Make WordPress Core

Opened 5 years ago

Last modified 32 hours ago

#47315 assigned defect (bug)

Download authenticity message has no actionability

Reported by: jipmoors
Owned by: audrasjb
Milestone: 6.6
Priority: normal
Severity: normal
Version: 5.2
Component: Upgrade/Install
Keywords: has-patch dev-feedback
Focuses: ui, administration, ui-copy
Cc:



While testing some upgrades of themes I noticed the following message:

The authenticity of could not be verified as no signature was found.

As a user I have no idea what this means and more importantly, what I can do about it.

Proposed solution

Add more context about what it means, why it is not a blocker (soft-fail) when this is the case.
This could be a page on or explained in-line.

Provide a context on where this should be solved, locally/server/


I would have expected the theme update to be verified as it is downloaded from directly.

Change History (21)

This ticket was mentioned in Slack in #accessibility by afercia.

5 years ago

#3 @karmatosed
5 years ago

  • Keywords needs-design-feedback added

#4 @afercia
5 years ago

  • Keywords needs-copy-review added; needs-design-feedback removed
  • Milestone changed from Awaiting Review to Future Release

Discussed during today's accessibility bug-scrub. Pinging @pento as the Upgrade/Install component maintainer.

Also relevant:

Copy could be improved here. The part "The authenticity of could not be verified" is already a bit hard to get for non-tech-savvy users. Then, when it comes to "signature", it's probably a bit too technical :)

Pinging also @marybao


#5 @Hareesh Pillai
5 years ago

  • Focuses ui-copy added

#6 @SergeyBiryukov
4 years ago

#51428 was marked as a duplicate.

#7 @SergeyBiryukov
4 years ago

#47343 was marked as a duplicate.

#8 @SergeyBiryukov
4 years ago

#51672 was marked as a duplicate.

#9 @bridgetwillard
3 years ago

Happy to write copy, y'all. I'll need a bit more information.

What does it mean that the file wasn't verified?
What is the signature?
What is the solution?


#10 @s0what
3 years ago

Is this fixed now? Because I got this message when upgrading to 5.7.
If this is not fixed, please remove the message!

#11 @SergeyBiryukov
3 years ago

#54495 was marked as a duplicate.

This ticket was mentioned in Slack in #core by sergey.

2 years ago

This ticket was mentioned in Slack in #core by redsweater.

13 months ago

#14 @rajinsharwar
10 months ago

#58937 was marked as a duplicate.

#15 @rajinsharwar
10 months ago

My suggestion would be to add a message like "You can safely ignore" to the message until the feature is redesigned, or just completely remove it until it's fully ready.

#16 @joedolson
9 months ago

  • Focuses accessibility removed

#17 @audrasjb
2 weeks ago

  • Milestone changed from Future Release to 6.6
  • Owner set to audrasjb
  • Status changed from new to assigned

Hello there,

I'd like to suggest removing this message until the feature is ready to ship completely, since the "issue" (or rather the "non issue") is regularly pointed out by people on forums or during training sessions.

Worth noting that it would be nice to update the key and the related docblock in wp-admin/includes/file.php, too:

if ( time() < 1617235200 ) {
	// Key #1 - This key is only valid before April 1st, 2021.
	$trusted_keys[] = 'fRPyrxb/MvVLbdsYi+OOEv4xc+Eqpsj+kkAS6gNOkI0=';
}

Moving for 6.6 consideration.

#18 @johnbillion
13 days ago

  • Keywords needs-copy-review removed

The security team is in agreement that this message should be removed until software signing is fully implemented on

#19 @audrasjb
8 days ago

Thanks for sharing this in the security team channel.
I'll make sure we have a patch ready to ship before beta 1.

This ticket was mentioned in PR #6648 on WordPress/wordpress-develop by @audrasjb.

32 hours ago

  • Keywords has-patch added; needs-patch removed

#21 @audrasjb
32 hours ago

  • Keywords dev-feedback added

PR6648 disables package signature verification.

Alternatively, we can also just remove the WP_Error messages. What do you think @johnbillion?
