#58937 closed defect (bug) (duplicate)
.sig missing for plugin-zip signature validation
Reported by: | threadi | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | minor | Version: | |
Component: | Upgrade/Install | Keywords: | |
Focuses: | Cc: |
Description
Running
wp plugin install akismet
results in:
Installing Akismet Anti-Spam: Spam Protection (5.2) Downloading installation package from https://downloads.wordpress.org/plugin/akismet.5.2.zip... The authenticity of akismet.5.2.zip could not be verified as no signature was found. Unpacking the package... Installing the plugin... Plugin installed successfully. Success: Installed 1 of 1 plugins.
The part "could not be verified as no signature was found" is an output from here:
https://github.com/WordPress/WordPress/blob/6.2-branch/wp-admin/includes/file.php#L1445
Reason is that here
https://github.com/WordPress/WordPress/blob/6.2-branch/wp-admin/includes/file.php#L1271
we try to download a .sig-file of the requested plugin which does not exist on downloads.wordpress.org.
Examples:
https://downloads.wordpress.org/plugin/akismet.5.2.zip.sig
https://downloads.wordpress.org/plugin/woocommerce.7.9.0.zip.sig
.. and also many others. I could not find any .sig-file for any plugin atm.
Is there any reason this .sig-files are not created on wordpress.org for each plugin?
I'm unsure if this is a core- or a meta-question :-)
Tried with:
- WordPress 6.2.2 and 6.3-rc2
- without any active plugins
- with TwentyTwentyOne as theme
Hint: the message is only visible with WP_DEBUG = true.
Duplicate of #47315.
More definitive information on this;
Signature verification is not yet enabled, so this message is expected to be displayed.
[44954] introduced experimental package signature verification. However, there were some difficult problems identified that need to be solved in order to securely use this feature in practice. You can read more about this here https://make.wordpress.org/core/2019/08/16/ssl-for-auto-updates/.
Reference - https://core.trac.wordpress.org/ticket/49004#comment:4