Make WordPress Core

Opened 14 months ago

Closed 14 months ago

Last modified 12 months ago

#58937 closed defect (bug) (duplicate)

.sig missing for plugin-zip signature validation

Reported by: threadi
Owned by:
Milestone:
Priority: normal
Severity: minor
Version:
Component: Upgrade/Install
Keywords:
Focuses:
Cc:

Description

Running

wp plugin install akismet

results in:

Installing Akismet Anti-Spam: Spam Protection (5.2)
Downloading installation package from https://downloads.wordpress.org/plugin/akismet.5.2.zip...
The authenticity of akismet.5.2.zip could not be verified as no signature was found.
Unpacking the package...
Installing the plugin...
Plugin installed successfully.
Success: Installed 1 of 1 plugins.

The part "could not be verified as no signature was found" is an output from here:
https://github.com/WordPress/WordPress/blob/6.2-branch/wp-admin/includes/file.php#L1445

The reason is that here
https://github.com/WordPress/WordPress/blob/6.2-branch/wp-admin/includes/file.php#L1271
we try to download a .sig-file of the requested plugin which does not exist on downloads.wordpress.org.

Examples:
https://downloads.wordpress.org/plugin/akismet.5.2.zip.sig
https://downloads.wordpress.org/plugin/woocommerce.7.9.0.zip.sig
... and also many others. I could not find any .sig-file for any plugin atm.

Is there any reason these .sig-files are not created on wordpress.org for each plugin?

I'm unsure if this is a core- or a meta-question :-)

Tried with:

  • WordPress 6.2.2 and 6.3-rc2
  • without any active plugins
  • with TwentyTwentyOne as theme

Hint: the message is only visible with WP_DEBUG = true.

Change History (2)

#1 @rajinsharwar
14 months ago

  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #47315.

More definitive information on this:

Signature verification is not yet enabled, so this message is expected to be displayed.
[44954] introduced experimental package signature verification. However, there were some difficult problems identified that need to be solved in order to securely use this feature in practice. You can read more about this here https://make.wordpress.org/core/2019/08/16/ssl-for-auto-updates/.

Reference - https://core.trac.wordpress.org/ticket/49004#comment:4

#2 @desrosj
12 months ago

  • Component changed from Plugins to Upgrade/Install
  • Milestone Awaiting Review deleted