Make WordPress Core

Opened 3 weeks ago

Closed 8 days ago

Last modified 7 days ago

#60871 closed defect (bug) (duplicate)

Sign releases (PGP, GPG)

Reported by: maltfield    Owned by:
Milestone: Awaiting Review    Priority: normal
Severity: normal    Version:
Component: General    Keywords:
Focuses:    Cc:

Description

Currently it is not possible to verify the authenticity or cryptographic integrity of the downloads from wordpress.org because the releases are not cryptographically signed.

This makes it hard for wordpress admins to safely obtain the wordpress software, and it exposes them (and potentially their customers' data) to supply chain attacks.

Steps to Reproduce

  1. Go to the https://wordpress.org/download/ page
  2. Search the page for "signature" or "verify" and see nothing
  3. ???
  4. Get confused and open ticket

Expected behavior:

A few things are expected:

  1. I should be able to download the wordpress PGP key out-of-band from popular third-party keyservers (e.g. https://keys.openpgp.org/)
  2. I should be able to download a cryptographic signature of the release (or, better, the releases' digest file, such as a SHA256SUMS.asc file) along with the release itself
  3. The downloads page itself should include a link to the documentation page that describes how to do the above two steps

Actual behavior:

There's just literally no information on verifying downloads, and it appears that it is not possible to do so.

Versions

Everything, all versions. Plugins too.

Change History (8)

#1 @maltfield
3 weeks ago

I originally inquired about this on the wordpress support forums, but a moderator there sent me to the ticket system (here).

#2 @maltfield
3 weeks ago

To see how this was implemented in a similar open source project, consider MediaWiki:

The download page for MediaWiki (see above) has a section titled "Signature downloads" which

  1. Has a link for downloading the cryptographic signature of the latest release
  2. Has a link for downloading the public keys that are used to sign the releases

This is not an ideal example, but it is a bare minimum that would satisfy this ticket.

#4 @chesio
9 days ago

@maltfield These issues have already been discussed in #39309 (for WordPress core) and #49200 (for plugins), however there has been no progress for years now...

#5 @maltfield
8 days ago

@chesio to be clear, this issue is very different from #39309.

The ask in #39309 requires updating the wordpress code to verify updates in-app. That's a very difficult thing to do, and it's no surprise that it's taken years.

The ask in this ticket requires no code changes. It's a process change that only requires a human to issue a gpg command to create a signature file and upload it along with the release when a release is created.

This is low-hanging fruit that can drastically increase the security of wordpress installs with very minimal effort.
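
The three expected steps in the ticket description (key fetched out of band, a signed SHA256SUMS published beside the release, admin verifies both) and the "one gpg command at release time" from the comment above, run end to end as an added example. This is not WordPress.org's release process or any script from this thread: the throwaway RSA key, the file names, the `release@example.invalid` identity and the `wordpress-0.0.0-example.tar.gz` archive are all constructed stand-ins, and the "out-of-band" fingerprint is simulated by a file the signer writes. It runs on a Linux box with gpg and coreutils and skips itself if they are missing.

```shell
#!/bin/sh
# Added example, not WordPress.org's process: signing a SHA256SUMS file at
# release time and verifying it on the admin side. Key, names and archive are
# constructed stand-ins.
set -eu
for tool in gpg gpgconf sha256sum tar awk; do
    command -v "$tool" >/dev/null 2>&1 || { echo "$tool not installed; skipping demo" >&2; exit 0; }
done

WORK="$(mktemp -d)"
SIGNER_HOME="$WORK/signer-gnupg"   # release engineer's keyring
ADMIN_HOME="$WORK/admin-gnupg"     # site administrator's keyring (separate on purpose)
mkdir -m 700 "$SIGNER_HOME" "$ADMIN_HOME"
trap 'for h in "$SIGNER_HOME" "$ADMIN_HOME"; do GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null || true; done; rm -rf "$WORK"' EXIT
cd "$WORK"
ARCHIVE=wordpress-0.0.0-example.tar.gz   # assumed name, stands in for wordpress-x.y.z.tar.gz

# ---- release engineer side -------------------------------------------------
make_signing_key() {   # throwaway, passphrase-less RSA key generated in batch mode
    GNUPGHOME="$SIGNER_HOME" gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Example Release Signer
Name-Email: release@example.invalid
Expire-Date: 0
%commit
EOF
    # Public key as it would be published (in practice: to a keyserver and the docs page)
    GNUPGHOME="$SIGNER_HOME" gpg --batch --armor --export release@example.invalid > release-key.asc
    # Fingerprint as the docs page would print it; the admin pins this value
    GNUPGHOME="$SIGNER_HOME" gpg --batch --with-colons --list-keys release@example.invalid \
        | awk -F: '/^fpr:/ { print $10; exit }' > release-key.fpr
}

sign_release() {   # the "one gpg command" at release time
    mkdir -p stage/wordpress
    printf '<?php // constructed stand-in for WordPress core\n' > stage/wordpress/index.php
    tar -C stage -czf "$ARCHIVE" wordpress
    sha256sum "$ARCHIVE" > SHA256SUMS            # one digest line per published artifact
    GNUPGHOME="$SIGNER_HOME" gpg --batch --yes --armor --detach-sign \
        --output SHA256SUMS.asc SHA256SUMS       # sign the digest list, not each archive
}

# ---- site administrator side ----------------------------------------------
import_release_key() {
    GNUPGHOME="$ADMIN_HOME" gpg --batch --quiet --import release-key.asc 2>/dev/null
    # Simulated out-of-band channel; in real life this comes from the docs/keyserver,
    # never from the same host that serves the archive
    EXPECTED_FPR="$(cat release-key.fpr)"
}

# Returns 0 only if SHA256SUMS carries a valid signature from the pinned key AND
# the archive matches its digest line. A bare MD5/SHA1 served next to the archive
# gives step 2 without step 1: it catches a corrupt download, not a substituted one.
verify_release() {
    archive="$1"
    # Check VALIDSIG against the pinned fingerprint, not just "Good signature":
    # any key in the keyring would print the latter
    GNUPGHOME="$ADMIN_HOME" gpg --batch --status-fd 1 --verify SHA256SUMS.asc SHA256SUMS 2>/dev/null \
        | grep -q "VALIDSIG.*$EXPECTED_FPR" || return 1
    grep " $archive\$" SHA256SUMS | sha256sum -c --status || return 1
}

# Two tamper cases worth testing: substituted archive, edited digest list
tamper_archive() { printf 'x' >> "$ARCHIVE"; }
tamper_sums()    { printf '\n' >> SHA256SUMS; }

make_signing_key
sign_release
import_release_key
if verify_release "$ARCHIVE"; then echo "verified: $ARCHIVE"; else echo "REJECTED: $ARCHIVE"; fi
```

The signature goes on SHA256SUMS rather than on each archive so that one `gpg --detach-sign` per release covers every artifact listed, which is the minimal process change the comment above describes; the admin's check then has two independent halves, and a value that fails either one is rejected.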

#6 @chesio
8 days ago

  • Resolution set to invalid
  • Status changed from new to closed

@maltfield I see now. When reading your request I got immediately reminded about that old issue and consequently I misunderstood what you actually request here.

As far as I can tell, WordPress.org already offers MD5 and SHA1 hashes for verification of downloaded archive files - see: https://wordpress.org/download/releases/

If you would like to have cryptographic signatures available as well, then you should raise your concerns in Trac repository for WordPress.org (the website): https://meta.trac.wordpress.org/ This Trac repository is for WordPress core (the software).

#7 @maltfield
7 days ago

ok, I opened a new ticket to replace this one here:

#8 @dd32
7 days ago

  • Resolution changed from invalid to duplicate

I recognise that this and #39309 are intended differently; but it's close enough that the discussion can continue there.
