#60871 closed defect (bug) (duplicate)
Sign releases (PGP, GPG)
| Reported by: | maltfield | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Upgrade/Install | Keywords: | |
| Focuses: | | Cc: | |
Description
Currently it is not possible to verify the authenticity or cryptographic integrity of the downloads from wordpress.org because the releases are not cryptographically signed.
This makes it hard for wordpress admins to safely obtain the wordpress software, and it introduces them (and potentially their customers' data) to supply chain attacks.
Steps to Reproduce
- Go to the https://wordpress.org/download/ page
- Search the page for "signature" or "verify" and see nothing
- ???
- Get confused and open ticket
Expected behavior: [What you expected to happen]
A few things are expected:
- I should be able to download the wordpress PGP key out-of-band from popular third-party keyservers (e.g. https://keys.openpgp.org/)
- I should be able to download a cryptographic signature of the release (or, better, the release's digest file, such as a SHA256SUMS.asc file) along with the release itself
- The downloads page itself should include a link to the documentation page that describes how to do the above two steps
Actual behavior: [What actually happened]
There's just literally no information on verifying downloads, and it appears that it is not possible to do so.
Versions
Everything, all versions. Plugins too.
Change History (10)
#2
@
9 months ago
To see how this was implemented in a similar open source project, consider MediaWiki:
The download page for MediaWiki (see above) has a section titled "Signature downloads" which
- Has a link for downloading the cryptographic signature of the latest release
- Has a link for downloading the public keys that are used to sign the releases
This is not an ideal example, but it is a bare minimum that would satisfy this ticket.
#5
@
8 months ago
@chesio to be clear, this issue is very different from #39309.
The ask in #39309 requires updating the wordpress code to verify updates in-app. That's a very difficult thing to do, and it's no surprise that it's taken years.
The ask in this ticket requires no code changes. It's a process change that only requires a human to issue a gpg command to create a signature file and upload it along with the release when a release is created.
This is low-hanging fruit that can drastically increase the security of wordpress installs with very minimal effort.
#6
@
8 months ago
- Resolution set to invalid
- Status changed from new to closed
@maltfield I see now. When reading your request I got immediately reminded about that old issue and consequently I misunderstood what you actually request here.
As far as I can tell, WordPress.org already offers MD5 and SHA1 hashes for verification of downloaded archive files - see: https://wordpress.org/download/releases/
If you would like to have cryptographic signatures available as well, then you should raise your concerns in Trac repository for WordPress.org (the website): https://meta.trac.wordpress.org/ This Trac repository is for WordPress core (the software).
I originally inquired about this on the wordpress support forums, but a moderator there sent me to the ticket system (here)
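The process described in comment #5 (one gpg command at release time, one verification step for the admin), and the difference from the unsigned MD5/SHA1 hashes mentioned in comment #6, as an added example. This is not WordPress project tooling and not code from the ticket; it assumes GnuPG 2.1+ and GNU coreutils (`sha256sum`), uses two throwaway keyrings in a temporary directory, and the signer identity, the archive contents and the file names `release.tar.gz`, `SHA256SUMS`, `SHA256SUMS.asc` and `release-key.asc` are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the project's code): sign a release digest file with a
# detached, ASCII-armored GPG signature and verify it the way an admin would.
set -eu

# Release-engineer side. Keys and files live under "$1" (a scratch directory).
setup_release() {
  local dir=$1
  mkdir -p "$dir/signer" "$dir/admin"
  chmod 700 "$dir/signer" "$dir/admin"
  # Constructed stand-in for the real release archive.
  printf 'constructed stand-in for the release archive\n' > "$dir/release.tar.gz"
  ( cd "$dir" && sha256sum release.tar.gz > SHA256SUMS )
  # Hypothetical signing identity; a real project would use a long-lived,
  # offline-backed release key and publish its fingerprint out-of-band.
  GNUPGHOME="$dir/signer" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Release Signer (demo) <release@example.invalid>' default default 0
  # The one command the ticket asks for: a detached signature over the digests.
  GNUPGHOME="$dir/signer" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --armor --detach-sign --output "$dir/SHA256SUMS.asc" "$dir/SHA256SUMS"
  # Public key that would be uploaded to a keyserver / linked from the download page.
  GNUPGHOME="$dir/signer" gpg --batch --quiet --armor --export release@example.invalid \
    > "$dir/release-key.asc"
}

# Admin side. Returns 0 if everything checks out, 1 if the signature over
# SHA256SUMS is bad, 2 if the signature is good but the archive does not match.
verify_release() {
  local dir=$1
  # 1. Import the signer's public key. In real use this comes out-of-band
  #    (keyserver, docs page) and its fingerprint is compared against a copy
  #    published through at least one other channel.
  GNUPGHOME="$dir/admin" gpg --batch --quiet --import "$dir/release-key.asc" 2>/dev/null
  # 2. Check the detached signature over the digest file. If this fails the
  #    digests cannot be trusted, so stop before looking at them.
  GNUPGHOME="$dir/admin" gpg --batch --quiet --verify \
    "$dir/SHA256SUMS.asc" "$dir/SHA256SUMS" 2>/dev/null || return 1
  # 3. Only now compare the archive against the (signed) digests.
  ( cd "$dir" && sha256sum --check --quiet SHA256SUMS ) >/dev/null 2>&1 || return 2
  return 0
}

# Attacker on a compromised mirror swaps the archive but leaves SHA256SUMS alone.
tamper_archive() {
  printf 'backdoored archive\n' > "$1/release.tar.gz"
}

# Same attacker also regenerates SHA256SUMS to match the backdoored archive.
# This defeats plain hashes served from the same host (the MD5/SHA1 case), but
# the attacker cannot produce a valid SHA256SUMS.asc without the signing key.
tamper_sums() {
  ( cd "$1" && sha256sum release.tar.gz > SHA256SUMS )
}

DEMO=$(mktemp -d)
setup_release "$DEMO"
if verify_release "$DEMO"; then echo "clean release: signature and digests verify"; fi
tamper_archive "$DEMO"
if ! verify_release "$DEMO"; then echo "swapped archive: rejected by sha256sum --check"; fi
tamper_sums "$DEMO"
if ! verify_release "$DEMO"; then echo "regenerated SHA256SUMS: rejected by gpg --verify"; fi
rm -rf "$DEMO"
```

The order in `verify_release` is the point: the signature is checked before the digests are used for anything, so an attacker who can edit files on the download host has to forge a signature, not just recompute hashes. The demo imports the key from the same directory for convenience; a real admin would fetch it separately and check the fingerprint before trusting it.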