Verify signatures when downloading packages #247
Conversation
costdev
force-pushed
the
verify_signature_on_download
branch
from
8c48893 to
a1b0f1e
Compare
kasparsd
left a comment
kasparsd
left a comment
There was a problem hiding this comment.
Thanks for working on this!
Please see the comments inline for feedback. I believe we might want to adjust the return value of the upgrader_pre_download filter to ensure it stops WP core from downloading the package if the verification fails.
|
I'm thinking about the alternative workflows where this could apply. Will this apply to the |
Yeah this should work with the
Yes I believe so. The FAIR plugin sets up the Updater for each installed package on init. The I'm not sure whether this is the case when uploading a new package though. I expect that is different. |
Yeah, there is no reliable way to determine the package vendor if we only have the ZIP. For a secure installation users should use the We could attempt to extract the vendor I love the did installer! Such a simple UI for a super-secure installer. |
|
FYI: After chatting with @rmccue, I'm going to rework some of this to use a subclass of the |
costdev
force-pushed
the
verify_signature_on_download
branch
from
7d438d7 to
9c8ee6e
Compare
costdev
force-pushed
the
verify_signature_on_download
branch
from
bd2b3af to
488bd27
Compare
Signed-off-by: costdev <[email protected]>
verify_file_signature() is documented to return bool|WP_Error, with false meaning verification was not attempted. However, the function's code doesn't actually return false. Signed-off-by: costdev <[email protected]>
Signed-off-by: costdev <[email protected]>
Signed-off-by: costdev <[email protected]>
Signed-off-by: costdev <[email protected]>
Signed-off-by: costdev <[email protected]>
The plugin will include distribution dependencies, whereas workflows install development dependencies too, so this check will always fail. Signed-off-by: costdev <[email protected]>
Signed-off-by: costdev <[email protected]>
Signed-off-by: costdev <[email protected]>
This was previously sending the whole key object, resulting in a Fatal Error. Signed-off-by: costdev <[email protected]>
Signed-off-by: costdev <[email protected]>
This reverts commit e430753. Signed-off-by: costdev <[email protected]>
This reverts commit ca4c5ea. Signed-off-by: costdev <[email protected]>
This reverts commit be67b25. Signed-off-by: costdev <[email protected]>
Signed-off-by: costdev <[email protected]>
Signed-off-by: costdev <[email protected]>
Signed-off-by: costdev <[email protected]>
Signed-off-by: costdev <[email protected]>
Signed-off-by: costdev <[email protected]>
Signed-off-by: costdev <[email protected]>
…ater\Updater`. Signed-off-by: costdev <[email protected]>
Signed-off-by: costdev <[email protected]>
costdev
force-pushed
the
verify_signature_on_download
branch
from
696e20a to
3ac5dac
Compare
|
The force-push was a rebase on |
Every FAIR package hooks to verify signature on download. Simply using `md5( $package )` to protect against an infinite loop is overkill, because if some other FAIR package checks for a matching URL first, the actual matching FAIR package will bail out. Example: - User clicks to install FAIR Plugin B. - FAIR Plugin A's filter runs first (alphabetical order). `$has_run[ md5( $package ) ]` is set. - FAIR Plugin B's filter runs. `$has_run[ md5( $package ) ]` has already been set, so it bails. - FAIR Plugin B's package doesn't get signature verification. To resolve this, each FAIR package's filter now uses `md5( $this->did . '_' . $package )`, which is specific to _that package_ for _that URL_. Signed-off-by: costdev <[email protected]>
|
In fairpm/fair-beacon#52 we switched the signature algorithm to sha384, which I think was the last blocker here. @costdev is this now ready for review/merge? |
|
@rmccue Yes, ready for review, testing and merge. At the moment, you can test by enabling signature verification and installing Git Updater via Direct Install - MU Plugin to enable signature verification: <?php
/**
* Plugin Name: FAIR: Verify Package Signatures
* Description: Enables FAIR package signature verification
* Author: FAIR Contributors
* License: GPLv2 or later
* Version: 1.0.0
*/
add_filter( 'fair.packages.updater.verify_signatures', '__return_true' ); |
Signed-off-by: costdev <[email protected]>
|
I've added an **DO NOT MERGE WITH THIS |
|
I now see this issue 
|
|
If the package is not yet installed then |
|
That's related to another PR. I'll get that fixed shortly. |
|
|
Cache issue. All working/verifying. |
Signed-off-by: costdev <[email protected]>
| return $result; | ||
| } | ||
|
|
||
| ( new Updater\Updater( $did ) )->run(); |
There was a problem hiding this comment.
For the future: we should rename this method to be clearer, and move some of the global state checks out of it.
Signed-off-by: costdev <[email protected]>
4 participants
See #231
This PR introduces signature verification for packages. The PR still needs initial testing.
Approach
The
'upgrader_pre_download'hook is used to:The callback includes guards and clean up surrounding the steps above.
Using this particular hook means minimal duplication of Core's code while returning back into Core's process as soon as possible.
New dependency
This PR introduces yocLib - Multibase as a dependency. This is used to convert signing keys from Base58BTC to Base64. While we could use another implementation, this is used elsewhere in the project and I erred on the side of getting something testable out quicker.
Pre-merge note
If we continue with this dependency, or find another external dependency, the bundler script will need to be checked to ensure it includes/excludes files as its supposed to. This should be done before this PR is merged.
Testing
Ensure you have enabled signature verification. You can drop this into a file in
wp-content/mu-plugins: