[wp-trac] [WordPress Trac] #60871: Sign releases (PGP, GPG)
WordPress Trac
noreply at wordpress.org
Sun Mar 31 19:13:51 UTC 2024
#60871: Sign releases (PGP, GPG)
--------------------------+-----------------------------
Reporter: maltfield | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
Currently it is not possible to verify the authenticity or cryptographic
integrity of the downloads from wordpress.org because the releases are not
cryptographically signed.
This makes it hard for WordPress admins to safely obtain the WordPress
software, and it introduces them (and potentially their customers' data)
to supply chain attacks.
== Steps to Reproduce
1. Go to the https://wordpress.org/download/ page
2. Search the page for "signature" or "verify" and see nothing
3. ???
4. Get confused and open ticket
== Expected behavior: [What you expected to happen]
A few things are expected:
1. I should be able to download the WordPress PGP key out-of-band from
popular third-party keyservers (e.g. https://keys.openpgp.org/)
2. I should be able to download a cryptographic signature of the release
(or, better, the release's digest file, such as a `SHA256SUMS.asc` file)
along with the release itself
3. The downloads page itself should include a link to the documentation
page that describes how to do the above two steps
== Actual behavior: [What actually happened]
There's just literally no information on verifying downloads, and it
appears that it is not possible to do so.
== Versions
Everything, all versions. Plugins too.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/60871>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
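The verification a release consumer would run once the three points under "Expected behavior" are in place, as an added example (not code from the ticket or from the WordPress project). It assumes the project publishes a `SHA256SUMS` file and a detached OpenPGP signature over it (`SHA256SUMS.asc`) next to the archive, that the signing key is fetchable by fingerprint from keys.openpgp.org, and that GnuPG and coreutils `sha256sum` are installed; the fingerprint is a placeholder because no such key exists yet. The `verify_release` function succeeds only when the signature is valid, was made by the pinned key, and the archive matches the signed digest list.

```shell
#!/bin/sh
# Added example: client-side verification of a signed release.
# Assumed layout of the download directory:
#   wordpress-<version>.tar.gz   SHA256SUMS   SHA256SUMS.asc

# PLACEHOLDER fingerprint: no WordPress release-signing key exists at the time
# of the ticket. Pin the real 40-hex-digit fingerprint, obtained out-of-band
# (release notes, documentation page), once one is published. Pinning by
# fingerprint rather than by name or e-mail is what stops a look-alike key
# uploaded to the keyserver from being accepted.
: "${WP_SIGNING_KEY_FPR:=0000000000000000000000000000000000000000}"

# Step 1 of the ticket: fetch the key from a public keyserver, out-of-band
# from the download site itself.
fetch_signing_key() {
    gpg --keyserver hkps://keys.openpgp.org --recv-keys "$WP_SIGNING_KEY_FPR"
}

# Step 2a: verify the detached signature on the digest list. gpg exits
# non-zero on a BAD signature, but a valid signature by an unrelated key is
# also a failure, so the VALIDSIG status line is checked against the pinned
# fingerprint (field 3 is the signing key or subkey, the last field is the
# primary key; either may be the one that was pinned).
verify_sums_signature() {
    sums="$1"; sig="$2"
    gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null |
        awk -v fpr="$WP_SIGNING_KEY_FPR" '
            $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
            END { exit ok ? 0 : 1 }'
}

# Step 2b: with SHA256SUMS now trusted, check the archive against it. Runs in
# the download directory because the digest list names files by basename.
# --ignore-missing tolerates a list longer than what was downloaded; --strict
# turns malformed lines into errors instead of warnings. Only an exact
# "<archive>: OK" line counts as success.
verify_archive_digest() {
    dir="$1"; archive="$2"
    (cd "$dir" && sha256sum --ignore-missing --strict -c SHA256SUMS 2>/dev/null |
        grep -qxF "$archive: OK")
}

# Whole flow: signature first, digest second. Checking the digest before the
# signature would let an attacker who replaced both files pass the first test.
verify_release() {
    dir="$1"; archive="$2"
    verify_sums_signature "$dir/SHA256SUMS" "$dir/SHA256SUMS.asc" &&
        verify_archive_digest "$dir" "$archive"
}

# Usage (after pinning the real fingerprint):
#   fetch_signing_key && verify_release ./downloads wordpress-<version>.tar.gz
```

The fingerprint comparison is the part most often left out of ad-hoc `gpg --verify` checks: a "Good signature" message alone only proves that *someone* signed the file, so the script treats a valid signature from any key other than the pinned one as a failure.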