[wp-meta] [Making WordPress.org] #7574: Sign releases (PGP, GPG)
Making WordPress.org
noreply at wordpress.org
Thu Apr 11 16:10:02 UTC 2024
#7574: Sign releases (PGP, GPG)
--------------------------------+--------------------
Reporter: maltfield | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone:
Component: WordPress.org Site | Keywords:
--------------------------------+--------------------
Currently it is not possible to verify the authenticity or cryptographic
integrity of the downloads from wordpress.org because the releases are not
cryptographically signed.
This makes it hard for WordPress admins to safely obtain the WordPress
software, and it exposes them (and potentially their customers' data)
to supply chain attacks.
= Steps to Reproduce
1. Go to the https://wordpress.org/download/ page
1. Search the page for "signature" or "verify" and see nothing
1. ???
1. Get confused and open ticket
= Expected behavior
A few things are expected:
1. I should be able to download the WordPress PGP key out-of-band from
popular third-party keyservers (e.g. https://keys.openpgp.org/)
1. I should be able to download a cryptographic signature of the release
(or, better, the release's digest file, such as a SHA256SUMS.asc file)
along with the release itself
1. The downloads page itself should include a link to the documentation
page that describes how to do the above two steps
= Actual behavior
There's just literally no information on verifying downloads, and it
appears that it is not possible to do so.
= Versions
Everything, all versions. Plugins too.
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/7574>
Making WordPress.org <https://meta.trac.wordpress.org/>
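The verification flow the ticket asks for, as an added example that is not part of the ticket or of any wordpress.org tooling. It runs offline, so a throwaway Ed25519 key generated in a temporary GNUPGHOME stands in for a project release key fetched from a keyserver, and the archive name (wordpress-0.0.0.tar.gz), the SHA256SUMS contents and the signer identity (release@example.invalid) are all constructed. The script clearsigns the digest list on the publisher side, then on the admin side checks the signer's fingerprint against a pinned value rather than trusting gpg's exit status or its "Good signature" text, and only then checks the archive against the signed digests. Two tampering cases (swapped archive; swapped archive plus rewritten digest line) are shown being rejected. Requires gpg 2.1+ and coreutils sha256sum.

```shell
#!/bin/sh
# Added example: end-to-end check of a clearsigned digest list (SHA256SUMS.asc)
# for a release archive. The key, the archive and the digest list are all
# constructed for the demo. Requires gpg (2.1+) and coreutils sha256sum.
set -eu

WORK=$(mktemp -d)
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
PUB="$WORK/pub"                  # stand-in for the download site
ARCHIVE=wordpress-0.0.0.tar.gz   # constructed name, not a real release

# --- publisher side ---------------------------------------------------------
publish_release() {
  mkdir -p "$PUB"
  printf 'constructed stand-in for a release tarball\n' > "$PUB/$ARCHIVE"
  ( cd "$PUB" && sha256sum "$ARCHIVE" > SHA256SUMS )
  # Throwaway Ed25519 signing key. %no-protection: no passphrase, so batch signing works.
  gpg --batch --quiet --gen-key 2>/dev/null <<'EOF'
Key-Type: EDDSA
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Release Signing (constructed example)
Name-Email: release@example.invalid
Expire-Date: 0
%no-protection
%commit
EOF
  # One signature covers every digest; SHA256SUMS.asc is what the admin
  # downloads alongside the archive.
  gpg --batch --quiet --yes --clearsign --output "$PUB/SHA256SUMS.asc" "$PUB/SHA256SUMS" 2>/dev/null
}

# Fingerprint the admin must obtain out of band (documentation page, a second
# keyserver, a signed release announcement). Here it is read from the keyring
# we just created, which is only acceptable because it is the demo's own key.
pinned_fingerprint() {
  gpg --batch --with-colons --list-keys release@example.invalid 2>/dev/null |
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# --- admin side -------------------------------------------------------------
# verify_release <archive> <SHA256SUMS.asc> <pinned primary-key fingerprint>
# Exit 0 only if the digest list carries a valid signature from the pinned key
# AND the archive's SHA-256 matches the entry in that list.
verify_release() {
  archive=$1; sums_asc=$2; pinned=$3
  plain="$WORK/SHA256SUMS.verified"
  # --decrypt on a clearsigned file writes the verified body to --output and
  # reports the signature on --status-fd. Exit status and the human-readable
  # "Good signature" line are not sufficient: any key in the keyring would do,
  # so the VALIDSIG primary-key fingerprint is compared to the pinned one.
  status=$(gpg --batch --yes --status-fd 1 --output "$plain" --decrypt "$sums_asc" 2>/dev/null) || return 1
  signer=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
  [ -n "$signer" ] && [ "$signer" = "$pinned" ] || return 1
  # Only now is the digest list trusted; check the archive against its entry.
  ( cd "$(dirname "$archive")" &&
    grep " $(basename "$archive")\$" "$plain" | sha256sum --check --status )
}

# Attacker swaps the archive on the mirror (or in transit) but cannot produce a
# matching signed digest list: the digest check fails.
reject_swapped_archive() {
  t="$WORK/swapped"; mkdir -p "$t"
  cp "$PUB/SHA256SUMS.asc" "$t/"
  printf 'trojaned archive\n' > "$t/$ARCHIVE"
  if verify_release "$t/$ARCHIVE" "$t/SHA256SUMS.asc" "$(pinned_fingerprint)"; then return 1; fi
}

# Attacker also rewrites the digest line to match the trojaned archive. Without
# the signing key the clearsigned body no longer matches its signature.
reject_edited_digests() {
  t="$WORK/edited"; mkdir -p "$t"
  printf 'trojaned archive\n' > "$t/$ARCHIVE"
  new=$(cd "$t" && sha256sum "$ARCHIVE")
  awk -v new="$new" -v name="$ARCHIVE" 'index($0, name) { print new; next } { print }' \
    "$PUB/SHA256SUMS.asc" > "$t/SHA256SUMS.asc"
  if verify_release "$t/$ARCHIVE" "$t/SHA256SUMS.asc" "$(pinned_fingerprint)"; then return 1; fi
}

publish_release
FPR=$(pinned_fingerprint)
verify_release "$PUB/$ARCHIVE" "$PUB/SHA256SUMS.asc" "$FPR"
echo "genuine release accepted; signed by $FPR"
reject_swapped_archive
echo "swapped archive rejected: digest mismatch"
reject_edited_digests
echo "edited digest list rejected: bad signature"
```

Against a real release the key generation step is replaced by `gpg --keyserver hkps://keys.openpgp.org --recv-keys <FPR>`, where `<FPR>` comes from a source independent of the download page (the documentation the ticket asks for), and `verify_release` is run on the downloaded archive and SHA256SUMS.asc before anything is unpacked. The fingerprint comparison is the step that turns "some key signed this" into "the project's key signed this"; a key fetched by e-mail address alone from a keyserver proves nothing.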