[wp-trac] [WordPress Trac] #49200: Allow Developers to Cryptographically Sign Their Own Plugins/Themes with the Gossamer Public Key Infrastructure (PKI)

WordPress Trac noreply at wordpress.org
Thu Oct 15 10:50:35 UTC 2020


#49200: Allow Developers to Cryptographically Sign Their Own Plugins/Themes with
the Gossamer Public Key Infrastructure (PKI)
------------------------------------------+------------------------------
 Reporter:  paragoninitiativeenterprises  |       Owner:  (none)
     Type:  enhancement                   |      Status:  new
 Priority:  normal                        |   Milestone:  Awaiting Review
Component:  Upgrade/Install               |     Version:  5.4
 Severity:  normal                        |  Resolution:
 Keywords:                                |     Focuses:
------------------------------------------+------------------------------

Comment (by paragoninitiativeenterprises):

 @pbiron Development has stalled due to other responsibilities and coping
 with the pandemic.

 Looking at our internal development roadmap, we have:

 * '''Done:''' libgossamer proof-of-concept
 * '''Done:''' gossamer-server proof-of-concept
 * TODO: gossamer-cli
 * TODO: Reimplement gossamer-server atop the WordPress REST API
 * TODO: Simulation package for verifying the efficacy of attack resilience
 across a small network of virtual hosts

 The gossamer-cli project will allow developers to publish actions to the
 Chronicle Server.

 However, there's '''even more''' that needs to be done on WordPress's end:

 1. We need to establish what the bar is for WordPress community trust, so
 we can ascertain if this work meets WP's bar or not. If not, what does PIE
 need to do in addition to what we've already done?
 2. WP needs to commit to a specific roadmap (5.7?), at which point in time
 all future updates will be signed.
 3. The WordPress backend infrastructure will need to be updated to support
 these changes.
 4. The WordPress core developer team will need to mint several Ed25519
 keypairs. It may be worthwhile to use something like AWS KMS for this
 (i.e. https://docs.aws.amazon.com/kms/latest/APIReference/API_Sign.html).
 However, AWS KMS currently doesn't support Ed25519, and we have no way of
 knowing if that's even on their roadmap or not. (If anyone believes it
 should be, and has an enterprise account, maybe open a feature request?)

 When we know the answer to the immediate questions in the ticket
 description, and complete our end of the development, the ball will be in
 the WP org's court.

 Note: If anyone wants to build the gossamer-server reimplementation atop
 WordPress's REST API as a plugin, that would help ease the adoption pains,
 especially for hosting providers only familiar with WordPress code.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/49200#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform