[wp-trac] [WordPress Trac] #58937: .sig missing for plugin-zip signature validation
WordPress Trac
noreply at wordpress.org
Sat Jul 29 22:52:39 UTC 2023
#58937: .sig missing for plugin-zip signature validation
--------------------------+-----------------------------
Reporter: threadi | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Plugins | Version:
Severity: minor | Keywords:
Focuses: |
--------------------------+-----------------------------
Running
{{{
wp plugin install akismet
}}}
results in:
{{{
Installing Akismet Anti-Spam: Spam Protection (5.2)
Downloading installation package from
https://downloads.wordpress.org/plugin/akismet.5.2.zip...
The authenticity of akismet.5.2.zip could not be verified as no signature
was found.
Unpacking the package...
Installing the plugin...
Plugin installed successfully.
Success: Installed 1 of 1 plugins.
}}}
The part "could not be verified as no signature was found" is an output
from here:
https://github.com/WordPress/WordPress/blob/6.2-branch/wp-
admin/includes/file.php#L1445
Reason is that here
https://github.com/WordPress/WordPress/blob/6.2-branch/wp-
admin/includes/file.php#L1271
we try to download a .sig-file of the requested plugin which does not
exist on ''downloads.wordpress.org''.
Examples:
https://downloads.wordpress.org/plugin/akismet.5.2.zip.sig
https://downloads.wordpress.org/plugin/woocommerce.7.9.0.zip.sig
.. and also many others. I could not find any .sig-file for any plugin
atm.
Is there any reason this .sig-files are not created on wordpress.org for
each plugin?
I'm unsure if this is a core- or a meta-question :-)
Tried with:
* WordPress 6.2.2 and 6.3-rc2
* without any active plugins
* with TwentyTwentyOne as theme
Hint: the message is only visible with WP_DEBUG = true.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/58937>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list