Download authenticity message has no actionability

[jipmoors]

Problem

While testing some upgrades of themes I noticed the following message:

The authenticity of twentynineteen.1.4.zip could not be verified as no signature was found.

As a user I have no idea what this means and more importantly, what I can do about it.

Proposed solution

Add more context about what it means, why it is a not a blocker (soft-fail) when this is the case.
This could be a page on WordPress.org or explained in-line.

Provide a context on where this should be solved, locally/server/WordPress.org

Expectations

I would have expected the theme update to be verified as it is downloaded from WordPress.org directly.

[SergeyBiryukov]

Related: #39309

[afercia]

Discussed during today's accessibility bug-scrub. Pinging @pento as the Upgrade/Install component maintainer.

Also relevant:
​https://wordpress.org/support/topic/5-2-1-update-authenticity-of-update-could-not-be-verified/

Copy could be improved here. The part The authenticity of twentynineteen.1.4.zip could not be verified is already a bit hard to get for non-tech-savvy users. Then, when it comes to signature, it's probably a bit too much technical :)

Pinging also @marybaum

[SergeyBiryukov]

#51428 was marked as a duplicate.

[SergeyBiryukov]

#47343 was marked as a duplicate.

[SergeyBiryukov]

#51672 was marked as a duplicate.

[bridgetwillard]

Happy to write copy, y'all. I'll need a bit more information.

What does it mean that the file wasn't verified?
What is the signature?
What is the solution?

Thanks.

[s0what]

Is this fixed now? Because I got this message when upgrading to 5.7
If this is not fixed, please remove the message!

[SergeyBiryukov]

#54495 was marked as a duplicate.

[rajinsharwar]

#58937 was marked as a duplicate.

[rajinsharwar]

My suggestion would be to add a message like "You can safely ignore" to the message until the feature is redesigned, or just completely remove until it's fully ready.

[audrasjb]

Hello there,

I'd like to suggest removing this message until the feature is ready to ship completely, since the "issue" (or rather the "non issue") is regularly pointed out by people on forums or during training sessions.

Worth noting that it would be nice to update the key and the related docblock in ​wp-admin/includes/file.php, too:

if ( time() < 1617235200 ) {
	// WordPress.org Key #1 - This key is only valid before April 1st, 2021.
	$trusted_keys[] = 'fRPyrxb/MvVLbdsYi+OOEv4xc+Eqpsj+kkAS6gNOkI0=';
}

Moving for 6.6 consideration.

[johnbillion]

The security team is in agreement that this message should be removed until software signing is fully implemented on wordpress.org.

[audrasjb]

Thanks for sharing this in the security team channel.
I'll make sure we have a patch ready to ship before beta 1.

https://core.trac.wordpress.org/ticket/47315

[audrasjb]

PR6648 disables package signature verification.

Alternatively, we can also just remove the WP_Error messages. What do you think @johnbillion?

[audrasjb]

Pinging @peterwilsoncc as well for second opinion on this changeset.

@audrasjb Is the intent to remove the signature warning just from themes and plugins or are you intending to remove it from Core too?

Core upgrades don't use the run method so if the intent is to remove the warning from there too I think this line will need changing too

​https://github.com/WordPress/wordpress-develop/blob/13b571eeacf5a71e23c80d9f1d6b5cb5114e14af/src/wp-admin/includes/class-core-upgrader.php#L124

Thanks @peterwilsoncc. I added a commit to also take Core into account.

[peterwilsoncc]

I've approved the ​linked pull request, marking this ready for commit.

It looks like the Core changes will need to be tested once they have made it to the nightly package but the plugin updates work as expected.

[audrasjb]

Committed in https://core.trac.wordpress.org/changeset/58319

Thanks for the review! Committted in https://core.trac.wordpress.org/changeset/58319