Sign releases (PGP, GPG)

[maltfield]

Currently it is not possible to verify the authenticity or cryptographic integrity of the downloads from wordpress.org because the releases are not cryptographically signed.

This makes it hard for wordpress admins to safely obtain the wordpress software, and it introduces them (and potentially their customer's data) to supply chain attacks.

Steps to Reproduce

1. Go to the ​https://wordpress.org/download/ page
2. Search the page for "signature" or "verify" and see nothing
3. ???
4. Get confused and open ticket

Expected behavior: [What you expected to happen]

A few things are expected:

1. I should be able to download the wordpress PGP key out-of-band from popular third-party keyservers (eg ​https://keys.openpgp.org/)
2. I should be able to download a cryptographic signature of the release (or, better, the releases' digest file, such as a SHA256SUMS.asc file) along with the release itself
3. The downloads page itself should include a link to the documentation page that describes how to do the above two steps

Actual behavior: [What actually happened]

There's just literally no information on verifying downloads, and it appears that it is not possible to do so.

Versions

Everything, all versions. Plugins too.

[maltfield]

I originally inquired about this on the wordpress support forums, but a moderator there sent be to the ticket system (here)

• ​https://wordpress.org/support/topic/verify-cryptographic-authenticity-afte-downloading-releases-signatures/

[maltfield]

To see how this was implemented in a similar open source project, consider MediaWiki:

• ​https://www.mediawiki.org/wiki/Download#Signature_downloads

The download page for MediaWiki (see above) has a section titled "Signature downloads" which

1. Has a link for downloading the cryptographic signature of the latest release
2. Has a link for downloading the public keys that are used to sign the releases

This is not an ideal example, but it is a bare minimum that would satisfy this ticket.

[maltfield]

For best-practices in release signing with PGP, see also:

1. ​https://infra.apache.org/release-signing
2. ​https://docs.opendev.org/opendev/system-config/latest/signing.html
3. ​https://wiki.debian.org/Subkeys
4. ​https://riseup.net/en/security/message-security/openpgp/best-practices

[chesio]

@maltfield These issues have been already discussed in #39309 (for WordPress core) and #49200 (for plugins), however there has been no progress for years now...

[maltfield]

@chesio to be clear, this issue is very different from #39309.

The ask in #39309 requires updating the wordpress code to verify updates in-app. That's a very difficult thing to do, and it's no surprise that it's taken years.

The ask in this ticket requires no code changes. It's a process change that only requires a human to issue a gpg command to create a signature file and upload it along with the release when a release is created.

This is low-hanging fruit that can drastically increase the security of wordpress installs with very minimal effort.

[chesio]

@maltfield I see now. When reading your request I got immediately reminded about that old issue and consequently I misunderstood what you actually request here.

As far as I can tell, WordPress.org already offers MD5 and SHA1 hashes for verification of downloaded archive files - see: ​https://wordpress.org/download/releases/

If you would like to have cryptographic signatures available as well, then you should raise your concerns in Trac repository for WordPress.org (the website): ​https://meta.trac.wordpress.org/ This Trac repository is for WordPress core (the software).

[maltfield]

ok, I opened a a new ticket to replace this one here:

• ​https://meta.trac.wordpress.org/ticket/7574

[dd32]

I recognise that this and #39309 are intended differently; but it's close enough that the discussion can continue there.