Sign releases (PGP, GPG)

[maltfield]

Currently it is not possible to verify the authenticity or cryptographic integrity of the downloads from wordpress.org because the releases are not cryptographically signed.

This makes it hard for wordpress admins to safely obtain the wordpress software, and it introduces them (and potentially their customer's data) to supply chain attacks.

Steps to Reproduce

1. Go to the ​https://wordpress.org/download/ page
2. Search the page for "signature" or "verify" and see nothing
3. ???
4. Get confused and open ticket

Expected behavior: [What you expected to happen]

A few things are expected:

1. I should be able to download the wordpress PGP key out-of-band from popular third-party keyservers (eg ​https://keys.openpgp.org/)
2. I should be able to download a cryptographic signature of the release (or, better, the releases' digest file, such as a SHA256SUMS.asc file) along with the release itself
3. The downloads page itself should include a link to the documentation page that describes how to do the above two steps

Actual behavior: [What actually happened]

There's just literally no information on verifying downloads, and it appears that it is not possible to do so.
Versions

Everything, all versions. Plugins too.

[maltfield]

I was instructed to create this ticket after opening a (now closed) ticket here

• ​https://core.trac.wordpress.org/ticket/60871

[maltfield]

I originally inquired about this on the wordpress support forums, but a moderator there sent be to the ticket system

• ​https://wordpress.org/support/topic/verify-cryptographic-authenticity-afte-downloading-releases-signatures/

[maltfield]

To see how this was implemented in a similar open source project, consider MediaWiki:

• ​https://www.mediawiki.org/wiki/Download#Signature_downloads

The download page for MediaWiki (see above) has a section titled "Signature downloads" which

1. Has a link for downloading the cryptographic signature of the latest release
2. Has a link for downloading the public keys that are used to sign the releases

This is not an ideal example, but it is a bare minimum that would satisfy this ticket.

[maltfield]

For best-practices in release signing with PGP, see also:

• ​https://infra.apache.org/release-signing
• ​https://docs.opendev.org/opendev/system-config/latest/signing.html
• ​https://wiki.debian.org/Subkeys
• ​https://riseup.net/en/security/message-security/openpgp/best-practices

[maltfield]

I see that wordpress provides hashes. Note that this does not provide authenticity (though it does provide integrity). One option to achieve authenticity would be to sign the hash file (as opposed to signing the release file directly), but this should only be done with a cryptographicailly secure hash function, and neither sha1 nor md5 are cryptographically secure hash functions.

So, if you wish to sign hashes, one option is to upload a file SHA256SUMS (with the sha256 hash of all the files uploaded for a given release) and sign that with a detached signature in a file named SH256SUMS.sign. The benefit here is that you only need one signature file for all files uploaded during a release. This is, in fact, how Debian and many Linux distributions sign their releases

• ​https://get.debian.org/images/archive/11.9.0/amd64/iso-dvd/

[dd32]

Hi @maltfield,

I apologise for the runaround you've had with reporting this.

This ticket is the centralised ticket for signing of WordPress.org packages:
​https://core.trac.wordpress.org/ticket/39309

The implementation work 5 years ago stalled due to technical limitations in the chosen direction (which were determined after initial implementation) and lack of a good solution at the time for the needs of WordPress (PGP and similar tools that are widely used by other platforms did not meet our needs).

To be blunt: We won't be implementing signing of releases, without that core support being present. The discussion of this can continue on the core ticket.