
Verify checksums for premium plugins #167

Open

jasonblewis opened this issue Oct 27, 2021 · 3 comments

Comments

@jasonblewis
Feature Request

Describe your use case and the problem you are facing

When checking that no files have been corrupted using wp plugin verify-checksums --all it would be really nice if paid plugins were also checked. Currently my output looks like this:

$ wp plugin verify-checksums --all
Warning: Could not retrieve the checksums for version 5.10.2 of plugin advanced-custom-fields-pro, skipping.
Warning: Could not retrieve the checksums for version 8.0.1.6 of plugin backupbuddy, skipping.
Warning: Could not retrieve the checksums for version 2.5.14 of plugin gravityforms, skipping.
Success: Verified 11 of 14 plugins (3 skipped).

Describe the solution you'd like

Please provide a way for plugin makers to also have their checksums checked, ideally by registering an official set of checksums for the plugin and its versions?

PS. I love wp cli. Such an awesome tool. thanks for making it.

@schlessera
Member

For this to work, we'd need either:

  1. a secure way for plugin vendors to upload checksums to a central repository.
  2. a secure way for WP-CLI to fetch checksums from plugin vendors' sites/endpoints.
  3. a way for hosting premium plugins on the wordpress.org infrastructure.

For a basic implementation of scenarios 1. & 2., the checksums would fail one of their main purposes. As the checksums would originate from the same third-party as the actual download, you'd need to be able to verify that third-party itself. Otherwise, anyone could easily spoof such a third-party vendor and provide a malicious version of the plugin together with the matching checksums.

For scenario 3., wordpress.org would need to provide some way of enforcing licensing/download restrictions, otherwise most vendors would refuse to upload their premium plugins.

This is not something the WP-CLI project can easily solve, and needs to be discussed at the ecosystem level. However, realistically, I see little hope for this being prioritised anytime soon...

@jasonblewis
Author

@schlessera thanks for the clear explanation, and understood that it is an ecosystem-level request that is unlikely to get priority any time soon. I'll just add that maybe a way for plug-in authors to cryptographically sign their plug-ins could be an approach? No idea how this could work in practice, but I'm just putting it out there as an idea.
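The two points above, schlessera's observation that a manifest fetched from the same third party as the download proves nothing unless that party can itself be verified, and jasonblewis's suggestion of having vendors sign their plugins, can be put side by side in a small runnable model. This is an added example, not WP-CLI's code or any commenter's; it uses an in-memory stand-in for a plugin directory, and a hash-based Lamport one-time signature (built from SHA-256 so it needs only the standard library) in place of the Ed25519 or similar scheme a real implementation would use. The function names (`verify_unsigned`, `verify_signed`, `demo`) and the sample file contents are constructed for illustration.

```python
"""Why a checksum manifest from the download source is not enough, and how a
vendor signature over that manifest, checked against a key pinned out of band,
changes the outcome.  Added example; not part of WP-CLI."""
import hashlib
import json
import secrets

HASH = hashlib.sha256


def file_checksums(files: dict[str, bytes]) -> dict[str, str]:
    """Per-file SHA-256 digests keyed by relative path, the shape of data
    a verify-checksums style command compares against a manifest."""
    return {path: HASH(data).hexdigest() for path, data in sorted(files.items())}


def canonical(manifest: dict[str, str]) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


# Lamport one-time signature: a stand-in for a real signature scheme.
# One key pair must be used for exactly one signed message.
def lamport_keygen() -> tuple[list, list]:
    sk = [[secrets.token_bytes(32) for _ in range(2)] for _ in range(256)]
    pk = [[HASH(s).digest() for s in pair] for pair in sk]
    return sk, pk


def _message_bits(message: bytes) -> list[int]:
    digest = HASH(message).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk: list, message: bytes) -> list[bytes]:
    # Reveal one of the two secrets per bit of the message hash.
    return [sk[i][b] for i, b in enumerate(_message_bits(message))]


def lamport_verify(pk: list, message: bytes, sig: list[bytes]) -> bool:
    if len(sig) != 256:
        return False
    # Each revealed secret must hash to the published value for that bit.
    return all(HASH(sig[i]).digest() == pk[i][b]
               for i, b in enumerate(_message_bits(message)))


def verify_unsigned(files: dict[str, bytes], manifest: dict[str, str]) -> bool:
    """A basic implementation of scenarios 1/2: trust whatever manifest arrived
    alongside the download."""
    return file_checksums(files) == manifest


def verify_signed(files: dict[str, bytes], manifest: dict[str, str],
                  sig: list[bytes], pinned_pk: list) -> bool:
    """Check the manifest's signature against the vendor key pinned out of
    band first; only then compare the files against the manifest."""
    if not lamport_verify(pinned_pk, canonical(manifest), sig):
        return False
    return file_checksums(files) == manifest


# Constructed sample "plugin" contents (not any real plugin's files).
GENUINE = {"plugin.php": b"<?php // genuine\n", "inc/util.php": b"<?php\n"}
# Constructed tampered copy: one file replaced.
TAMPERED = dict(GENUINE, **{"plugin.php": b"<?php // modified\n"})


def demo() -> dict[str, bool]:
    vendor_sk, vendor_pk = lamport_keygen()      # vendor_pk is what gets pinned
    genuine_manifest = file_checksums(GENUINE)
    genuine_sig = lamport_sign(vendor_sk, canonical(genuine_manifest))

    # A spoofed vendor ships the tampered files with a matching manifest,
    # signed with a key that nobody has pinned.
    spoofed_manifest = file_checksums(TAMPERED)
    spoofed_sk, _ = lamport_keygen()
    spoofed_sig = lamport_sign(spoofed_sk, canonical(spoofed_manifest))

    return {
        # Checksums alone: the tampered bundle passes, because the attacker
        # controls both the files and the manifest.
        "unsigned_genuine": verify_unsigned(GENUINE, genuine_manifest),
        "unsigned_tampered": verify_unsigned(TAMPERED, spoofed_manifest),
        # With a pinned vendor key: only the genuine, vendor-signed pair passes.
        "signed_genuine": verify_signed(GENUINE, genuine_manifest, genuine_sig, vendor_pk),
        "signed_spoofed_manifest": verify_signed(TAMPERED, spoofed_manifest, spoofed_sig, vendor_pk),
        "signed_tampered_files": verify_signed(TAMPERED, genuine_manifest, genuine_sig, vendor_pk),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

The point of `demo()` is the second entry: with checksums alone, the tampered bundle verifies cleanly, which is exactly the gap schlessera describes. The pinned key moves the trust decision from "did the manifest match the files" to "did the vendor we already trust sign this manifest", and that decision is what a signing scheme for premium plugins would have to provide; how keys get distributed and pinned is the ecosystem-level problem the thread leaves open.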

@danielbachhuber danielbachhuber transferred this issue from wp-cli/extension-command Jul 28, 2022
@danielbachhuber danielbachhuber changed the title please provide a way for wp plugin verify-checksums to verify paid plugins Verify checksums for premium plugins Jul 28, 2022
@danielbachhuber
Member

I moved this issue to wp-cli/ideas with state:unlikely.

If the infrastructure for premium plugin checksums is ever produced, this is something we could consider.

Alternatively, someone could implement this as a third-party package.
