Add code signing to the Piwik Plugin upgrade process #11909
Labels
c: Security
For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.
Recently I have been looking into the security implications of automatically upgrading Piwik, and whilst the Piwik Core is verified using a GPG key, the plugins get no such verification. As a result, a malicious party gaining access to the plugin server could replace latest plugin versions with malicious versions with no verification.
The inclusion of libsodium in PHP 7.2 makes this easier. And there are pure-PHP libraries that are supported back to PHP 5. A similar issue was raised for WordPress, however it was postponed due to other priorities.
My understanding is that Piwik already implements auto-updates for its plugins and as such any attack on the Piwik plugin infrastructure could potentially expose a large number of systems to malicious code.
There is a respectable guide (also linked in that WordPress issue) here on implementing upgrades for PHP.
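A sketch of the check this issue asks for, added here as an example and not taken from the issue or from Piwik's code: verifying a detached Ed25519 signature over a plugin archive with libsodium (PHP 7.2+) before installing it. The function name, the throwaway key pair and the sample archive bytes are constructed for illustration; the example assumes the updater ships only a pinned public key and that the signing key is kept off the plugin server.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not a Piwik API): accept a downloaded plugin archive
 * only if its detached Ed25519 signature verifies against the pinned key.
 */
function plugin_archive_is_trusted(string $archive, string $sigB64, string $pinnedPk): bool
{
    $sig = base64_decode($sigB64, true);
    // Fail closed on malformed input. A signature or key of the wrong length
    // would otherwise make sodium_crypto_sign_verify_detached() throw.
    if ($sig === false || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return false;
    }
    if (strlen($pinnedPk) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES) {
        return false;
    }
    return sodium_crypto_sign_verify_detached($sig, $archive, $pinnedPk);
}

// Constructed demo data: a throwaway key pair stands in for the release key.
$keypair   = sodium_crypto_sign_keypair();
$secretKey = sodium_crypto_sign_secretkey($keypair);
$publicKey = sodium_crypto_sign_publickey($keypair);

$archive = "constructed bytes standing in for ExamplePlugin-1.0.0.zip";
$sigB64  = base64_encode(sodium_crypto_sign_detached($archive, $secretKey));

// A second, unrelated key models a signature not made by the release key.
$otherKey = sodium_crypto_sign_secretkey(sodium_crypto_sign_keypair());
$otherSig = base64_encode(sodium_crypto_sign_detached($archive, $otherKey));

$cases = [
    'genuine archive'            => [$archive, $sigB64],
    'archive changed on server'  => [$archive . "\x00extra", $sigB64],
    'signature missing'          => [$archive, ''],
    'signature from another key' => [$archive, $otherSig],
];

foreach ($cases as $label => [$bytes, $sig]) {
    $ok = plugin_archive_is_trusted($bytes, $sig, $publicKey);
    printf("%-28s %s\n", $label, $ok ? 'install' : 'reject');
}
```

Only the first case verifies; a modified archive, a missing signature and a signature made with a different key are all rejected before anything is installed.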