Add code signing to the Piwik Plugin upgrade process #11909

Open
software-opal opened this issue Aug 2, 2017 · 1 comment
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.

Comments

software-opal commented Aug 2, 2017

Recently I have been looking into the security implications of automatically upgrading Piwik and whilst the Piwik Core is verified using a GPG key, the plugins get no such verification. As a result, a malicious party gaining access to the plugin server could replace the latest plugin versions with malicious versions with no verification.

The inclusion of libsodium in PHP 7.2 makes this easier. And there are pure-PHP libraries that are supported back to PHP 5. A similar issue was raised for WordPress, however it was postponed due to other priorities.

My understanding is that Piwik already implements auto-updates for its plugins and as such any attack on the Piwik plugin infrastructure could potentially expose a large number of systems to malicious code.

There is a respectable guide (also linked in that WordPress issue) here on implementing upgrades for PHP.
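The check proposed in the comment above, sketched as an added example that is not part of the issue and is not Piwik/Matomo code: a detached Ed25519 signature from PHP's sodium extension (PHP 7.2+) is verified against a public key pinned in the installed core before a plugin archive is unpacked. It goes slightly beyond the comment by signing the plugin name and version together with the archive hash, so an older signed release cannot be served in place of the requested one. The function names, the message layout and the sample data are assumptions made for illustration.

```php
<?php
// Added illustration, not Piwik/Matomo code. All names here are hypothetical.

/** Bytes that get signed: name, version and archive hash, NUL-separated.
 *  Assumption: plugin names and versions never contain a NUL byte. */
function pluginSignedMessage(string $name, string $version, string $archive): string
{
    return $name . "\0" . $version . "\0" . hash('sha512', $archive);
}

/** True only if $sigHex is a valid signature by the pinned key over this exact
 *  name, version and archive. The key ships with the installed core, so the
 *  download server cannot replace it along with the archive. */
function verifyPluginArchive(string $name, string $version, string $archive,
                             string $sigHex, string $pinnedKeyHex): bool
{
    // Reject malformed input up front; the sodium call throws on wrong lengths.
    if (!ctype_xdigit($sigHex) || strlen($sigHex) !== 2 * SODIUM_CRYPTO_SIGN_BYTES) {
        return false;
    }
    if (!ctype_xdigit($pinnedKeyHex)
        || strlen($pinnedKeyHex) !== 2 * SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES) {
        return false;
    }
    return sodium_crypto_sign_verify_detached(
        hex2bin($sigHex),
        pluginSignedMessage($name, $version, $archive),
        hex2bin($pinnedKeyHex)
    );
}

// Constructed demo data: a throwaway key pair stands in for the release key,
// whose secret half would stay offline and never touch the plugin server.
$keyPair = sodium_crypto_sign_keypair();
$pinned  = bin2hex(sodium_crypto_sign_publickey($keyPair));
$archive = "constructed plugin archive bytes";
$sig     = bin2hex(sodium_crypto_sign_detached(
    pluginSignedMessage('ExamplePlugin', '1.2.0', $archive),
    sodium_crypto_sign_secretkey($keyPair)
));

// Genuine release as signed.
var_dump(verifyPluginArchive('ExamplePlugin', '1.2.0', $archive, $sig, $pinned));
// Archive replaced on the server after signing.
var_dump(verifyPluginArchive('ExamplePlugin', '1.2.0', $archive . 'x', $sig, $pinned));
// Same signed archive offered under a different version number.
var_dump(verifyPluginArchive('ExamplePlugin', '1.3.0', $archive, $sig, $pinned));
// Truncated signature.
var_dump(verifyPluginArchive('ExamplePlugin', '1.2.0', $archive, substr($sig, 2), $pinned));
```

An updater using a check like this would refuse to unpack or install any archive for which the function returns false.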

mattab (Member) commented Aug 2, 2017

Thanks for the suggestion. Yes, it would be great to implement the code signing verification mechanism when downloading plugins from the Marketplace. And we also should implement this code signing mechanism when downloading the Piwik core platform via the auto-update mechanism.

Note: currently, the code signing is not checked; we only download the upgrade over HTTPS. The code signing procedure has to be done manually by the users who know about it. We would like to implement this as part of #7328.
We also should surface the manual code signing instructions better, see #10687.

@mattab mattab added the c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. label Aug 2, 2017
@mattab mattab added this to the Priority Backlog (Help wanted) milestone Jun 18, 2019