
When downloading latest Piwik core release, check the PGP signature #7328

Open
mattab opened this issue Mar 2, 2015 · 4 comments
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. Task Indicates an issue is neither a feature nor a bug and it's purely a "technical" change.

Comments

@mattab
Member

mattab commented Mar 2, 2015

Follows up #6441

When we download the latest Piwik release over HTTPS, we could also check that the PGP signature is valid.

Note: not sure how it would work or if it's even possible, but there you go

@mattab mattab added the Task Indicates an issue is neither a feature nor a bug and it's purely a "technical" change. label Mar 2, 2015
@mattab mattab added this to the Long term milestone Mar 2, 2015
@taoeffect

(Deleted my previous message, there's a better way.)

You can do verification with the openssl command. For example, here's how I manually verify Sparkle updates:

sparkleVerify() {
    ARCHIVE="$1"   # the downloaded archive to check
    DSAPEM="$2"    # the publisher's DSA public key, PEM encoded
    SIGB64="$3"    # the base64-encoded DSA signature (from the Sparkle appcast)
    # echo "Verifying $ARCHIVE signature $SIGB64 with key: $DSAPEM"
    SIGFILE=$(mktemp -t sig.XXXXXX) || return 1
    # Decode the signature to raw bytes (macOS base64 takes -D; GNU coreutils takes -d)
    printf '%s' "$SIGB64" | base64 -D > "$SIGFILE"
    # SHA-1 the archive, then verify the DSA signature over that digest
    openssl dgst -sha1 -binary "$ARCHIVE" | openssl dgst -dss1 -verify "$DSAPEM" -signature "$SIGFILE"
    STATUS=$?
    rm -f "$SIGFILE"   # don't leave the decoded signature behind
    return $STATUS     # 0 only if openssl reported "Verified OK"
}

@taoeffect

If you're curious as to how to actually create the keys and the signatures, look at how Sparkle does it. If you use this method then verification will work with the example I gave above.
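The download-time check this issue asks for, as an added example that is not code from this issue, from Piwik or from Sparkle: a constructed publisher key pair signs a constructed stand-in archive, and a hypothetical verifyRelease function (assumed names, nothing from the project) checks the detached signature against the pinned public key and rejects a tampered copy. It uses RSA with SHA-256 instead of the DSA/SHA-1 pair in the function above, so it runs on current OpenSSL releases.

```shell
#!/bin/sh
# Added example: verify a downloaded archive against a detached signature with
# openssl. Key pair, "archive" and signature are all constructed locally.
set -u
WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT

# Publisher side (hypothetical): generate the release signing key once. The
# public half is pinned by the downloader and must never be fetched from the
# same place as the archive it is meant to authenticate.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/release.key" 2>/dev/null
openssl pkey -in "$WORK/release.key" -pubout -out "$WORK/release.pub" 2>/dev/null

# Constructed stand-in for a release archive, plus its detached signature,
# base64-encoded the way it would travel in a release manifest.
printf 'piwik-x.y.z.zip (constructed sample contents)\n' > "$WORK/archive.zip"
openssl dgst -sha256 -sign "$WORK/release.key" -out "$WORK/archive.sig" "$WORK/archive.zip"
SIGB64=$(base64 < "$WORK/archive.sig" | tr -d '\n')

# Downloader side: decode the signature and check it against the pinned key.
# Returns 0 only when the signature verifies, non-zero otherwise.
verifyRelease() {
    archive="$1"; pubkey="$2"; sigb64="$3"
    sigfile=$(mktemp "$WORK/sig.XXXXXX") || return 1
    # A malformed base64 blob is a failed verification, not an error to ignore.
    printf '%s' "$sigb64" | base64 -d > "$sigfile" 2>/dev/null || { rm -f "$sigfile"; return 1; }
    openssl dgst -sha256 -verify "$pubkey" -signature "$sigfile" "$archive" >/dev/null 2>&1
    status=$?
    rm -f "$sigfile"
    return $status
}

# The genuine download verifies.
verifyRelease "$WORK/archive.zip" "$WORK/release.pub" "$SIGB64" && echo "archive: signature OK"

# A download altered by even one byte must be rejected before it is installed.
cp "$WORK/archive.zip" "$WORK/tampered.zip"
printf 'x' >> "$WORK/tampered.zip"
verifyRelease "$WORK/tampered.zip" "$WORK/release.pub" "$SIGB64" || echo "tampered: signature REJECTED"
```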

@mattab mattab modified the milestones: Long term, Mid term Dec 23, 2015
@mattab mattab modified the milestones: Long term, Mid term Dec 5, 2016
@mattab mattab added the c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. label Aug 2, 2017
@mattab
Member Author

mattab commented Sep 18, 2017

Checking PGP signatures in plugins downloaded from Marketplace is covered in #11909

@mattab mattab changed the title When downloading latest release, check the PGP signature When downloading latest Piwik core release, check the PGP signature Sep 18, 2017
@mattab
Member Author

mattab commented May 15, 2019
