
When downloading latest Piwik core release, check the PGP signature

Open mattab opened this issue 10 years ago • 5 comments

Follows up #6441

When we download the latest Piwik release over HTTPS, we could also check that the PGP signature is valid.

Note: not sure how it would work or if it's even possible, but there you go

mattab avatar Mar 02 '15 06:03 mattab

(Deleted my previous message, there's a better way.)

You can do verification with the openssl command. For example, here's how I manually verify Sparkle updates:

sparkleVerify() {
    ARCHIVE="$1"   # the downloaded archive
    DSAPEM="$2"    # the publisher's DSA public key, PEM-encoded
    SIGB64="$3"    # the base64 DSA signature from the appcast
    # echo "Verifying $ARCHIVE signature $SIGB64 with key: $DSAPEM"
    SIGFILE=$(mktemp -t sig.XXXXXX) || return 1
    # macOS base64 decodes with -D, GNU coreutils with -d
    printf '%s' "$SIGB64" | base64 -D > "$SIGFILE" 2>/dev/null || printf '%s' "$SIGB64" | base64 -d > "$SIGFILE"
    # Sparkle signs the SHA-1 digest of the archive, so hash first and verify the digest.
    # -dss1 is the legacy name; OpenSSL 1.1 and later use -sha1 with a DSA key instead.
    openssl dgst -sha1 -binary "$ARCHIVE" | openssl dgst -dss1 -verify "$DSAPEM" -signature "$SIGFILE"
    RESULT=$?
    rm -f "$SIGFILE"
    return $RESULT
}

taoeffect avatar Mar 02 '15 06:03 taoeffect

If you're curious as to how to actually create the keys and the signatures, look at how Sparkle does it. If you use this method then verification will work with the example I gave above.

taoeffect avatar Mar 02 '15 07:03 taoeffect
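As an added example that is not part of this thread and is neither Sparkle's nor Piwik's code: a script that creates a signing key pair, signs a constructed sample archive, carries the signature base64-encoded the way an appcast entry would, and verifies it on the download side, including the two cases a downloader must reject (a tampered archive, and a signature made over a different file). It assumes RSA with SHA-256 via openssl in place of the DSA/SHA-1 pipeline Sparkle used at the time; the file names and function names are made up for the example.

```shell
#!/bin/sh
# Added example, not project code. Assumes openssl is installed; uses RSA/SHA-256 in place
# of Sparkle's DSA/SHA-1 scheme. The "release" is a constructed sample file.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Publisher side: key pair. The private key never leaves the release machine;
# only pub.pem ships with the application and is the pinned trust anchor.
make_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/priv.pem" 2>/dev/null
    openssl pkey -in "$WORK/priv.pem" -pubout -out "$WORK/pub.pem"
}

# Publisher side: detached signature over the archive bytes, base64 on one line
# so it can be placed in the update feed next to the download URL.
sign_archive() {  # $1 = archive path; prints the base64 signature on stdout
    openssl dgst -sha256 -sign "$WORK/priv.pem" "$1" | openssl base64 -A
}

# Downloader side: rebuild the binary signature and verify it against the pinned key.
# Returns 0 for a good signature, 1 otherwise (tampered archive, wrong key, or a
# signature that belongs to some other file).
verify_archive() {  # $1 = archive, $2 = public key PEM, $3 = base64 signature
    sigfile=$(mktemp "$WORK/sig.XXXXXX")
    printf '%s' "$3" | openssl base64 -d -A > "$sigfile"
    if openssl dgst -sha256 -verify "$2" -signature "$sigfile" "$1" >/dev/null 2>&1; then
        rm -f "$sigfile"; return 0
    fi
    rm -f "$sigfile"; return 1
}

# Constructed sample release; in practice this is the downloaded piwik archive.
printf 'sample release contents\n' > "$WORK/piwik.zip"
make_keys
SIG=$(sign_archive "$WORK/piwik.zip")

# A single changed byte must fail verification, as must a signature over another file.
printf 'tampered release contents\n' > "$WORK/piwik-tampered.zip"
good=$(verify_archive "$WORK/piwik.zip" "$WORK/pub.pem" "$SIG" && echo ok || echo FAIL)
bad=$(verify_archive "$WORK/piwik-tampered.zip" "$WORK/pub.pem" "$SIG" && echo ok || echo FAIL)
echo "original: $good, tampered: $bad"
```

The check is only as strong as the pinning of the public key: if the downloader fetched pub.pem from the same server as the archive, whoever controls that server could replace both, so the key has to ship with the installed application (or be verified out of band) rather than be downloaded alongside the release.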

Checking PGP signatures in plugins downloaded from Marketplace is covered in https://github.com/piwik/piwik/issues/11909

mattab avatar Sep 18 '17 02:09 mattab

See also details on how WP does it: https://paragonie.com/blog/2019/05/wordpress-5-2-mitigating-supply-chain-attacks-against-33-internet

mattab avatar May 15 '19 08:05 mattab

The remaining task is to add instructions on the download page, "How to verify PGP/GPG signature", which is covered in #10687. Therefore, this ticket will now be closed.

randy-innocraft avatar Aug 14 '24 22:08 randy-innocraft