Plugin certification / code signature / trusted vendors / plugin store

[danielmarschall]

A few ideas regarding third-party plugins.

• Plugin certification: Receive some kind of code-signing certificate from ViaThinkSoft if the plugin passed various compatibility tests, similar to the Microsoft Hardware Qualification Certificate for drivers.
• Plugin store (app store) for plugins. Maybe let the plugins be installed and uninstalled via GUI from the administrator login area.
• Code signature: Some kind of X.509 certificate that signs all PHP file and resources?
• Trusted vendor: Selected/well-known/certified people from Packagist, GitHub, etc. could be "trusted vendors", i.e. if a plugin comes from their GitHub/Packagist/... repository, then it is automatically trusted, even without code-signature. We assume that "GitHub account is hacked" and "Code signing key is stolen" is equal risk.

Ideas how to do the code-signature? Maybe a checksum TXT file (like we currently have in our system-integrity-plugin) and sign it using PGP or even X.509 with Code Signature EKU?

Which tasks can be done by @wehowski IO4/Bridge plugin? (What does IO4 stand for?)

[danielmarschall]

Note: It is important that OIDplus and all of its features must stay functional even in case ViaThinkSoft or frdlweb would become defunct. So, all server-side software should be open source (so that everybody could replace the ViaThinkSoft/frdlweb server) and the X.509 certificate authority should not rely on ViaThinkSoft, instead on publicly trusted Root CA. However, it is okay if ViaThinkSoft becomes an additional Root CA for the usage of plugin code signing.

[wehowski]

Which tasks can be done by @wehowski IO4/Bridge plugin? (What does IO4 stand for?)

io4 steht für Schnittstellen, z.B. statt zwei Plugins für zwei Systeme soll z.B. EINE Schnittstelle/Package/Service mit verschiedenen Systemen verbunden sein. Könnte man übersetzen mit "interoperable for..." . Beispiele:

• Composer-GUI und OIDplus https://github.com/frdl/oiplus-composer-plugin
• RDAP-Server Schnittstellen
• Config-Sources/Shared-Data
• Brücken von und zu OIDplus mit anderer Software/Libs
• ...

I will add more documentation and updates as soon as possible...!

Plugin store (app store) for plugins This functionality is built in composer already! You can (by packagist:false repo config) force composer to only install packages listed in a trusted repository, e.g. a packagist repository like https://pkg.dev.frdl.de/organization/oidplus-plugins/package .

Code Signature... Ehrlich gesagt da habe ich keine besonderen Erfahrungen mit oder viel Ahnung von. Generell würde ich empfehlen möglichst wenige selbst zu bauen und die vorhanden Standards zu verwenden. Da kenne ich mich nicht viel aus und muss selber erst googeln... Könnte mit vorstellen das es ein overhead erzeugt jede einzelne Datei zu behandeln/signieren, zudem wenn der User die Dateien bearbeitet ...!? Im Prinzip ist das eher wichtig für zips/downloads/installs ob der code signiert ist?

...