Improve upgrade process

[kildom]

Create a new orphan branch releases containing release information. It will have following files:

• info.json - information about newest release and certificates:
  • newest version number,
  • hash of the newest release,
  • file name of the script,
  • hash of the cacert.pem file,
  • extracted cacert needed only to get this information (github cacert),
  • signature of this file
• wp_downlaoder.php
• cacert.pem
• README.md

If this will be implemented, following thinks can be removed from the source code:

• downloading cacert.pem from curl.se and embedding its url/hash during the build.
• prevention from downgrading, because update will always get latest version. It will be ensured by the following steps.

Reading release information consist of following steps:

• download info.json
• verify a signature
• if HTTPS verification was not possible above:
  • apply extracted cacert from info.json
  • repeat from the beginning

Action running on schedule will (following step should also be in the release action):

• download new cacert file only if .sha1 file contains different hash than in json, else use cacert from the last commit,
• extract certificates needed by github from cacert,
• create a new commit in releases branch if something was updated.

[kildom]

Extracting certificate only for github from cacert.pem:

function get_url($url, $cert) {
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_USERAGENT, "WordPress Downloader PHP script");
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_CAINFO, __DIR__ . "/" . $cert);
    curl_setopt($ch, CURLOPT_CAPATH, __DIR__ . "/empty");
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch, CURLOPT_MAXREDIRS, 10);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_CERTINFO, 1);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $res = curl_exec($ch);
    if (curl_error($ch)) {
        echo("\n" . curl_error($ch) . "\n");
        $res = false;
    } else {
        $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        if ($status != 200) {
            echo("\nHTTP status code: $status\n");
            $res = false;
        }
    }
    if ($res !== false) {
        $res = curl_getinfo($ch, CURLINFO_CERTINFO);
    }
    curl_close($ch);
    return $res;
}

$list = get_url('https://raw.githubusercontent.com/kildom/wp_downloader/main/test.js', 'cacert.pem');
$certs = array();
foreach ($list as $c) {
    $x = openssl_x509_parse($c['Cert']);
    $x['-'] = $c['Cert'];
    $x['-in-cacert'] = false;
    array_push($certs, $x);
}

$list = file_get_contents('cacert.pem');
preg_match_all('/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/ms', $list, $m);
$cacerts = array();
foreach ($m[0] as $c) {
    $x = openssl_x509_parse($c);
    $x['-'] = $c;
    $x['-in-cacert'] = true;
    array_push($cacerts, $x);
}

$all = array_merge($certs, $cacerts);

function parseKeyIdentifier($key, $force) {
    $key = trim($key);
    $key = strtoupper(trim(preg_replace('/keyid\s*:?/i', '', $key)));
    if ($key == '' && $force) {
        echo('Invalid key!');
        exit(1);
    }
    return $key;
}

function find_root($c) {
    global $all;
    $subject = parseKeyIdentifier($c['extensions']['subjectKeyIdentifier'], true);
    $authority = parseKeyIdentifier($c['extensions']['authorityKeyIdentifier'], true);
    if ($c['-in-cacert']) {
        return $c;
    }
    foreach ($all as $cc) {
        $s = parseKeyIdentifier($cc['extensions']['subjectKeyIdentifier'], false);
        if ($s == $authority) {
            return find_root($cc);
        }
    }
    echo("Cannot find root for $subject!");
    exit(1);
}

$roots = array();

foreach ($certs as $c) {
    $r = find_root($c);
    $rs = parseKeyIdentifier($r['extensions']['subjectKeyIdentifier'], true);
    $roots[$rs] = $r;
}

$pem = '';
foreach ($roots as $root) {
    $pem .= trim($root['-']) . "\n\n";
}

file_put_contents('temp.pem', $pem);

$test = get_url('https://raw.githubusercontent.com/kildom/wp_downloader/main/test.js', 'temp.pem');
if ($test) {
    echo($pem);
} else {
    echo("Extracted certificate is invalid\n");
    exit(1);
}

[kildom]

Signing JSON:

$data['signature'] = '---SIGNATURE---';
$data = json_encode($data, JSON_PRETTY_PRINT);
$data = str_replace('---SIGNATURE---', sign($data), $data);

Verify JSON:

$file = '...';
$data = json_decode($file);
$file = str_replace($data['signature'], '---SIGNATURE---', $file);
verify($data['signature'], $file);

[kildom]

With this following levels of cacert workarounds can be used:

• level 0 - use system cacerts
• level 1 - securly download from github release branch
• level 2 - use downloaded from github cacerts to download newest from curl.se

[kildom]

Done in v0.0.5