wp-cli / ideas

💡 Ideas and feature requests are collected here

Verify checksums for premium plugins #167

Open jasonblewis opened 2 years ago

jasonblewis commented 2 years ago

Feature Request

Describe your use case and the problem you are facing

When checking that no files have been corrupted using wp plugin verify-checksums --all it would be really nice if paid plugins were also checked. Currently my output looks like this:

$ wp plugin verify-checksums --all
Warning: Could not retrieve the checksums for version 5.10.2 of plugin advanced-custom-fields-pro, skipping.
Warning: Could not retrieve the checksums for version 8.0.1.6 of plugin backupbuddy, skipping.
Warning: Could not retrieve the checksums for version 2.5.14 of plugin gravityforms, skipping.
Success: Verified 11 of 14 plugins (3 skipped).

Describe the solution you'd like

Please provide a way for plugin makers to also have their checksums checked. Ideally by registering an official set of checksums for the plugin and its versions?

PS. I love wp cli. Such an awesome tool. thanks for making it.

schlessera commented 2 years ago

For this to work, we'd need either:

  1. a secure way for plugin vendors to upload checksums to a central repository.
  2. a secure way for WP-CLI to fetch checksums from plugin vendors' sites/endpoints.
  3. a way for hosting premium plugins on the wordpress.org infrastructure.

For a basic implementation of scenarios 1. & 2., the checksums would fail one of their main purposes. As the checksums would originate from the same third-party as the actual download, you'd need to be able to verify that third-party itself. Otherwise, anyone could easily spoof such a third-party vendor and provide a malicious version of the plugin together with the matching checksums.

For scenario 3., wordpress.org would need to provide some way of enforcing licensing/download restrictions, otherwise most vendors would refuse to upload their premium plugins.

This is not something the WP-CLI project can easily solve, and needs to be discussed at the ecosystem level. However, realistically, I see little hope for this being prioritised anytime soon...

jasonblewis commented 2 years ago

@schlessera thanks for the clear explanation, and understood that it is an ecosystem-level request that is unlikely to get priority any time soon. I'll just add that maybe a way for plug-in authors to cryptographically sign their plug-ins could be an approach? No idea how this could work in practice but I'm just putting it out there as an idea.
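The point made in the two comments above, as an added Go example that is not part of WP-CLI or of this thread: checksums fetched from the same party that serves the download prove nothing about that party, so the installer first checks the vendor's signature over the checksum manifest against a public key it already pinned, and only then trusts the checksums. The manifest format, the Ed25519 choice and the plugin file names are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Manifest maps plugin file paths to hex SHA-256 digests of their contents.
type Manifest map[string]string

// Digest returns the hex SHA-256 of one file's contents.
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// BuildManifest is the vendor side: hash every file of the plugin (path -> content).
func BuildManifest(files map[string][]byte) Manifest {
	m := Manifest{}
	for p, data := range files {
		m[p] = Digest(data)
	}
	return m
}

// Canonical serialises the manifest deterministically (encoding/json sorts map keys).
func Canonical(m Manifest) []byte {
	b, _ := json.Marshal(m) // marshalling map[string]string cannot fail
	return b
}

// VerifyPlugin is the installer side: trust the manifest only once its signature
// verifies against the pinned vendor key, then check each file against it.
func VerifyPlugin(pinned ed25519.PublicKey, m Manifest, sig []byte, files map[string][]byte) error {
	if !ed25519.Verify(pinned, Canonical(m), sig) {
		return fmt.Errorf("manifest not signed by pinned vendor key")
	}
	if len(m) != len(files) {
		return fmt.Errorf("file set differs from manifest")
	}
	for p, data := range files {
		if m[p] != Digest(data) {
			return fmt.Errorf("checksum mismatch: %s", p)
		}
	}
	return nil
}
```

A manifest whose checksums match the files perfectly is still rejected when it was signed by any key other than the pinned one, which is exactly the spoofed-vendor case the comment describes.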

danielbachhuber commented 1 year ago

I moved this issue to wp-cli/ideas with state:unlikely.

If the infrastructure for premium plugin checksums is ever produced, this is something we could consider.

Alternatively, someone could implement this as a third-party package.