In 2016, Wordfence published its findings on a vulnerability that could have compromised the servers used to send out WordPress updates. It turned out to be a complex, obscure vulnerability, and it ignited a conversation about the security of api.wordpress.org and what could happen if those servers were compromised.
One idea that was brought forth is to digitally sign WordPress core, theme, and plugin updates. A Trac ticket proposing exactly that has lain semi-dormant for at least five years.
Fifteen months ago, Scott Arciszewski, Chief Development Officer for Paragon Initiative Enterprises, who is most widely known for his cryptography engineering work, published an article (since taken down) expressing his strong desire for Matt Mullenweg to make secure cryptographic signatures a priority. Mullenweg responded with a post of his own, stating that although WordPress update signing is important, it is not a high priority.
“We will at some point; as said above it’s a good idea — can’t hurt, might help,” Mullenweg responded when asked if WordPress was ever going to do update signing. “There are, however, some more important security issues in front of it, that impact millions of sites in the real world, so we are prioritizing those issues above a nice-to-have, defense in-depth effort.”
Eric Mann Launches Secure WordPress Updates Plugin
While WordPress does not digitally sign updates, Eric Mann, founder of Displace Technologies, LLC, has created and released a new plugin that adds code signing to WordPress core updates. It’s called DGXPCO or Digital Guarantees for eXplicitly Permitted Core Operations. You’ll find it on the plugin directory by searching for DGXPCO.
When installed and activated, the plugin integrates with the core updater and requires that any core update carry a valid signature before it can be installed. The signature provides a secondary source of truth that confirms the integrity of the files, independent of the server that delivered them. The signatures are created with an Ed25519 public/private keypair, using libsodium to sign the files' contents.
Mann keeps the private key offline and has published the public key. The public key will not change, so a core update signed by a different key is a red flag and should not be installed. In addition, commits to the release hashes repository on GitHub are signed with Mann's PGP key, so that anyone checking the repository can verify that he is the one who added new hashes and code.
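To make the described scheme concrete, here is an added example (not DGXPCO's own code, and not WordPress core's) that performs the two halves of the process in PHP with ext/sodium: an offline signing step that hashes a release package and signs it with an Ed25519 secret key, and an updater-side check that verifies the detached signature against a single pinned public key, rejecting both tampered packages and packages signed by any other key. The package file, the key material and the function names are constructed for the demonstration; the WordPress updater hook the plugin attaches to is not shown.

```php
<?php
// Added example: Ed25519 release signing and pinned-key verification with
// ext/sodium, modelled on the scheme the article describes. Not the plugin's code.
declare(strict_types=1);

// --- Offline step (release manager's machine) ---------------------------------
// The keypair is generated once. Only the public key is ever published; the
// secret key stays offline. Generated here purely so the demo is self-contained.
$keypair   = sodium_crypto_sign_keypair();
$secretKey = sodium_crypto_sign_secretkey($keypair);

// The pinned public key a site would ship with, hex-encoded as it might be
// embedded in the plugin. Any signature not verifiable under this key is rejected.
$pinnedPublicKeyHex = sodium_bin2hex(sodium_crypto_sign_publickey($keypair));

/**
 * Build the message that actually gets signed: the package file name plus a
 * SHA-384 digest of its contents. Signing the digest line rather than the raw
 * zip keeps the signed message small and makes the hash itself auditable.
 */
function release_message(string $packagePath): string
{
    return basename($packagePath) . ' sha384=' . hash_file('sha384', $packagePath);
}

/** Offline signing step. Returns a detached Ed25519 signature, hex-encoded. */
function sign_release(string $packagePath, string $secretKey): string
{
    return sodium_bin2hex(sodium_crypto_sign_detached(release_message($packagePath), $secretKey));
}

/**
 * Updater-side check. Recomputes the digest from the downloaded file and
 * verifies the signature under the pinned key only. A malformed signature,
 * a tampered file, or a signature made with any other key all yield false.
 */
function verify_release(string $packagePath, string $signatureHex, string $pinnedPublicKeyHex): bool
{
    try {
        return sodium_crypto_sign_verify_detached(
            sodium_hex2bin($signatureHex),
            release_message($packagePath),
            sodium_hex2bin($pinnedPublicKeyHex)
        );
    } catch (SodiumException $e) {
        // Wrong signature/key length or bad hex: treat as a failed verification.
        return false;
    }
}

// --- Demonstration with a constructed stand-in for a core package ------------
$package = tempnam(sys_get_temp_dir(), 'wp-');
file_put_contents($package, "constructed stand-in for a wordpress core zip\n");

$goodSig = sign_release($package, $secretKey);
echo 'genuine release: ', verify_release($package, $goodSig, $pinnedPublicKeyHex) ? "accepted\n" : "rejected\n";

// A second, unpublished key: a valid Ed25519 signature, but not from the pinned key.
$rogueSecret = sodium_crypto_sign_secretkey(sodium_crypto_sign_keypair());
$rogueSig    = sign_release($package, $rogueSecret);
echo 'signed by other key: ', verify_release($package, $rogueSig, $pinnedPublicKeyHex) ? "accepted\n" : "rejected\n";

// Tamper with the package after it was signed; the digest no longer matches.
file_put_contents($package, "appended after signing\n", FILE_APPEND);
echo 'tampered release: ', verify_release($package, $goodSig, $pinnedPublicKeyHex) ? "accepted\n" : "rejected\n";

unlink($package);
```

The verifier deliberately takes only the pinned key as input rather than a key supplied alongside the download; that is what turns "signed by a different key" into a hard failure instead of something the update server could talk the client out of.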
Mann admits that the solution is not fool-proof and is working towards improving it. In future versions, the plugin will only notify the user of a WordPress core update if a digital signature is available. Plugins and themes are on the roadmap as well with the ability to opt-in.
At present Mann is the only person who can sign packages, and he acknowledges that a single signer is not a sustainable model.
“As I prove out the update system, I’ll also begin adding sets of public keys that are scoped to specific sets of packages,” Mann said. “This will, for example, allow me to whitelist a small number of trusted developers to also sign core packages. It might also empower plugin developers to sign their own releases (but not anyone else’s).”
Mann is seeking feedback and is hoping the project provides evidence that something like it can be added to WordPress core.