[wp-trac] [WordPress Trac] #60871: Sign releases (PGP, GPG)
WordPress Trac
noreply at wordpress.org
Wed Apr 10 18:52:37 UTC 2024
#60871: Sign releases (PGP, GPG)
--------------------------+------------------------------
Reporter: maltfield | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Resolution:
Keywords: | Focuses:
--------------------------+------------------------------
Comment (by maltfield):
@chesio to be clear, this issue is very different from #39309.
The ask in #39309 requires updating the WordPress code to verify updates
in-app. That's a very difficult thing to do, and it's no surprise that
it's taken years.
The ask in this ticket requires no code changes. It's a process change
that only requires a human to issue a `gpg` command to create a signature
file and upload it along with the release when a release is created.
This is low-hanging fruit that can drastically increase the security of
WordPress installs with very minimal effort.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/60871#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
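
The detached-signature workflow the comment refers to, as an added example that is not part of the ticket or of any WordPress release process. It assumes GnuPG 2.1 or later; the throwaway key identity and the file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: sign a release archive with a detached signature, then
# verify it. Key identity and file names are constructed placeholders.

# Isolated keyring with a throwaway signing key (demo only; a real project
# would sign with a long-lived release key whose fingerprint is published).
setup_demo_key() {
    GNUPGHOME="$(mktemp -d)"
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Release Key <release@example.invalid>' \
        ed25519 sign never
}

# Maintainer side: write an ASCII-armored detached signature to <file>.asc.
sign_release() {
    gpg --batch --yes --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$1.asc" "$1"
}

# User side: exit status 0 only if <file>.asc is a valid signature over the
# exact bytes of <file>, made by a key present in the keyring.
verify_release() {
    gpg --batch --quiet --verify "$1.asc" "$1" 2>/dev/null
}

demo() {
    WORK="$(mktemp -d)"
    setup_demo_key || return 1
    printf 'constructed release contents\n' > "$WORK/release.zip"
    sign_release "$WORK/release.zip" || return 1
    verify_release "$WORK/release.zip" && echo "unmodified archive: signature OK"
    # Any change to the archive after signing must make verification fail.
    printf 'modified after signing\n' >> "$WORK/release.zip"
    verify_release "$WORK/release.zip" || echo "modified archive: signature BAD"
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$WORK" "$GNUPGHOME"
}

demo
```

Verification only tells the user the archive matches a signature from a key in their keyring, so the release key's fingerprint has to reach users through a channel independent of the download server.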