Gossamer WordPress Integration
At the end of this project, all updates to WordPress plugins and themes will be cryptographically signed by keys controlled by the developers.
This work is being tracked by Ticket #49200 in the WordPress Trac.
Integration cannot begin until the developer tools are complete.
Project Overview
| Project Component | Status |
|---|---|
| Code-Signing for Core Updates | Complete |
| Changes to the WordPress Infrastructure | Pending |
| WordPress Gossamer Server | Pending |
| WordPress Core Gossamer Patch | Pending |
Project Components
Code-Signing for Core Updates
This work was tracked in Ticket #39309: Paragon Initiative Enterprises delivered a pure-PHP polyfill of (most of) libsodium, called sodium_compat.
This was resolved in May 2019 (as of WordPress 5.2). If you're interested in the history of this project, read this page.
The remaining Gossamer work was not possible until this work was completed.
Status: COMPLETE
Changes to the WordPress Infrastructure
The WordPress update server will need to be updated to support Gossamer.
These changes include, in no particular order:
- Enabling Developers to manage their verification keys.
- Enabling Developers to upload signatures along with their .zip files.
- Pushing updates to the cryptographic ledger. (Message queue?)
- Including relevant ledger metadata in API responses.
Status: Pending
WordPress Gossamer Server
A rebuild of the Gossamer Server in WordPress. (Possibly as a plugin.)
This goal exists for two reasons:
- To enable teams and individuals who are only familiar with WordPress to operate and understand their own server for a federated trust configuration.
- API server implementation diversity.
Status: Pending
WordPress Core Gossamer Patch
The final stage of the WordPress integration project involves writing a patch to the WordPress core that configures and uses the Gossamer Client to authenticate theme and plugin updates.
Status: Pending