Gossamer WordPress Integration
At the end of this project, all updates to WordPress plugins and themes will be cryptographically signed by keys controlled by the developers.
This work is being tracked by Ticket #49200 in the WordPress Trac.
Integration cannot begin until the developer tools are complete.
|Code-Signing for Core Updates||Complete|
|Changes to the WordPress Infrastructure||Pending|
|WordPress Gossamer Server||Pending|
|WordPress Core Gossamer Patch||Pending|
Code-Signing for Core Updates
The remaining Gossamer work was not possible until this work was completed.
Changes to the WordPress Infrastructure
The WordPress update server will need to be updated to support Gossamer.
These changes include, in no particular order:
- Enabling Developers to manage their verification keys.
- Enabling Developers to upload signatures along with their .zip files.
- Pushing updates to the cryptographic ledger. (Message queue?)
- Including relevant ledger metadata in API responses.
WordPress Gossamer Server
A rebuild of the Gossamer Server in WordPress. (Possibly as a plugin.)
This goal exists for two reasons:
- To enable teams and individuals that are only familiar with WordPress to operate and understand their own server for a federated trust configuration.
- API server implementation diversity.
WordPress Core Gossamer Patch
The final stage of the WordPress integration project involves writing a patch to the WordPress core that configures and uses the Gossamer Client to authenticate theme and plugin updates.