Gossamer WordPress Integration

At the end of this project, all updates to WordPress plugins and themes will be cryptographically signed by keys controlled by the developers.

This work is being tracked by Ticket #49200 in the WordPress Trac.

Integration cannot begin until the developer tools are complete.

Project Overview

Project Component | Status
Code-Signing for Core Updates | Complete
Changes to the WordPress Infrastructure | Pending
WordPress Gossamer Server | Pending
WordPress Core Gossamer Patch | Pending

Project Components

Code-Signing for Core Updates

For this component, tracked in Ticket #39309, Paragon Initiative Enterprises delivered sodium_compat, a pure-PHP polyfill of (most of) libsodium.

This was resolved in May 2019 (as of WordPress 5.2). If you're interested in the history of this project, read this page.

The remaining Gossamer work was not possible until this work was completed.


Changes to the WordPress Infrastructure

The WordPress update server will need to be updated to support Gossamer.

These changes include, in no particular order:

Status: Pending

WordPress Gossamer Server

This component is a rebuild of the Gossamer Server in WordPress (possibly as a plugin).

This goal exists for two reasons:

  1. To enable teams and individuals that are only familiar with WordPress to operate and understand their own server for a federated trust configuration.
  2. To provide API server implementation diversity.

Status: Pending

WordPress Core Gossamer Patch

The final stage of the WordPress integration project involves writing a patch to the WordPress core that configures and uses the Gossamer Client to authenticate theme and plugin updates.

Status: Pending