{"id":31544554,"url":"https://github.com/cloudfest/signed-autoupdate","last_synced_at":"2025-10-04T13:47:50.585Z","repository":{"id":57050507,"uuid":"124667195","full_name":"Cloudfest/signed-autoupdate","owner":"Cloudfest","description":"[Hackathon Demo] A simple way to sign packages/plugins/themes/modules","archived":false,"fork":false,"pushed_at":"2018-03-11T17:44:08.000Z","size":1125,"stargazers_count":4,"open_issues_count":0,"forks_count":1,"subscribers_count":4,"default_branch":"master","last_synced_at":"2024-11-15T03:04:45.572Z","etag":null,"topics":["autoupdate","modules","plugins","sign","verify","wordpress"],"latest_commit_sha":null,"homepage":"https://www.cloudfest.com/hackathon","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Cloudfest.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-03-10T15:13:08.000Z","updated_at":"2018-03-13T09:01:39.000Z","dependencies_parsed_at":"2022-08-23T17:50:29.677Z","dependency_job_id":null,"html_url":"https://github.com/Cloudfest/signed-autoupdate","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Cloudfest/signed-autoupdate","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cloudfest%2Fsigned-autoupdate","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cloudfest%2Fsigned-autoupdate/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cloudfest%2Fsigned-autoupdate/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cloudfest%2Fsigned-autoupdate/manifests","owner_url":"https://repos.ecosyste.ms
/api/v1/hosts/GitHub/owners/Cloudfest","download_url":"https://codeload.github.com/Cloudfest/signed-autoupdate/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cloudfest%2Fsigned-autoupdate/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278322187,"owners_count":25967873,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-04T02:00:05.491Z","response_time":63,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["autoupdate","modules","plugins","sign","verify","wordpress"],"created_at":"2025-10-04T13:47:49.017Z","updated_at":"2025-10-04T13:47:50.575Z","avatar_url":"https://github.com/Cloudfest.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Signed Autoupdate\n\n## Description\n\nProject was created on cloudfest hackathon for prototyping a signed transfer of plugin packages from developer to users. 
The project consists of:\n\n- [CLI](#cli) (a tool for creating keys and signatures)\n- [Client Implementation](#client-implementation) (a library to verify a package)\n- [WordPress Plugin](#wordpress-plugin) (a demo plugin demonstrating the signature checks and public key management)\n- [WordPress Test Environment](#wordpress-test-environment) (a Docker-based setup for developing or showing the plugin)\n\nFor testing purposes the WordPress plugin simple-cocomments was enhanced with the .well-known/* information needed for the demonstration of signature / public key signed packaging.\n\n## Libs\n\n### CLI\n\nThe CLI helps you to generate a keypair, to sign a package and to verify your signed package.\n\n#### Commands\n\n##### `generator:generate`\n\nTo generate a new keypair run:\n\n```bash\n$ signer.phar generator:generate [\u003cpath\u003e]\n```\n\nTo get the complete list of parameters use:\n\n```bash\n$ signer.phar generator:generate --help\n```\n\n##### `signer:sign`\n\nTo sign a package, navigate to the package folder and run:\n\n```bash\n$ signer.phar signer:sign [options] [--] \u003cpath\u003e \u003ckey\u003e\n```\n\nTo get the complete list of parameters use:\n\n```bash\n$ signer.phar signer:sign --help\n```\n\n##### `verifier:verify`\n\nTo verify a signed package, run:\n\n```bash\n$ signer.phar verifier:verify [\u003csignature\u003e] [\u003ckey\u003e] [\u003clist\u003e]\n```\n\nTo get the complete list of parameters use:\n\n```bash\n$ signer.phar verifier:verify --help\n```\n\n#### Build phar package\n\nTo build a new `.phar` package, you have to install [box](https://github.com/box-project/box2#as-a-global-composer-install) and run\n\n```bash\n$ box build -v\n```\n\nin the root of the `cli` folder.\n\n#### Screens\n\n![Package List View](doc/well-known.png)\n\n### Client Implementation\n\nInstallation via Composer:\n\n```bash\ncomposer require signed-autoupdate/signed-autoupdate\n```\n\nThe client implementation is straightforward: you need only your download 
package in zip format as well as your pre-installed public key.\n\nUsage example:\n```php\ninclude_once __DIR__ . '/vendor/autoload.php';\n\n// The public key is shipped with the client, hex-encoded\n$public_key = hex2bin('\u003cPublic Key\u003e');\n// Download the package and verify it against the public key before unpacking it into the target directory\n$update = new Update('https://example.com/update.zip',__DIR__.'/update-deploy',$public_key);\n```\nIf the signature check fails, the number of files in the update package is off, or the file hashes don't match, the update will not be processed and the zip file will be discarded.\n\n### WordPress Plugin\n\n#### Description\n\nThe plugin hooks into the download process of a plugin via add_filter and checks for the existence of some files. If\nsignatures exist, it tries to verify the files' signatures. The plugin also allows deletion and editing of public\nkeys.\n\nSo:\n\n- checks for the existence of: .well-known/signature.txt, .well-known/publickey.txt, .well-known/list.json\n- if they exist:\n  - and the public key is new, it is stored in the trusted store\n  - and the public key is already known, it is checked against the stored public key\n  - the update is blocked if the keys are not the same\n  - the package is verified using the signature, the public key and list.json\n- the SAU Signatures page shows already known signatures for editing / deletion\n\n\n#### Screens\n\n![Package List View](doc/package-list-view.png)\n![New Key Add During First Install](doc/new-key-found.png)\n![Reject Installation on Error](doc/installation-rejected-key-mismatch.png)\n\n\n### WordPress Test Environment\n\n#### Description\n\nThe WordPress Test Environment was the idea for a one-liner setup of the whole demonstration. Just execute ./do-it.sh; it will clone the latest WordPress from GitHub and this repository, and set up an Apache container with PHP 7.2 and a MySQL container for the database. 
It uses wp-cli to set up WordPress with the test123/test123 username on http://localhost:8091 .\n\nFor more information, look into webserver/Dockerfile, docker-compose.yml and the do-it.sh shell script.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudfest%2Fsigned-autoupdate","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcloudfest%2Fsigned-autoupdate","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudfest%2Fsigned-autoupdate/lists"}