@mattab opened this Issue on March 2nd 2015 Owner

Follows up #6441

When we download the latest piwik release over HTTPS, we could also check that the PGP signature is valid.

Note: not sure how it would work or if it's even possible, but there you go

@taoeffect commented on March 2nd 2015

(Deleted my previous message, there's a better way.)

You can do verification with the openssl command. For example, here's how I manually verify Sparkle updates:

sparkleVerify() {
    ARCHIVE="$1"   # downloaded archive to check
    DSAPEM="$2"    # publisher's DSA public key (PEM)
    SIGB64="$3"    # base64-encoded signature from the appcast
    # echo "Verifying $ARCHIVE signature $SIGB64 with key: $DSAPEM"
    SIGFILE=$(mktemp -t sig)
    # -D is the macOS base64 flag; GNU coreutils base64 uses -d
    echo -n "$SIGB64" | base64 -D > "$SIGFILE"
    # -dss1 = SHA-1 + DSA in OpenSSL 1.0.x; OpenSSL 1.1.0 and later spell it -sha1
    openssl dgst -sha1 -binary "$ARCHIVE" | openssl dgst -dss1 -verify "$DSAPEM" -signature "$SIGFILE"
    RC=$?
    rm -f "$SIGFILE"   # do not leave the decoded signature in the temp dir
    return $RC
}

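An added example, not code from the issue or from Sparkle: the same check as the function above, written for OpenSSL 1.1.0 and later (which dropped the `-dss1` option), with the temporary signature file cleaned up and a tamper test added. It assumes only that `openssl` is on PATH; the key, archive and signature are constructed inside `demo()`.

```shell
# Added example: Sparkle-style detached-signature check with current OpenSSL
# syntax. Assumes only that `openssl` (1.1.0 or newer) is on PATH; the key,
# archive and signature are constructed inside demo().

# verify_signature ARCHIVE PUBKEY_PEM SIGNATURE_B64
# Returns 0 only if the base64 signature verifies over the archive bytes.
verify_signature() {
    archive="$1"; pubkey="$2"; sig_b64="$3"
    sig_file=$(mktemp) || return 2
    # `openssl base64` decodes the same on GNU and macOS (no -d/-D split);
    # -A takes the signature as one unwrapped line, so strip any whitespace.
    if ! printf '%s' "$sig_b64" | tr -d ' \n\r' | openssl base64 -d -A > "$sig_file"; then
        rm -f "$sig_file"; return 2
    fi
    # Name the digest directly: -dss1 is gone since OpenSSL 1.1.0, and this
    # form works for RSA, DSA and EC public keys alike.
    if openssl dgst -sha256 -verify "$pubkey" -signature "$sig_file" "$archive" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -f "$sig_file"
    return $rc
}

# demo: play both sides. The publisher signs a constructed archive with a
# throwaway RSA key; the client verifies the intact file, then a tampered copy.
# Returns 0 when the intact archive passes and the tampered one is rejected.
demo() {
    work=$(mktemp -d) || return 2
    printf 'constructed piwik release payload\n' > "$work/piwik.zip"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$work/priv.pem" 2>/dev/null || return 2
    openssl pkey -in "$work/priv.pem" -pubout -out "$work/pub.pem" 2>/dev/null || return 2
    # The base64 line is what an appcast or release page would carry.
    sig_b64=$(openssl dgst -sha256 -sign "$work/priv.pem" "$work/piwik.zip" | openssl base64 -A)
    if verify_signature "$work/piwik.zip" "$work/pub.pem" "$sig_b64"; then ok=0; else ok=1; fi
    # Any change to the download, even one appended byte, must fail verification.
    printf 'x' >> "$work/piwik.zip"
    if verify_signature "$work/piwik.zip" "$work/pub.pem" "$sig_b64"; then bad=0; else bad=1; fi
    rm -rf "$work"
    [ "$ok" -eq 0 ] && [ "$bad" -ne 0 ]
}

if demo; then
    echo "intact archive verified, tampered archive rejected"
else
    echo "demo failed" >&2; exit 1
fi
```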
@taoeffect commented on March 2nd 2015

If you're curious as to how to actually create the keys and the signatures, look at how Sparkle does it. If you use this method then verification will work with the example I gave above.

@mattab commented on September 18th 2017 Owner

Checking PGP signatures in plugins downloaded from Marketplace is covered in https://github.com/piwik/piwik/issues/11909
