From 45771f9f118befebd601af3632e5fbe03c7690c5 Mon Sep 17 00:00:00 2001 From: Alex Shiels Date: Fri, 5 Apr 2019 05:19:15 +0000 Subject: [PATCH] Upgrade/Install: Add more context in signature verify failures. This includes version numbers and signature counts in error reports, to help diagnose isolated failures that have no apparent cause. Props dd32. See #39309. git-svn-id: https://develop.svn.wordpress.org/trunk@45112 602fd350-edb4-49c9-b593-d223f7449a82 --- src/wp-admin/includes/file.php | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/src/wp-admin/includes/file.php b/src/wp-admin/includes/file.php index 3c245a2226..435f6572a4 100644 --- a/src/wp-admin/includes/file.php +++ b/src/wp-admin/includes/file.php @@ -1154,6 +1154,9 @@ function verify_file_signature( $filename, $signatures, $filename_for_errors = f /* translators: 1: The filename of the package. */ __( 'The authenticity of %1$s could not be verified as no signature was found.' ), '' . esc_html( $filename_for_errors ) . '' + ), + array( + 'filename' => $filename_for_errors, ) ); } @@ -1163,11 +1166,14 @@ function verify_file_signature( $filename, $signatures, $filename_for_errors = f mbstring_binary_safe_encoding(); + $skipped_key = $skipped_signature = 0; + foreach ( (array) $signatures as $signature ) { $signature_raw = base64_decode( $signature ); // Ensure only valid-length signatures are considered. if ( SODIUM_CRYPTO_SIGN_BYTES !== strlen( $signature_raw ) ) { + $skipped_signature++; continue; } @@ -1176,6 +1182,7 @@ function verify_file_signature( $filename, $signatures, $filename_for_errors = f // Only pass valid public keys through. if ( SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES !== strlen( $key_raw ) ) { + $skipped_key++; continue; } 
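Review bot: `$skipped_key` is initialised in the hunk at -1163 but incremented in the hunk at -1176, in what appears to be a per-key loop nested inside the `foreach` over `$signatures` (the inner loop header is outside both hunks). If so, it counts signature/key pairs rather than distinct malformed keys, and a single bad trusted key is counted once for every valid-length signature. Since the value exists to diagnose failure reports, a comment at the initialisation would keep it from being misread, e.g. `// Counted per loop iteration: skipped_key may exceed count( $trusted_keys ).` Splitting the chained assignment into `$skipped_key = 0;` and `$skipped_signature = 0;` would also read more plainly. The body of verify_file_signature starts and ends outside these hunks.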
@@ -1197,10 +1204,14 @@ function verify_file_signature( $filename, $signatures, $filename_for_errors = f ), // Error data helpful for debugging: array( - 'filename' => $filename_for_errors, - 'keys' => $trusted_keys, - 'signatures' => $signatures, - 'hash' => bin2hex( $file_hash ), + 'filename' => $filename_for_errors, + 'keys' => $trusted_keys, + 'signatures' => $signatures, + 'hash' => bin2hex( $file_hash ), + 'skipped_key' => $skipped_key, + 'skipped_sig' => $skipped_signature, + 'php' => phpversion(), + 'sodium' => defined( 'SODIUM_LIBRARY_VERSION' ) ? SODIUM_LIBRARY_VERSION : ( defined( 'ParagonIE_Sodium_Compat::VERSION_STRING' ) ? ParagonIE_Sodium_Compat::VERSION_STRING : false ), ) ); } @@ -1210,7 +1221,7 @@ function verify_file_signature( $filename, $signatures, $filename_for_errors = f * * @since 5.2.0 * - * @return array List of hex-encoded Signing keys. + * @return array List of base64-encoded Signing keys. */ function wp_trusted_keys() { $trusted_keys = array();
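Review bot: The new `'php'` and `'sodium'` entries in the hunk at -1197 put runtime version strings into the WP_Error data next to the trusted keys, signatures and file hash. Whatever consumes this error is not visible here, but it should keep the data array to admin-side diagnostics or update reporting and never echo it into output that unprivileged users can read. The nested ternary for `'sodium'` is hard to scan on one line and yields `false` when neither constant is defined; a comment such as `// Native libsodium version, else the sodium_compat polyfill version, else false.` would document that. `PHP_VERSION` gives the same value as `phpversion()` without a function call. The body of verify_file_signature starts outside the hunk.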