Upgrade/Install: Add more context in signature verify failures.

This includes version numbers and signature counts in error reports, to help diagnose isolated failures that have no apparent cause.

Props dd32.
See #39309.


git-svn-id: https://develop.svn.wordpress.org/trunk@45112 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Alex Shiels 2019-04-05 05:19:15 +00:00
parent 9945849317
commit 45771f9f11

View File

@ -1154,6 +1154,9 @@ function verify_file_signature( $filename, $signatures, $filename_for_errors = f
/* translators: 1: The filename of the package. */
__( 'The authenticity of %1$s could not be verified as no signature was found.' ),
'<span class="code">' . esc_html( $filename_for_errors ) . '</span>'
),
array(
'filename' => $filename_for_errors,
)
);
}
@ -1163,11 +1166,14 @@ function verify_file_signature( $filename, $signatures, $filename_for_errors = f
mbstring_binary_safe_encoding();
$skipped_key = $skipped_signature = 0;
foreach ( (array) $signatures as $signature ) {
$signature_raw = base64_decode( $signature );
// Ensure only valid-length signatures are considered.
if ( SODIUM_CRYPTO_SIGN_BYTES !== strlen( $signature_raw ) ) {
$skipped_signature++;
continue;
}
@ -1176,6 +1182,7 @@ function verify_file_signature( $filename, $signatures, $filename_for_errors = f
// Only pass valid public keys through.
if ( SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES !== strlen( $key_raw ) ) {
$skipped_key++;
continue;
}
@ -1201,6 +1208,10 @@ function verify_file_signature( $filename, $signatures, $filename_for_errors = f
'keys' => $trusted_keys,
'signatures' => $signatures,
'hash' => bin2hex( $file_hash ),
'skipped_key' => $skipped_key,
'skipped_sig' => $skipped_signature,
'php' => phpversion(),
'sodium' => defined( 'SODIUM_LIBRARY_VERSION' ) ? SODIUM_LIBRARY_VERSION : ( defined( 'ParagonIE_Sodium_Compat::VERSION_STRING' ) ? ParagonIE_Sodium_Compat::VERSION_STRING : false ),
)
);
}
@ -1210,7 +1221,7 @@ function verify_file_signature( $filename, $signatures, $filename_for_errors = f
*
* @since 5.2.0
*
* @return array List of hex-encoded Signing keys.
* @return array List of base64-encoded Signing keys.
*/
function wp_trusted_keys() {
$trusted_keys = array();