Hi all,

 

I’ve just written a patch that adds simple signing for security/verifiability to Koha plugins: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24632.

 

By default, it doesn’t really do anything, but if you enable the “RequirePluginSignatures” system preference, you will only be able to upload Koha plugins which have been signed by a trusted Koha plugin author. When uploading a plugin, you’ll also be prompted for a signature file, which you’ll need to upload in order to successfully upload the plugin.

 

Koha plugin authors can be trusted by uploading/importing their RSA signing public key into Koha.

 

I’ve included all the possible information Koha users and Koha (plugin) developers could need into my test plan(s).

 

Let me know how you go! I’d love to get feedback. I’ve been wanting to write this code for a long time, so I finally sat down for about 5 hours and just banged it all out. It’s probably far from perfect, but it’s functional and hopefully shouldn’t add too much of a burden to users or developers.

 

Cheers,

 

David Cook

Systems Librarian

Prosentient Systems

72/330 Wattle St

Ultimo, NSW 2007

Australia

 

Office: 02 9212 0899

Online: 02 8005 0595