[Koha-bugs] [Bug 24632] Plugins should support simple signing for security/verifiability

bugzilla-daemon at bugs.koha-community.org
Thu Apr 30 05:14:49 CEST 2020


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24632

--- Comment #5 from David Cook <dcook at prosentient.com.au> ---
I'm thinking something along these lines:

https://ubuntu.com/tutorials/tutorial-how-to-verify-ubuntu

Verify a metadata file or checksum file using a provider's public key (using
one of the modules I've suggested). 

Then verify the plugin using a checksum in the metadata file or in the checksum
file.

I'm thinking signing the checksum file is probably the better way to go. 

And if we create a system preference to manage this, we can have it turned off
by default (for backwards compatibility), but then more cautious parties (like
vendors) can enable it. 

Essentially you'd need to verify a plugin during the installation process. 

--

I have many competing projects during my quarantine time, but I'm going to try
and look at this tonight. It really shouldn't be that difficult, and I think it
would be a huge benefit for the plugin system and Koha.
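
The two-step check described in the comment above, as an added shell example that is not part of the comment or of Koha's code. The `SHA256SUMS` / `SHA256SUMS.gpg` file names follow the linked Ubuntu tutorial; the dedicated keyring, the on/off flag standing in for the proposed system preference, and all function names are assumptions.

```shell
# Added example: fail-closed plugin verification before installation.
# Assumed layout (not from the bug report): SHA256SUMS and SHA256SUMS.gpg sit
# in one directory; the keyring holds only provider keys the admin trusts.
# Requires gpgv (GnuPG) and sha256sum (GNU coreutils).

# Step 1: verify the detached signature over the checksum file.
# gpgv trusts every key in the keyring it is given, so pass a dedicated
# keyring by absolute path, never the installing user's default keyring.
verify_sums_signature() {
    keyring=$1 sums=$2 sig=$3
    [ -s "$keyring" ] && [ -s "$sums" ] && [ -s "$sig" ] || return 1
    gpgv --keyring "$keyring" "$sig" "$sums" >/dev/null 2>&1
}

# Step 2: compare the plugin's SHA-256 with the entry for its file name.
# Fails when the name has no entry, has more than one, or contains spaces.
verify_plugin_checksum() {
    sums=$1 plugin=$2
    name=$(basename -- "$plugin")
    # Entries look like "<64 hex>  <name>" (or " *<name>" in binary mode).
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { print tolower($1); c++ }
        END { if (c != 1) exit 1 }' "$sums") || return 1
    actual=$(sha256sum -- "$plugin" | awk '{ print $1 }')
    [ -n "$actual" ] && [ "$expected" = "$actual" ]
}

# Full check, gated by a hypothetical "require signed plugins" flag that is
# off (0) by default for backwards compatibility, as the comment proposes.
verify_plugin() {
    require_signed=$1 keyring=$2 dir=$3 plugin=$4
    [ "$require_signed" = 1 ] || return 0
    verify_sums_signature "$keyring" "$dir/SHA256SUMS" "$dir/SHA256SUMS.gpg" &&
        verify_plugin_checksum "$dir/SHA256SUMS" "$plugin"
}
```

The order matters: the checksum is only meaningful once the file that carries it has been authenticated, so the installer should refuse the plugin unless both steps succeed.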
