[Koha-bugs] [Bug 24632] Plugins should support simple signing for security/verifiability
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Thu Apr 30 16:02:59 CEST 2020
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24632
ByWater Sandboxes <bws.sandboxes at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #104032|0 |1
is obsolete| |
--- Comment #13 from ByWater Sandboxes <bws.sandboxes at gmail.com> ---
Created attachment 104035
-->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=104035&action=edit
Bug 24632: Verify Koha plugin signatures against trusted author public keys
The concept is that Koha plugin authors will sign their plugins using their RSA
private key, and they'll share their public key with Koha users/the public.
Koha
users will upload/import these public keys into Koha.
When uploading plugins, Koha users will also be prompted to upload a signature
file, which will be provided by Koha plugin authors.
By default, signature verification will be optional. However, if you enable
the system preference "RequirePluginSignatures", you will only be able to
upload
Koha plugins which have been signed by a trusted author (ie an author for whom
you
have stored a public key).
This patch adds the plugin_keys table and a web UI to store trusted author
public keys,
adds the "RequirePluginSignatures" system preference to secure the upload
process, and
updates the plugin upload to verify signatures.
Test Plan:
0) Apply patch
1) Download Example Koha Plugin Developer public key
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=104031
2) Download Kitchen Sink plugin signature
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=104030
3) Download version 2.1.39 of the Kitchen Sink plugin
https://github.com/bywatersolutions/koha-plugin-kitchen-sink/releases/download/v2.1.39/koha-plugin-kitchen-sink-v2.1.39.kpz
4) Go to /cgi-bin/koha/plugins/plugins-keys.pl
5) Upload "Example Koha Plugin Developer public key" here with any "Name" you
want
6) Go to /cgi-bin/koha/plugins/plugins-upload.pl
7) Upload Kitchen Sink plugin
8) Notice it uploaded without a signature.
9) Uninstall Kitchen Sink plugin
10) Go to systme preferences and enable "RequirePluginSignatures"
11) Go to /cgi-bin/koha/plugins/plugins-upload.pl
12) Upload Kitchen Sink plugin
13) Notice an error message saying upload failed
14) Go to /cgi-bin/koha/plugins/plugins-home.pl
15) Observe there is no uploaded plugin
16) Go to /cgi-bin/koha/plugins/plugins-upload.pl
17) Upload Kitchen Sink plugin
18) Upload Kitchen Sink plugin signature
19) Notice the plugin uploaded
Advanced Test Plan:
Instead of downloading the Koha Sink plugin signature and public key,
try creating your own keys and signature. The below is just a quick example,
and not necessarily the recommended process. Consider a larger key size.
1) openssl genrsa -des3 -out private.pem 2048
2) openssl rsa -in private.pem -outform PEM -pubout -out public.pem
3) openssl dgst -sha256 -sign private.pem -out
koha-plugin-kitchen-sink-v2.1.39.sig koha-plugin-kitchen-sink-v2.1.39.kpz
4) Repeat normal test plan from step 4
Signed-off-by: Holly <hc at interleaf.ie>
--
You are receiving this mail because:
You are watching all bug changes.
You are the assignee for the bug.
More information about the Koha-bugs
mailing list