https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24632
ByWater Sandboxes <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #104032|0                           |1
        is obsolete|                            |

--- Comment #13 from ByWater Sandboxes <[email protected]> ---
Created attachment 104035
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=104035&action=edit
Bug 24632: Verify Koha plugin signatures against trusted author public keys

The concept is that Koha plugin authors will sign their plugins using their
RSA private key, and they'll share their public key with Koha users/the
public. Koha users will upload/import these public keys into Koha. When
uploading plugins, Koha users will also be prompted to upload a signature
file, which will be provided by Koha plugin authors.

By default, signature verification will be optional. However, if you enable
the system preference "RequirePluginSignatures", you will only be able to
upload Koha plugins which have been signed by a trusted author (i.e. an
author for whom you have stored a public key).

This patch adds the plugin_keys table and a web UI to store trusted author
public keys, adds the "RequirePluginSignatures" system preference to secure
the upload process, and updates the plugin upload to verify signatures.

Test Plan:
0) Apply patch
1) Download Example Koha Plugin Developer public key
   https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=104031
2) Download Kitchen Sink plugin signature
   https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=104030
3) Download version 2.1.39 of the Kitchen Sink plugin
   https://github.com/bywatersolutions/koha-plugin-kitchen-sink/releases/download/v2.1.39/koha-plugin-kitchen-sink-v2.1.39.kpz
4) Go to /cgi-bin/koha/plugins/plugins-keys.pl
5) Upload "Example Koha Plugin Developer public key" here with any "Name"
   you want
6) Go to /cgi-bin/koha/plugins/plugins-upload.pl
7) Upload Kitchen Sink plugin
8) Notice it uploaded without a signature.
9) Uninstall Kitchen Sink plugin
10) Go to system preferences and enable "RequirePluginSignatures"
11) Go to /cgi-bin/koha/plugins/plugins-upload.pl
12) Upload Kitchen Sink plugin
13) Notice an error message saying upload failed
14) Go to /cgi-bin/koha/plugins/plugins-home.pl
15) Observe there is no uploaded plugin
16) Go to /cgi-bin/koha/plugins/plugins-upload.pl
17) Upload Kitchen Sink plugin
18) Upload Kitchen Sink plugin signature
19) Notice the plugin uploaded

Advanced Test Plan:
Instead of downloading the Kitchen Sink plugin signature and public key, try
creating your own keys and signature. The below is just a quick example, and
not necessarily the recommended process. Consider a larger key size.
1) openssl genrsa -des3 -out private.pem 2048
2) openssl rsa -in private.pem -outform PEM -pubout -out public.pem
3) openssl dgst -sha256 -sign private.pem -out koha-plugin-kitchen-sink-v2.1.39.sig koha-plugin-kitchen-sink-v2.1.39.kpz
4) Repeat normal test plan from step 4

Signed-off-by: Holly <[email protected]>

-- 
You are receiving this mail because:
You are watching all bug changes.
You are the assignee for the bug.
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
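The sign-and-verify round trip the commit message describes, as an added shell example built on the openssl CLI. It is not Koha's code and not part of the bug mail; it models the author side (key pair, signature over the .kpz) and the Koha side (accept only if a stored trusted key verifies the signature), and it also exercises the rejections an administrator would want to see when "RequirePluginSignatures" is on: a tampered archive, a signature from an author whose key was never imported, and a missing signature file. Assumptions: all file names are hypothetical, the "plugin" is a constructed byte string standing in for a real .kpz, the key size is raised to 3072 as the advanced test plan suggests, the `-des3` passphrase option is dropped so the script runs unattended, and the try-every-trusted-key loop is this example's own way of modelling the check, not Koha's implementation.

```shell
#!/bin/sh
# Added example (not Koha code): Koha-style plugin signature workflow with openssl.
# Author side: generate an RSA key pair, sign the archive bytes with SHA-256.
# Koha side: accept the upload only if some imported (trusted) public key verifies
# the signature over the exact uploaded bytes.  File names are hypothetical; the
# "plugin" is a constructed stand-in for a .kpz (openssl signs raw bytes, so the
# archive format is irrelevant to the check).
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# --- Author side -------------------------------------------------------------
# The test plan uses 'genrsa -des3', which passphrase-encrypts the private key
# and prompts interactively; omitted here so the script runs unattended.
author_keygen() {   # $1 = private key out, $2 = public key out
    openssl genrsa -out "$1" 3072 2>/dev/null
    openssl rsa -in "$1" -pubout -out "$2" 2>/dev/null
}

author_sign() {     # $1 = private key, $2 = plugin archive, $3 = signature out
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# --- Koha side ---------------------------------------------------------------
# A raw openssl signature carries no key identifier, so each stored trusted key
# is tried in turn (this loop is the example's modelling choice, not Koha's code).
# A signature from an author whose key was never imported fails exactly like a
# forged one; a missing signature file is rejected outright.
verify_plugin() {   # $1 = trusted-keys dir, $2 = plugin archive, $3 = signature
    [ -f "$3" ] || { echo "rejected: no signature file supplied" >&2; return 1; }
    for pub in "$1"/*.pem; do
        [ -f "$pub" ] || continue
        if openssl dgst -sha256 -verify "$pub" -signature "$3" "$2" >/dev/null 2>&1; then
            echo "accepted: signed by trusted key $(basename "$pub" .pem)"
            return 0
        fi
    done
    echo "rejected: no trusted key verifies this signature" >&2
    return 1
}

# --- Scenario ----------------------------------------------------------------
TRUSTED="$WORK/trusted-keys"; mkdir "$TRUSTED"
PLUGIN="$WORK/koha-plugin-example-v1.0.0.kpz"        # constructed stand-in
printf 'PK\003\004 constructed plugin archive bytes\n' > "$PLUGIN"

# Trusted author: key pair generated, public half "imported" into the key store.
author_keygen "$WORK/author.pem" "$TRUSTED/example-author.pem"
author_sign   "$WORK/author.pem" "$PLUGIN" "$PLUGIN.sig"

# Untrusted author: signs the same archive, but the public key was never imported.
author_keygen "$WORK/rogue.pem" "$WORK/rogue-public.pem"
author_sign   "$WORK/rogue.pem" "$PLUGIN" "$WORK/rogue.sig"

# Tampered archive: one byte appended after signing.
TAMPERED="$WORK/tampered.kpz"
cp "$PLUGIN" "$TAMPERED"; printf 'x' >> "$TAMPERED"

verify_plugin "$TRUSTED" "$PLUGIN"   "$PLUGIN.sig"                  # accepted
verify_plugin "$TRUSTED" "$TAMPERED" "$PLUGIN.sig"      || true     # rejected: bytes changed
verify_plugin "$TRUSTED" "$PLUGIN"   "$WORK/rogue.sig"  || true     # rejected: untrusted key
verify_plugin "$TRUSTED" "$PLUGIN"   "$WORK/missing.sig" || true    # rejected: no signature
```

Two practical consequences follow from the check being a signature over the exact archive bytes: re-packing a .kpz with identical contents invalidates the author's signature, and `openssl dgst -verify` on its own never tells you which key matched, so anything that needs to report the trusted author's name has to iterate the key store as the loop above does.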
