Skip to content

Verify DID of incoming package during an update #441

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
johnbillion wants to merge 3 commits into
base: release_1.4.0
Choose a base branch
from
Draft

Verify DID of incoming package during an update #441

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
5eaaa1a
Verify the DID in the extracted package matches the expected DID.
johnbillion Feb 14, 2026
9ca2c37
Add tests for all the DID verification cases.
johnbillion Feb 14, 2026
c5577e5
Coding standards.
johnbillion Feb 14, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions inc/updater/class-updater.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -90,6 +90,8 @@ public static function load_hooks() {
add_filter( 'upgrader_pre_download', 'FAIR\\Updater\\verify_signature_on_download', 10, 4 );
}

add_filter( 'upgrader_source_selection', 'FAIR\\Updater\\verify_did_on_source_selection', 9, 4 );

foreach ( self::$plugins as $package ) {
Packages\add_package_to_release_cache( $package->did );
}
Expand Down
56 changes: 56 additions & 0 deletions inc/updater/namespace.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -239,6 +239,62 @@ function verify_signature_on_download( $reply, string $package, WP_Upgrader $upg
);
}

/**
* Verify the DID in the extracted package matches the expected DID.
*
* Hooked to `upgrader_source_selection` at priority 9, before renaming hooks.
*
* @param string|WP_Error $source File source location, or a WP_Error object.
* @param string $remote_source Remote file source location.
* @param WP_Upgrader $upgrader WP_Upgrader instance.
* @param array $hook_extra Extra arguments passed to hooked filters.
* @return string|WP_Error The source path on success, WP_Error on failure.
*/
function verify_did_on_source_selection( $source, string $remote_source, WP_Upgrader $upgrader, $hook_extra ) {
// Pass through errors from earlier hooks.
if ( is_wp_error( $source ) ) {
return $source;
}

if ( ! $upgrader instanceof Plugin_Upgrader && ! $upgrader instanceof Theme_Upgrader ) {
return $source;
}

$expected_did = get_site_transient( CACHE_DID_FOR_INSTALL );
if ( ! $expected_did ) {
return $source;
}

$type = $upgrader instanceof Plugin_Upgrader ? 'plugin' : 'theme';

$actual_did = Packages\get_did_by_path( $source, $type );

if ( is_wp_error( $actual_did ) ) {
return new WP_Error(
'fair.packages.did_verification.not_found',
sprintf(
/* translators: %s: The expected DID. */
__( 'Could not find a package ID in the downloaded package. Expected: %s', 'fair' ),
$expected_did
)
);
}

if ( $actual_did->get_id() === $expected_did ) {
return $source;
}

return new WP_Error(
'fair.packages.did_verification.mismatch',
sprintf(
/* translators: %1$s: The expected DID, %2$s: The actual DID found. */
__( 'Package ID mismatch. Expected: %1$s, found: %2$s', 'fair' ),
$expected_did,
$actual_did->get_id()
)
);
}

/**
* Get trusted keys for signature verification.
*
Expand Down
5 changes: 5 additions & 0 deletions tests/phpunit/data/updater/test-plugin-no-did/test-plugin-no-did.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
<?php
/**
* Plugin Name: Test Plugin Without DID
* Version: 1.0.0
*/
6 changes: 6 additions & 0 deletions tests/phpunit/data/updater/test-plugin/test-plugin.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
<?php
/**
* Plugin Name: Test Plugin
* Plugin ID: did:plc:testmatchingtestmatchi00
* Version: 1.0.0
*/
4 changes: 4 additions & 0 deletions tests/phpunit/data/updater/test-theme-no-did/style.css
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
/*
Theme Name: Test Theme Without DID
Version: 1.0.0
*/
5 changes: 5 additions & 0 deletions tests/phpunit/data/updater/test-theme/style.css
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
/*
Theme Name: Test Theme
Theme ID: did:plc:testmatchingtestmatchi00
Version: 1.0.0
*/
152 changes: 152 additions & 0 deletions tests/phpunit/tests/Updater/VerifyDidOnSourceSelectionTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,152 @@
<?php
/**
* Tests for FAIR\Updater\verify_did_on_source_selection().
*
* @package FAIR
*/

use const FAIR\Packages\CACHE_DID_FOR_INSTALL;
use function FAIR\Updater\verify_did_on_source_selection;

/**
* Tests for FAIR\Updater\verify_did_on_source_selection().
*
* @covers FAIR\Updater\verify_did_on_source_selection
*/
class VerifyDidOnSourceSelectionTest extends WP_UnitTestCase {

/**
* Fixtures directory.
*
* @var string
*/
private string $fixtures_dir;

/**
* Set up each test.
*/
public function set_up() {
parent::set_up();

require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
WP_Filesystem();
$this->fixtures_dir = dirname( __DIR__, 2 ) . '/data/updater';
}

/**
* Tests that WP_Error input is passed through unchanged.
*/
public function test_should_pass_through_wp_error() {
$error = new WP_Error( 'previous_error', 'Something failed' );
$upgrader = $this->createMock( Plugin_Upgrader::class );

$result = verify_did_on_source_selection( $error, '/tmp/remote', $upgrader, [] );

$this->assertWPError( $result, 'WP_Error input should be returned unchanged.' );
$this->assertSame( 'previous_error', $result->get_error_code(), 'Error code should be preserved.' );
}

/**
* Tests that source is returned when the plugin DID matches.
*/
public function test_should_return_source_when_plugin_did_matches() {
$source = $this->fixtures_dir . '/test-plugin/';
set_site_transient( CACHE_DID_FOR_INSTALL, 'did:plc:testmatchingtestmatchi00' );

$upgrader = $this->createMock( Plugin_Upgrader::class );

$result = verify_did_on_source_selection( $source, '/tmp/remote', $upgrader, [] );

$this->assertSame( $source, $result, 'Source should be returned when plugin DID matches.' );
}

/**
* Tests that source is returned when the theme DID matches.
*/
public function test_should_return_source_when_theme_did_matches() {
$source = $this->fixtures_dir . '/test-theme/';
set_site_transient( CACHE_DID_FOR_INSTALL, 'did:plc:testmatchingtestmatchi00' );

$upgrader = $this->createMock( Theme_Upgrader::class );

$result = verify_did_on_source_selection( $source, '/tmp/remote', $upgrader, [] );

$this->assertSame( $source, $result, 'Source should be returned when theme DID matches.' );
}

/**
* Tests that a WP_Error is returned when the plugin DID does not match.
*/
public function test_should_return_error_when_plugin_did_mismatches() {
$source = $this->fixtures_dir . '/test-plugin/';
set_site_transient( CACHE_DID_FOR_INSTALL, 'did:plc:wrongdidwrongdidwrongd00' );

$upgrader = $this->createMock( Plugin_Upgrader::class );

$result = verify_did_on_source_selection( $source, '/tmp/remote', $upgrader, [] );

$this->assertWPError( $result, 'A WP_Error should be returned when the plugin DID does not match.' );
$this->assertSame(
'fair.packages.did_verification.mismatch',
$result->get_error_code(),
'Error code should indicate a DID mismatch.'
);
}

/**
* Tests that a WP_Error is returned when the theme DID does not match.
*/
public function test_should_return_error_when_theme_did_mismatches() {
$source = $this->fixtures_dir . '/test-theme/';
set_site_transient( CACHE_DID_FOR_INSTALL, 'did:plc:wrongdidwrongdidwrongd00' );

$upgrader = $this->createMock( Theme_Upgrader::class );

$result = verify_did_on_source_selection( $source, '/tmp/remote', $upgrader, [] );

$this->assertWPError( $result, 'A WP_Error should be returned when the theme DID does not match.' );
$this->assertSame(
'fair.packages.did_verification.mismatch',
$result->get_error_code(),
'Error code should indicate a DID mismatch.'
);
}

/**
* Tests that a WP_Error is returned when the plugin has no Plugin ID header.
*/
public function test_should_return_error_when_plugin_has_no_did() {
$source = $this->fixtures_dir . '/test-plugin-no-did/';
set_site_transient( CACHE_DID_FOR_INSTALL, 'did:plc:testmatchingtestmatchi00' );

$upgrader = $this->createMock( Plugin_Upgrader::class );

$result = verify_did_on_source_selection( $source, '/tmp/remote', $upgrader, [] );

$this->assertWPError( $result, 'A WP_Error should be returned when the plugin has no DID.' );
$this->assertSame(
'fair.packages.did_verification.not_found',
$result->get_error_code(),
'Error code should indicate a missing DID.'
);
}

/**
* Tests that a WP_Error is returned when the theme has no Theme ID header.
*/
public function test_should_return_error_when_theme_has_no_did() {
$source = $this->fixtures_dir . '/test-theme-no-did/';
set_site_transient( CACHE_DID_FOR_INSTALL, 'did:plc:testmatchingtestmatchi00' );

$upgrader = $this->createMock( Theme_Upgrader::class );

$result = verify_did_on_source_selection( $source, '/tmp/remote', $upgrader, [] );

$this->assertWPError( $result, 'A WP_Error should be returned when the theme has no DID.' );
$this->assertSame(
'fair.packages.did_verification.not_found',
$result->get_error_code(),
'Error code should indicate a missing DID.'
);
}
}