UBB.Developers Forums Community Development Programming PHP and Server-side Scripting Digital signature for files?

I'm in the process of building a new content management system (called Xenon), kinda like all those Nuke progs except on a smaller scale. I want to have the base system be pretty minimalistic as far as end-user features go, but have it be capable of accepting plugins so that features can be extended. Cuz that was the one big problem I had with all those other Nuke progs - they crammed so much stuff in there that I had no use for, it made it a real pain to install/administer them. So anyone who wants it can get the base program by itself, and then add only the things they need.

Now, the way I'm thinking of doing plugins is have all required files and information be stored as variables in one file, which the user uploads to his server, and the base app will unpack it all into the proper files and database entries. Rather a pain on the development end, but this would prolly be easiest on the user. There is just one problem I can find with this: if some evil PHP coder decided to write a bad file, they could present it as an official plugin and do all kinds of nasty things to the unsuspecting user's server if the user was unlucky enough to install it. So what I want to do is have some way to sign all the plugin files so that the main script won't install them without the proper signature. This would be easy with some sort of hashed password stored at the top of the plugin file - Xenon checks the password, matches it to the one it knows, and the installs only if the signature passes the test.

The problem with this system is, anyone that has the base program would easily be able to find the proper install key, and then it would still be just as easy to forge plugins.

So my question is, is there any way at all to somehow keep one key totally secret and out of the Xenon base script, so that even if someone does have have Xenon they still won't be able to get the first install key and forge plugins? Or is this just not feasible, and I should just include some sort of warning that if they didn't download the plugin from my official server it could be tainted?

Thanks in advance!

(PS - I hope this made sense. And sorry that I get kinda lengthy with my descriptions... hope this didn't take too awful long to read. )

---Jamin

It's possible if all the plugins have to be "certified" by a trusted party, such as yourself.

The signature could be the MD5 Message Digest of the plugin file, concatenated with a "secret word" known only to the trusted party.

$plugin_signature = md5($secret_word . $plugin_file_contents);

When computing the signature, you'd want to strip trailing whitespace from $plugin_file_contents, so that you get the same signature regardless of the platform.

------------
P.S. Never mind, that wouldn't work. I'll leave this here for the moment, though, in case I think of something better.

Thanks, Dave_L!

I was talking to one of my buddies last night after I got off work, and he said something like this too. Each plugin gets two keys: one that is a timestamp or something, and one that is a md5 hash of my secret word and that timestamp. These are displayed to the user before he installs the plugin, and he's promted to go to my site to verify the plugin. I then have a script set up on my site where he enters both keys, the script does all the checking, and tells him whether it's valid or not. This would be an optional step, Xenon itself would still be able to install an invalid plugin, but hopefully the user would be smart enough not to install it if it shows up that its not signed properly or whatever. Part of the timestamp key would also have an identifying number that matches a certain plugin - so that when the user verifies it, when it does pass the test it will say "This is a valid key for [Plugin Name Here]" - that way the baddies can't reuse a technically valid key for every new file they make (or they can, but the user will know that's what they're doing).

Thanks again I like the plugin file contents idea, I'll see what I can do about getting that to be part of the process too, since it does seem more secure.

---Jamin

Here's another attempt.

For each "approved" plugin, you would compute the file length and MD5 Message Digest. You would have a file on your site that contains this information for each of the plugins. Each line of the file might look like this: PLUGIN_NAME,LENGTH,MD5. You might also want to include a version number or date for the file in the first line.

Users of your script would download that file from your site, and your core script would read it to validate the plugins.