Signature system for plugins #1
Labels
feature
New feature or request
priority: p1
This is a very important issue. It should be fixed as fast as possible.
Comments
This comment was marked as spam.
This comment was marked as spam.
PalmDevs
added
feature
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Why
Revenge has first-party support for plugins. Plugins can execute arbitrary code. A malicious actor can embed malware into the plugin.
Solution
Add a signature system to verify plugins. The author's signature must, and ours should accompany each plugin.
The author's signature is so the user can ensure the plugin was signed off by someone they trust. Our signature is needed so the user can verify that we trust the plugin and that it is secure.
How it works
The system checks the signatures and executes the plugin under the following conditions:
If no signature is present or any of the two is invalid, the likelihood of tampering with the plugin is high, and the plugin should not be executed. If the author's signature is present but is not trusted yet, the user must first agree to trust the author without our assurance. If our signature is present but the author's signature is missing or invalid, we made a mistake as we trusted a plugin that the author has not signed off on.
By default, the environment should configure the keys and revenge trusts. Our environment configures our keys. Another environment, such as a fork or a local environment, would configure its keys.
The text was updated successfully, but these errors were encountered: