Include checksums for themes on WordPress.org #149

Open
lukecav opened this issue Sep 3, 2020 · 12 comments
Comments

@lukecav
lukecav commented Sep 3, 2020

It would be similar to the checksum command which exists for plugins.

wp theme verify-checksums --all

https://developer.wordpress.org/cli/commands/plugin/verify-checksums/

@erickhavel
Yes please! I'm so surprised that this doesn't exist yet. I would believe it to be quite similar to implement compared to the plugin equivalent.

@erickhavel
It would be extremely useful for checking/monitoring sites for malware. Both wp core verify-checksums and wp plugin verify-checksums --all do this in a very convenient way, allowing you to easily script to check for issues and even automatically fix them if you so please. But then you're still leaving the theme(s) unchecked.

@schlessera
Member

The main issue here is that there is no infrastructure for this on the wordpress.org servers yet. Surprisingly, the infrastructure for managing and distributing themes is completely different than the infrastructure for managing and distributing plugins.

From a discussion at https://meta.trac.wordpress.org/ticket/3192:

Themes are strangely much easier.
  • Can't have multiple versions of a file in any given version.
  • ZIP file names contain the Version Header.
  • SVN tags are based on the Version Header.
  • Theme Authors don't have access to SVN, so all the version numbers are handled correctly without human error.
Checksums could therefore be generated/served very easily there, but we'd probably leave that until the ZIP storage method for themes is updated to a similar process that we use for Plugins.

@dd32 Are there any updates about the themes infrastructure and how the ZIP storage method works?

@dd32
dd32 commented Sep 17, 2020

Are there any updates about the themes infrastructure and how the ZIP storage method works?

No changes have been made there yet.

Theme zips are also regenerated occasionally, although the files contained within should remain static.

Given the time since the above meta ticket, waiting for an eventual change to happen probably isn't ideal, and adding checksums for themes can probably be done sooner than later.
I don't recall how much work it'd be to add, but I guess it shouldn't be too bad.

@malwador
malwador commented Feb 9, 2021

This would be very useful, especially for security issues. I usually use:

wp checksum core && wp checksum plugins --all

I'd love to have the theme part also check themes on wpdotorg repo.

@yosh-se
yosh-se commented Jul 21, 2021

This'd be really neat to have in wp-cli :)

@paulschreiber
I would like to have wp theme verify checksums as well as a single command to verify plugins, themes and core.

@fblaser
fblaser commented Apr 23, 2023

I'd be very happy to contribute something to make this happen.

@paulharris
Perhaps the WordPress theme installer can keep a copy of the installed zips on the server, so wp-cli or other tools can verify against what was installed?

@fblaser
fblaser commented May 19, 2023

@paulharris in the case of a compromised website where the attacker is able to modify files in the theme, it would be easy for the attacker to also alter the zips on the server, making the checksum verification less trustworthy.

@fblaser
fblaser commented May 19, 2023

I've been thinking about how to implement this feature in the current situation (i.e. not waiting on wp.org to provide the checksums, as this doesn't seem to be priority).

First, I thought about generating the checksums on the fly:

  • Downloading the theme from wp.org
  • Calculating checksums
  • Checking the installed files against the checksums (as is done for core/plugins)

This implies that we download the plugin/calculate the checksums every time we run the command, which is not very optimal. One could think of adding a local cache... but it could get overly complicated for a temporary solution. It's also a lot of added code that will need to be cleaned up once the checksums are available on wp.org. Not ideal...

Given the above, I would like to offer the following solution:

  • Implement the wp theme verify-checksums as if the checksums were already on wp.org
  • Create a checksum-proxy: a hosted PHP/app script that does the theme downloading and checksum calculations, keeping the results ready for the next time the checksums are needed.
  • Add a --proxy argument to the command, so that one can ask wp-cli to get the checksums from a trusted checksum-proxy instead of wp.org.

This way, the command is ready to be used whenever wp.org is ready (and then, the proxy idea can be trashed), but can also be used before that by deploying a "checksum-proxy" and using the --proxy argument. Do you think it would be worthwhile working in this direction?
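As an added example (not wp-cli code and not from this thread), here is a Python sketch of the two halves described above: the proxy side computing per-file SHA-256 checksums from a downloaded theme zip, and the verification side comparing an installed theme directory against them, reporting modified, missing and added files the way the plugin command does. The theme name, file contents, tampering and checksum layout are all constructed for the example; wp.org's eventual format may differ.

```python
import hashlib, io, tempfile, zipfile, pathlib

# Constructed sample theme release (stands in for a zip downloaded from wp.org).
THEME_FILES = {"demo-theme/style.css": b"/*\nTheme Name: Demo\nVersion: 1.0\n*/\n",
               "demo-theme/index.php": b"<?php get_header(); ?>\n",
               "demo-theme/functions.php": b"<?php add_theme_support('title-tag');\n"}

def build_theme_zip(files=THEME_FILES):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

def generate_checksums(zip_bytes):
    # Proxy side: one SHA-256 per file, keyed by path relative to the theme slug directory.
    sums = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                rel = info.filename.split("/", 1)[1]  # drop the leading "demo-theme/"
                sums[rel] = hashlib.sha256(zf.read(info)).hexdigest()
    return sums

def verify_theme(theme_dir, checksums):
    # wp-cli side: flag files that differ from, are missing from, or were added to the release.
    theme_dir = pathlib.Path(theme_dir)
    report = {"modified": [], "missing": [], "added": []}
    for rel, expected in checksums.items():
        path = theme_dir / rel
        if not path.is_file():
            report["missing"].append(rel)
        elif hashlib.sha256(path.read_bytes()).hexdigest() != expected:
            report["modified"].append(rel)
    for path in theme_dir.rglob("*"):
        rel = path.relative_to(theme_dir).as_posix()
        if path.is_file() and rel not in checksums:
            report["added"].append(rel)
    return report

def demo():
    zip_bytes = build_theme_zip()
    checksums = generate_checksums(zip_bytes)
    with tempfile.TemporaryDirectory() as tmp:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            zf.extractall(tmp)
        theme_dir = pathlib.Path(tmp) / "demo-theme"
        # Constructed tampering: appended code, a deleted file and a stray new file.
        with open(theme_dir / "functions.php", "ab") as fh:
            fh.write(b"// unexpected addition\n")
        (theme_dir / "index.php").unlink()
        (theme_dir / "wp-x.php").write_bytes(b"<?php // not part of the release\n")
        return verify_theme(theme_dir, checksums)
```

Note that the checksums must come from a source the site cannot write to (wp.org or a trusted proxy), which is the point raised about locally stored zips later in this thread.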

@paulharris
@paulharris in the case of a compromised website where the attacker is able to modify files in the theme, it would be easy for the attacker to also alter the zips on the server, making the checksum verification less trustworthy.

I was wondering about that. From what I've seen so far, the attacks against us have only allowed modifications within public_html, so I was thinking you could store the zips outside of public_html.
Verifying against a trusted external source would be better.
