Juniper/Author

3 189

Juniper/Author

A WordPress plugin to manage plugin and theme ownership on various platforms, starting with Github.

How It Works

Juniper/Author is meant to be installed by plugin and theme authors who currently distribute or want to distribute their plugins and themes via Github.

It synchonizes your Github repositories to your public WordPress installation, which can then be used to cryptographically sign your ZIPs for distribution (coming soon). In addition, Juniper/Author provides a WordPress API endpoint for Juniper/Server, a distributed mirror system that does not rely on WordPress.org for finding and installing WordPress plugins and themes.

Installation

Juniper/Author can be installed as normal by downloading the plugin from Github and installing it in the WordPress admin. At some point in the near future, the Juniper/Berry installer will be complete which will allow only cryptographically signed ZIP files to be installed. Why is that important? When a ZIP file is signed and verified, it means it was generated by the author and not tampered with at any point. This prevents supply-chain attacks where a rogue organization could potentially take over a plugin or theme supply chain, effectively taking ownership of it.

Post-Install Steps

Once the plugin is installed, you'll need to perform the following steps:

  1. In the admin panel in the Authorship/Options section, generate a private/public key pair to be used for signing. Your private key needs to be encrypted with a password, so make sure to choose a strong one here during the key generation phase. This password is not stored anywhere on your install, so if you lose it you will no longer be able to sign your ZIP files, and will be forced to regenerate a new key (effectively making all other previously released ZIP files no longer valid).
  2. Juniper/Author communicates extensively with Github via their public-facing API, which is heavily rate-limited. To get around that, you need to create an access token to use in by your WordPress installation.
    • First, go to your Github page, and click your avatar in the corner. Choose "Settings", and navigate to the bottom to "Developer Settings"
    • Select "Personal Acccess Tokens", and then "Tokens (Classic)"
    • Click the dropdown to "Generate new token" and select "New Fine-grained personal access token"
    • Give your token a name just so you remember what it is, i.e. "Juniper Access Token"
    • Set the expiration to "No expiration"
    • Juniper/Author currently doesn't write to Github, so you can use the "Public Repositories (read-only)" setting for access
    • You don't need to add any other additional permissions, so click "Generate" when done
    • When you see your token, copy it and paste it into the Juniper/Author admin for the "Github Token" setting, and click Save
  3. Click the "Repositories" menu option under "Juniper" in the WordPress admin
  4. To import your repositories, click "Refresh" at the bottom. This process may take a little while, so don't worry too much if it takes up to 30 seconds or so
  5. Once done, you should see a list of all your repositories where Juniper/Author detected a valid WordPress plugin.
  6. To submit these plugins to the currently active Juniper/Server install at notwp.org, click Submit To Mirror. This will queue your site for additional the public mirror.

Code Signing

To facilitate code-signing, two things are required. The first is to use your private key and sign each of your release ZIP files. This can be accomplished via the WordPress admin via the Juniper side menu, under Repositories. From here you can enter your private key password and click the "Sign" button, which will iterate through all your ZIP files and sign them locally. At this point, all signed ZIP files will be served from your Juniper/Author install. Regular ZIP files can still be downloaded and processed as per normal, which means regular updates like Github Updater and Repo Man will still continue to work fine. The signed ZIP files will be used at a later stage when Juniper/Berry is completed.

Second, you need to add a particular header onto your main plugin file, "Authority". An example is below:

Stable: 1.0.2
Authority: https://plugins.duanestorey.com

The website listed for the Authority needs to be the website where Juniper/Author is installed, and it must be for a repository under control in the "Repositories" menu in Juniper.

Once the plugin is installed on a WordPress website, Juniper/Berry (when it's complete) will use the Authority information in the plugin header to determine where to retrieve the public key for future ZIP files for each release. Once it retrieves it, it will be used to verify that the ZIP file came from that Juniper/Author installation via that website, and also that the original hash/integrity of the ZIP file is maintained. If someone where to tamper with the ZIP file, or sign it with a different private key, both situations would fail the integrity check, and the new plugin would not be installed.

Early Alpha

This is a very early version, with several missing features. That said, it's at the point where it needs a few alpha/beta testers. So if you have a public-facing (not local) website that you want to use as your main server for your Github plugins, then please install Juniper/Author and provide some feedback via Github Issues. Currently Juniper/Author doesn't facilitate upgrades or the consumption of signed ZIP files, but this will be coming soon.

The following is a list of the most recent releases for this plugin.

  • 1.2.7 - Authority changes / Dec 29th, 2024
    SHA256 hash: 
    09eb40957cc3769a375037efeeb0eb82d17160b398f195f01e44cf9b202242ab
  • 1.2.6 - Autoupdater fix / Dec 29th, 2024
    SHA256 hash: 
    3a01c48e2b84083f1b2f51097b0ae5b4da6729e206c843398b5d61ce96379b23
  • 1.2.5 - New signing mechanism / Dec 29th, 2024
    SHA256 hash: 
    cfe47411efdc624726aeeec356f573b28628d9437a747fd8f15df5e60a70d8ee
  • 1.2.4 - Minor issues / Dec 28th, 2024
    SHA256 hash: 
    0ebb24abadb014960dcd61aa6e6e95c0ee8ebbb9f5bacf527dad1dea97cb1fe3
  • 1.2.3 - Fixing minor issue with first install / Dec 27th, 2024
    SHA256 hash: 
    61cdb5d7c7631095cf23a7d95b87a79625d24ab6658b0ff82420957694c9b4c5
  • 1.2.2 - Removing Forks / Dec 27th, 2024
    SHA256 hash: 
    484da88b5775d43b30fbebd7c0d3383c567704967b1af55ab9b58e14d7135985
  • 1.2.1 - Testing Auto Updater / Dec 27th, 2024
    SHA256 hash: 
    61b13fd5a42d6b49bcbe9547d723967289a84587770d289bccc8664b844c21c4
  • 1.2.0 - New update tester / Dec 27th, 2024
    SHA256 hash: 
    93df1d6f4ca8a24aba8c2c20f94a61c0e4db1d6d7fdb88dedd910fba3d8c48b9
  • 1.1.2 - Added Background Refresh / Dec 26th, 2024
    SHA256 hash: 
    970013dbe8b047daa6b8b1d9008f88054717ad2a489550ee67df44f990142e3a
  • 1.1.0 - Added issue tracking / Dec 24th, 2024
    SHA256 hash: 
    7b1818e4efb38c837f3479d499dc1137f45ad9caa21193a0664252e81241ddf5
  • 1.0.9 - API modifications / Dec 24th, 2024
    SHA256 hash: 
    95a24bc2c240643c4f9923af47553d2b4732742171d479c73d1672f15467f569
  • 1.0.8 - Changing banner image size / Dec 24th, 2024
    SHA256 hash: 
    fcc068e76f7f0d7847eda3a28ed644d8d666163268cbb44ec98a5d962f3658fc
  • 1.0.7 - Improved import + banner image / Dec 23rd, 2024
    SHA256 hash: 
    cd56a11f755e42b68308c11b8e3198289bca4d50f42d8244f5890fa3b596f295
  • 1.0.6 - Fixed branch issue on Github / Dec 23rd, 2024
    SHA256 hash: 
    dc5f05c60c213061b1c0c468d8eb4d23b3a44259f287506bb51f3832640609ac
  • 1.0.5 - Added Vendor Directory / Dec 23rd, 2024
    SHA256 hash: 
    e0431ed8146b298e28de34cfe7ca56a16fa0aa3439d5d7baf46fadd17680a716
  • 1.0.4 - Broken Updater / Dec 23rd, 2024
    SHA256 hash: 
    fa3fa25e3db81822d878f31a4d29d9d28790743da675506758e86bc27a8e9caf
  • 1.0.3 - Initial release / Dec 23rd, 2024
    SHA256 hash: 
    adb9eb8406687d1c34c53e1a75416c0997af7e08cc4d511e3cff60f85cd99956
  • 0.0.2 - Test / Dec 21st, 2024
    SHA256 hash: 
    02a581e7aae56631baf49c934388d685ed8175f7bd680ca4953787dc6c994173

Signing Authority

This plugin has designated a signing authority for all future ZIP file releases. That means in the near future, when you download a ZIP file, it will be verified cryptographically using information provided by the designated website, https://plugins.duanestorey.com.

If you are a plugin or theme author, this information is provided in the main Plugin of Theme file, using the Authority: header.

Hash Verification

ZIP files downloaded via this site have an associated SHA256 hash.

Mac

On Mac, you can use the sha256 command to calculate the hash of a downloaded ZIP file. Open terminal and execute:

sha256 [filename]

Where [filename] is the name of the ZIP file. If the hash matches the one on the website, the ZIP file is genuine.

Linux

On Linux, you can use the sha256sum command to calculate the hash of a downloaded ZIP file. From a shell, execute:

sha256sum [filename]

Where [filename] is the name of the ZIP file. If the hash matches the one on the website, the ZIP file is genuine.

Latest Release

The latest official release is below.

Authority changes

Dec 29th, 2024
Download 1.2.7
SHA-256 hash:
09eb40957cc3769a375037efeeb0eb82d17160b398f195f01e44cf9b202242ab

Github Repository

This project is located on Github in the repository duanestorey/juniper-author.

Star Support Project

Author

Crafted by Duane Storey
Follow @duanestorey Author image for Duane Storey