Juniper/Author
A WordPress plugin to manage plugin and theme ownership on various platforms, starting with Github.
How It Works
Juniper/Author is meant to be installed by plugin and theme authors who currently distribute or want to distribute their plugins and themes via Github.
It synchronizes your Github repositories to your public WordPress installation, which can then be used to cryptographically sign your ZIPs for distribution (coming soon). In addition, Juniper/Author provides a WordPress API endpoint for Juniper/Server, a distributed mirror system that does not rely on WordPress.org for finding and installing WordPress plugins and themes.
Installation
Juniper/Author can be installed as normal by downloading the plugin from Github and installing it in the WordPress admin. At some point in the near future, the Juniper/Berry installer will be complete which will allow only cryptographically signed ZIP files to be installed. Why is that important? When a ZIP file is signed and verified, it means it was generated by the author and not tampered with at any point. This prevents supply-chain attacks where a rogue organization could potentially take over a plugin or theme supply chain, effectively taking ownership of it.
Post-Install Steps
Once the plugin is installed, you'll need to perform the following steps:
- In the admin panel in the Authorship/Options section, generate a private/public key pair to be used for signing. Your private key needs to be encrypted with a password, so make sure to choose a strong one here during the key generation phase. This password is not stored anywhere on your install, so if you lose it you will no longer be able to sign your ZIP files, and will be forced to regenerate a new key (effectively making all other previously released ZIP files no longer valid).
- Juniper/Author communicates extensively with Github via their public-facing API, which is heavily rate-limited. To get around that, you need to create an access token to be used by your WordPress installation.
- First, go to your Github page and click your avatar in the corner. Choose "Settings", then scroll to the bottom to "Developer Settings"
- Select "Personal Access Tokens", and then "Tokens (Classic)"
- Click the dropdown to "Generate new token" and select "New Fine-grained personal access token"
- Give your token a name just so you remember what it is, i.e. "Juniper Access Token"
- Set the expiration to "No expiration"
- Juniper/Author currently doesn't write to Github, so you can use the "Public Repositories (read-only)" setting for access
- You don't need to add any other additional permissions, so click "Generate" when done
- When you see your token, copy it and paste it into the Juniper/Author admin for the "Github Token" setting, and click Save
- Click the "Repositories" menu option under "Juniper" in the WordPress admin
- To import your repositories, click "Refresh" at the bottom. This process may take a little while, so don't worry too much if it takes up to 30 seconds or so
- Once done, you should see a list of all your repositories where Juniper/Author detected a valid WordPress plugin.
- To submit these plugins to the currently active Juniper/Server install at notwp.org, click Submit To Mirror. This will queue your site for addition to the public mirror.
Code Signing
To facilitate code-signing, two things are required. The first is to use your private key and sign each of your release ZIP files. This can be accomplished via the WordPress admin via the Juniper side menu, under Repositories. From here you can enter your private key password and click the "Sign" button, which will iterate through all your ZIP files and sign them locally. At this point, all signed ZIP files will be served from your Juniper/Author install. Regular ZIP files can still be downloaded and processed as per normal, which means regular updates like Github Updater and Repo Man will still continue to work fine. The signed ZIP files will be used at a later stage when Juniper/Berry is completed.
Second, you need to add a particular header onto your main plugin file, "Authority". An example is below:
Stable: 1.0.2
Authority: https://plugins.duanestorey.com
The website listed as the Authority must be the website where Juniper/Author is installed, and it must correspond to a repository managed under the "Repositories" menu in Juniper.
Once the plugin is installed on a WordPress website, Juniper/Berry (when it's complete) will use the Authority information in the plugin header to determine where to retrieve the public key for future ZIP files for each release. Once it retrieves it, it will be used to verify that the ZIP file came from that Juniper/Author installation via that website, and also that the original hash/integrity of the ZIP file is maintained. If someone were to tamper with the ZIP file, or sign it with a different private key, both situations would fail the integrity check, and the new plugin would not be installed.
Early Alpha
This is a very early version, with several missing features. That said, it's at the point where it needs a few alpha/beta testers. So if you have a public-facing (not local) website that you want to use as your main server for your Github plugins, then please install Juniper/Author and provide some feedback via Github Issues. Currently Juniper/Author doesn't facilitate upgrades or the consumption of signed ZIP files, but this will be coming soon.
The following is a list of the most recent releases for this plugin.
- 1.2.1 - Testing Auto Updater
  Updated: New repo update method
  SHA256 hash: 61b13fd5a42d6b49bcbe9547d723967289a84587770d289bccc8664b844c21c4
- 1.2.0 - New update tester
  Test for a new updater based on Juniper/Berry
  SHA256 hash: 93df1d6f4ca8a24aba8c2c20f94a61c0e4db1d6d7fdb88dedd910fba3d8c48b9
- 1.1.2 - Added Background Refresh
  Added: Background refresh every 15 minutes of repository info
  Updated: Now includes user information in the JSON API to add user bios to main repository site
  SHA256 hash: 970013dbe8b047daa6b8b1d9008f88054717ad2a489550ee67df44f990142e3a
- 1.1.0 - Added issue tracking
  Added: Issue tracking for all managed repositories right in the admin
  SHA256 hash: 7b1818e4efb38c837f3479d499dc1137f45ad9caa21193a0664252e81241ddf5
- 1.0.9 - API modifications
  Modified download URLs for Github releases that don't have attached packages
  SHA256 hash: 95a24bc2c240643c4f9923af47553d2b4732742171d479c73d1672f15467f569
- 1.0.8 - Changing banner image size
  Changed: Banner image size is now 1200 x 800
  SHA256 hash: fcc068e76f7f0d7847eda3a28ed644d8d666163268cbb44ec98a5d962f3658fc
- 1.0.7 - Improved import + banner image
  Improved the importation of Github repositories
  Added the ability to set an organization-wide banner image
  SHA256 hash: cd56a11f755e42b68308c11b8e3198289bca4d50f42d8244f5890fa3b596f295
- 1.0.6 - Fixed branch issue on Github
  Only repositories with the branch 'main' were detected before; now the default branch is automatically determined and used
  SHA256 hash: dc5f05c60c213061b1c0c468d8eb4d23b3a44259f287506bb51f3832640609ac
- 1.0.5 - Added Vendor Directory
  Missing vendor directory from composer
  SHA256 hash: e0431ed8146b298e28de34cfe7ca56a16fa0aa3439d5d7baf46fadd17680a716
- 1.0.4 - Broken Updater
  Fixed broken Git updater, should be ready to alpha now
  SHA256 hash: fa3fa25e3db81822d878f31a4d29d9d28790743da675506758e86bc27a8e9caf
- 1.0.3 - Initial release
  This is the first release of Juniper/Author meant for alpha testing only. Expect occasional bugs and maybe even the odd crash.
  SHA256 hash: adb9eb8406687d1c34c53e1a75416c0997af7e08cc4d511e3cff60f85cd99956
- 0.0.2 - Test
  Test
  SHA256 hash: 02a581e7aae56631baf49c934388d685ed8175f7bd680ca4953787dc6c994173
The following is a list of the most recent issues for this plugin.
- Cannot access organization repos
Not sure how this works, because it behaves weird. At first I created a personal access token as instructed, but with that token I could only get my personal public repos. Then after enrolling my org for personal tokens I created a new one for that. But the plugin still pulls only my personal repos. At no single point did it pull organization repos.
- Can't create a key
I am getting this error: ``` 2024/12/24 09:34:52 [error] 1791278#1791278: *11240936 FastCGI sent in stderr: "PHP message: PHP Fatal error: Uncaught ValueError: DOMDocument::loadXML(): Argument #1 ($source) must not be empty in /var/www/plugins/wp-content/plugins/juniper-author/vendor/phpseclib/phpseclib/phpseclib/Crypt/EC/Formats/Keys/XML.php:144 Stack trace: #0 /var/www/plugins/wp-content/plugins/juniper-author/vendor/phpseclib/phpseclib/phpseclib/Crypt/EC/Formats/Keys/XML.php(144): DOMDocument->loadXML() #1 /var/www/plugins/wp-content/plugins/juniper-author/vendor/phpseclib/phpseclib/phpseclib/Crypt/EC/Formats/Keys/XML.php(74): phpseclib3\Crypt\EC\Formats\Keys\XML::isolateNamespace() #2 /var/www/plugins/wp-content/plugins/juniper-author/vendor/phpseclib/phpseclib/phpseclib/Crypt/Common/AsymmetricKey.php(150): phpseclib3\Crypt\EC\Formats\Keys\XML::load() #3 /var/www/plugins/wp-content/plugins/juniper-author/vendor/phpseclib/phpseclib/phpseclib/Crypt/PublicKeyLoader.php(39): phpseclib3\Crypt\Common\AsymmetricKey::load() #4 /var/www/plugins/wp-content/plugins/juniper-author/vendor/phpseclib/phpseclib/php" while reading response header from upstream, client: 93.139.156.194, server: plugins.nezn.am, request: "POST /wp-admin/admin-ajax.php HTTP/1.1", upstream: "fastcgi://unix:/run/php/php8.1-fpm.sock:", host: "plugins.nezn.am", referrer: "https://plugins.nezn.am/wp-admin/options-general.php?page=juniper" ``` WP: 6.7.1 PHP: 8.1
- Maybe add option to submit individual plugins/themes to mirror
Currently *Submit to Mirror* submits everything Juniper/Author has discovered. This may not be always desirable. So, an option to submit selected plugins/themes would be useful. This is of course a low priority at the current stage of development.
- Only one of my two public plugins on GitHub appears on the Author/Repositories screen
Hello there! Just installed Juniper/Author on a test site to see how it works and report any issues. The key pair was generated fine, and I also added a GitHub token. I was expecting two plugins to show up on the Author/Repositories screen, but only one does: https://github.com/demetris/omni-control (Does show up) https://github.com/demetris/omni-contact-form (Does **not** show up) Is there anything obvious in the second plugin that could be the reason for this?
Signing Authority
This plugin has designated a signing authority for all future ZIP file releases. That means in the near future, when you download a ZIP file, it will be verified cryptographically using information provided by the designated website, https://plugins.duanestorey.com.
If you are a plugin or theme author, this information is provided in the main Plugin or Theme file, using the Authority: header.
Hash Verification
ZIP files downloaded via this site have an associated SHA256 hash.
Mac
On Mac, you can use the sha256 command to calculate the hash of a downloaded ZIP file. Open Terminal and execute:
sha256 [filename]
Where [filename] is the name of the ZIP file. If the hash matches the one on the website, the ZIP file is genuine.
Linux
On Linux, you can use the sha256sum command to calculate the hash of a downloaded ZIP file. From a shell, execute:
sha256sum [filename]
Where [filename] is the name of the ZIP file. If the hash matches the one on the website, the ZIP file is genuine.
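The following Python is an added illustration of the two checks this page describes (the Authority header in the Code Signing section and the SHA256 hash above); it is not part of Juniper/Author or Juniper/Berry. It assumes a WordPress-style header block in the main plugin file and builds a constructed sample ZIP inline, so it runs offline.

```python
import hashlib
import hmac
import io
import re
import zipfile
from urllib.parse import urlparse

# "Authority" and "Stable" are the headers this page describes; "Plugin Name" is
# the standard WordPress header that marks the main plugin file inside the ZIP.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Stable|Authority):\s*(.+?)\s*$", re.M)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def hash_matches(data: bytes, published_hex: str) -> bool:
    """Compare the ZIP's SHA256 with the hash shown next to the release."""
    return hmac.compare_digest(sha256_hex(data), published_hex.strip().lower())

def read_plugin_headers(zip_bytes: bytes) -> dict:
    """Headers of the first .php entry that carries a 'Plugin Name:' header."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".php"):
                continue
            # WordPress reads only the first 8 KiB of a file when parsing headers.
            head = zf.read(name)[:8192].decode("utf-8", errors="replace")
            headers = dict(HEADER_RE.findall(head))
            if "Plugin Name" in headers:
                return headers
    return {}

def authority_is_acceptable(url: str) -> bool:
    """The Authority must be a plain https URL with a hostname, since the public
    key used to verify future ZIPs will be fetched from it."""
    p = urlparse(url)
    return p.scheme == "https" and bool(p.hostname) and p.username is None and not p.query

def build_sample_zip() -> bytes:
    """Constructed sample: a one-file plugin carrying the headers shown on this page."""
    main_php = ("<?php\n/**\n * Plugin Name: Example Plugin\n * Version: 1.0.2\n"
                " * Stable: 1.0.2\n * Authority: https://plugins.duanestorey.com\n */\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("example-plugin/readme.txt", "constructed sample readme\n")
        zf.writestr("example-plugin/example-plugin.php", main_php)
    return buf.getvalue()
```

For a real download, read the ZIP bytes from disk and pass the hash printed on the release page to hash_matches; a mismatch means the file is not the one the author published.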
Latest Release
The latest official release is below.
Testing Auto Updater
Download 1.2.1
SHA256 hash: 61b13fd5a42d6b49bcbe9547d723967289a84587770d289bccc8664b844c21c4
Github Repository
This project is located on Github in the repository duanestorey/juniper-author.