Add support for Signed Add-ons

K

Kirby

Well-known member
Most likely ending up Lack of interest, but anyway:

Currently an admin with permission to manage Add-ons could install just about anything.

To improve security when managing Add-ons it would be nice if XenForo had support for digitally signed Add-ons.

This would allow to configure (by a super admin or via config.php) trusted public developer keys / certificates so only Add-ons signed by those keys / certificates could be installed.
 
Upvote 0
Who would verify that the add-ons using those keys/certificates can be trusted?

An admin can do a lot more damage than installing a dodgy add-on if they have the relevant permissions.

This just seems like something which should be managed in house amongst the site staff.
 
Paul B said:
Who would verify that the add-ons using those keys/certificates can be trusted?
Click to expand...
The key / certificate would verify that the uploaded file xfmg_2.2.4_domain.tld_LICENSEKEY_full.zip is a genuine XFMG and not smth. fishy (yes, there is hashes.json, but that could be manipulated).

Of course it wouldn't verify that this Add-on doesn't do anything (potentially) harmful.

Paul B said:
An admin can do a lot more damage than installing a dodgy add-on if they have the relevant permissions.
Click to expand...
I don't disagree, but it would tighten capabilities (to shoot yourself in the foot) a bit more.
 

Similar threads

K
  • Suggestion Suggestion
Implemented Install Add-on ZIP via CLI
Replies
2
Views
590
Kirby
K
K
  • Suggestion Suggestion
Add support for automated CFBL management
Replies
1
Views
207
markku
markku
K
  • Suggestion Suggestion
Lack of interest Add country / region data
Replies
0
Views
355
Kirby
K
Mouth
  • Suggestion Suggestion
Lack of interest Include Developer field within ACP Add-Ons filtering
Replies
0
Views
378
Mouth
Mouth
S
Add-on Which event manger/calendar for my needs?
Replies
16
Views
1K
FTL
FTL
Top Bottom