Call for action – Help us test Checksum Verification

We’ve been working on building a first usable implementation of the plugin checksum verification project. Now we need your help to test the current implementation.

Implementation Details

The WordPress.org infrastructure now calculates MD5 and SHA-256 checksums for all plugin files and stores them in a publicly accessible way. You can find a specification of the current endpoint to retrieve the checksums here.

The wp checksum plugin command we’ve built goes through some or all of the plugins installed on a machine, downloads the checksums for each plugin, and then verifies the downloaded checksums against freshly generated ones.

We now need help testing this command to make sure we weed out all edge cases and that its output serves all expected scripting requirements.

Right now, the output on STDOUT will provide you with a list of checksum mismatches or added/removed files. STDERR will contain warnings about skipped plugins. The exit code will be 0 if all compared checksums were valid, and 1 otherwise. Any feedback on whether that is a good approach, or on alternative approaches for the output, is welcome!
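The comparison and exit-code convention described above, as an added Python sketch; it is not the command's own code and does not call the WordPress.org endpoint. Assumptions: the manifest is a constructed {relative path: SHA-256} mapping built locally, the function names and the labels "added", "removed" and "mismatch" are hypothetical, and only SHA-256 is checked.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large plugin assets do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_plugin(plugin_dir: Path, expected: dict) -> tuple:
    """Compare files on disk with an expected {relative path: sha256} manifest."""
    on_disk = {p.relative_to(plugin_dir).as_posix(): p
               for p in plugin_dir.rglob("*") if p.is_file()}
    findings = []
    for rel in sorted(set(expected) | set(on_disk)):
        if rel not in on_disk:
            findings.append((rel, "removed"))   # listed upstream, gone locally
        elif rel not in expected:
            findings.append((rel, "added"))     # present locally, never shipped
        elif sha256_of(on_disk[rel]) != expected[rel].lower():
            findings.append((rel, "mismatch"))  # shipped file was modified
    # Same convention as the post: 0 when everything verified, 1 otherwise.
    return findings, (1 if findings else 0)


def demo() -> tuple:
    """Build a constructed plugin tree, tamper with it, and verify it twice."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "example-plugin"  # constructed plugin name
        (root / "inc").mkdir(parents=True)
        (root / "example-plugin.php").write_text("<?php // main file\n")
        (root / "inc" / "helper.php").write_text("<?php // helper\n")
        (root / "readme.txt").write_text("Example\n")
        # Constructed manifest standing in for the downloaded checksums.
        manifest = {p.relative_to(root).as_posix(): sha256_of(p)
                    for p in root.rglob("*") if p.is_file()}
        clean = verify_plugin(root, manifest)
        # Simulate the three conditions the command reports.
        (root / "inc" / "helper.php").write_text("<?php // modified\n")
        (root / "readme.txt").unlink()
        (root / "inc" / "extra.php").write_text("<?php // not in manifest\n")
        return clean, verify_plugin(root, manifest)
```

Iterating over the union of both path sets is what surfaces added files: a check that only walks the manifest would miss a file dropped into the plugin directory.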

Let us know as well when checksums are not found for a plugin that you would expect to be found in the official plugin repository. Note: Right now, only the checksums for the latest versions of every plugin have been calculated; older versions will be added later.

How To Test

The implemented command can be found in the plugin-checksums branch of the wp-cli/checksum-command repository.

You can easily install the version to test through the following command:

wp package install wp-cli/checksum-command:dev-plugin-checksums

To get back to the stable bundled command later on, just type the following command:

wp package uninstall wp-cli/checksum-command

The easiest way to run the test is to enter the root folder of an existing WordPress site and run the following command:

wp checksum plugin --all

The command supports several formats, like JSON or CSV, which you can generate through the --format=<format> parameter.

Note: the output will be most useful right now if all plugins are up-to-date (as older checksums have not been calculated yet), so you might want to run a wp plugin update --all against local sites you test. Obviously, don’t do this without backups on production sites.

Please report any feedback or issues you find in the GitHub issue tracker of the checksum command.