Signature system for plugins

[oSumAtrIX]

Why

Revenge has first-party support for plugins. Plugins can execute arbitrary code. A malicious actor can embed malware into the plugin.

Solution

Add a signature system to verify plugins. The author's signature must, and ours should accompany each plugin.
The author's signature is so the user can ensure the plugin was signed off by someone they trust. Our signature is needed so the user can verify that we trust the plugin and that it is secure.

How it works

The system checks the signatures and executes the plugin under the following conditions:

1. Both signatures are valid
2. Only the author's signature is present, and the user trusts the author

If no signature is present or any of the two is invalid, the likelihood of tampering with the plugin is high, and the plugin should not be executed. If the author's signature is present but is not trusted yet, the user must first agree to trust the author without our assurance. If our signature is present but the author's signature is missing or invalid, we made a mistake as we trusted a plugin that the author has not signed off on.

By default, the environment should configure the keys and revenge trusts. Our environment configures our keys. Another environment, such as a fork or a local environment, would configure its keys.

[PalmDevs]

Tasks left:

• Ability to trust/remember keys
• Ability to untrust keys
• UI to manage keys
  This would allow the user to trust/untrust keys, configure if plugins can auto-update when signed with a specific key, and if a specific key can be used to trust other keys using Certifications.
• Plugin source.zip hash check
  Hash can be saved in ExternalPluginMetadata