
Automatic Updates for Drupal

How we built a secure signing infrastructure


⚠️ Only works in some cases

Not compatible with Composer-based installations

That’s phase 2

(we’re looking for sponsors)


3 new APIs provided by Drupal.org

  • Public Service Announcements (PSA)
  • Release contents hashes
  • In-place-update generation

https://www.drupal.org/docs/8/update/automatic-updates#s-drupalorg-infrastructure


Will I need to update?

Public Service Announcement (PSA) feed


$ curl https://updates.drupal.org/psa.json

[]


$ curl https://updates.drupal.org/psa-this-is-only-a-test.json | json_pp
[
   {
      "link" : "https://www.drupal.org/psa-2019-05-07",
      "type" : "core",
      "is_psa" : "1",
      "project" : "drupal",
      "insecure" : [
         "4.7.0-beta3",
         "8.7.0",
         "8.7.4"
      ],
      "title" : "Drupal 7 and 8 release on May 8th, 2019 - PSA-2019-05-07",
      "pubDate" : "2019-09-20T22:09:16+00:00"
   },
   {
      "link" : "https://www.drupal.org/psa-2019-09-04",
      "type" : "module",
      "is_psa" : "1",
      "title" : "Various 3rd Party Vulnerabilities - PSA-2019-09-04",
      "pubDate" : "2019-09-12T21:35:55+00:00",
      "insecure" : [],
      "project" : "securitydrupalorg"
   }
]


Can I update?

Release contents hashes


$ curl -s https://updates.drupal.org/release-hashes/drupal/8.8.0/contents-sha256sums.csig
untrusted comment: verify with root.pub at https://drupal.org/keys/root.pub
RWQVj5RBijXj1eb5v30F/ByhTiIjD79Opszr+iYhMEezseQ6tHfk4q+PnLx6PkcjLX/4fBA5NozcvhIqvcNEkJBjQeJhIa2PSwM=
2020-04-06
untrusted comment: Intermediate generated Fri Feb 21 18:24:19 UTC 2020 public key
RWT4ngGZWW+U0LFbgsMxRxnYy9JfyqfZG+aXD772yDEEMkwMw+JduZq8
untrusted comment: verify with /etc/drupal-signing-oracle/intermediate.pub
RWT4ngGZWW+U0NO6ouu/HhxqQjOOCKM5b1gnPiII8KtWknTsbxomUYDGgPfxpDgy25fcTJkuIaHUAPzFk0jTe8KAlqDOl+YGcgA=
SHA256 (.csslintrc) = 854f3b28a1784fb3708eb1e23b149c3e4b17fbefc8e052d8d12a76dcc6ee850c
SHA256 (.editorconfig) = c33c5a53af1adcda475bfcb73dbf6fd6f84a5331e282a5fdf2701c8e250f34fc
SHA256 (.eslintignore) = a3c56de486f19f59151b3c040ac0ac08cbaa914d2ebe7b45acf1f9aa9c3ac317
SHA256 (.eslintrc.json) = 2fde8917f7d954158481a2f7c0c950c657616bbb6f966fdc2378aef953cb2390
SHA256 (.gitattributes) = a38957534785bccb216692b4fab83b54521e64a853b42e4fccb469b275f9156a
SHA256 (.ht.router.php) = 26e222711b21110c7cbaacfe4a7b3cee9d338e3e45d79f1fae1f7a7cf3225275
SHA256 (.htaccess) = 2d9cf0ccd5d826114a19b86c76c73c7839e741e9058ff3ab2e704a56445a990d
SHA256 (INSTALL.txt) = a4918d68ad52384f16b2e5b296e1c7a4d905d406d8b7ab40847fa79f4cc075f7
SHA256 (README.txt) = b4b1d3c6930f412587233a497c4e82eea4325d30cf7e88cc7d5803317279ce8f
SHA256 (autoload.php) = 62a0004e7bd15a89ae6b7e198590279745af66c8a0f252ae3bdc0581624537aa
SHA256 (composer.json) = ab68687fec0984d459a04d0c09698d91b2c63b0e8c634b9d1abeedf7ab148b0f
SHA256 (composer.lock) = 80ee8d4efdb099e2a18829f75fb75af0f950ecc6f940bb0f7d417a397c64033c
SHA256 (composer/Composer.php) = 726bfc0ebb4176529877f30402f1891d1838de254efe6efad47a6f9ef289cbfc
SHA256 (composer/Generator/Builder/DrupalCoreRecommendedBuilder.php) = f95e3ca2ba63ea6f9e368cea0ba497b8615a4bfd0b9f49db6c041307250f55b1
SHA256 (composer/Generator/Builder/DrupalDevDependenciesBuilder.php) = b270cd790d427c58bcf2af86314d729f3e3cfdbd32e5606ece514d9263b2e561
SHA256 (composer/Generator/Builder/DrupalPackageBuilder.php) = 79a7c5d36726d17a6ead5d36a4b48935c139024e1b3d830856e93ed9a4b7e9eb
SHA256 (composer/Generator/Builder/DrupalPinnedDevDependenciesBuilder.php) = 3e6154619105d59b25f379db25534b3ec82a848169399ed2cc5dfa4431fcfbac
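
The .csig output above chains two signify signatures: a root-signed header carrying a date and the intermediate public key, then an intermediate-signed list of SHA256 lines. As an added example (not code from the talk or from Drupal.org), this Python parser splits that layout, checks that the message signature names the embedded intermediate key and that the date has not passed, and matches a file against the list. Assumptions: the function names are hypothetical, the date line is treated as the last day the intermediate key is valid, the sample input is constructed with zero-filled keys, and the Ed25519 signatures themselves are not verified here.

```python
import base64, hashlib, re
from datetime import date

def blob(b64, body_len):
    """Decode a signify blob: 'Ed' tag, 8-byte key id, then key or signature."""
    raw = base64.b64decode(b64, validate=True)
    if raw[:2] != b"Ed" or len(raw) != 10 + body_len:
        raise ValueError("not a signify Ed25519 blob")
    return raw[2:10], raw[10:]

def parse_csig(text, today):
    """Structural checks only; the Ed25519 signatures still have to be
    verified with a signify implementation before the hashes are trusted."""
    lines = text.split("\n")
    if len(lines) < 8 or not all(lines[i].startswith("untrusted comment: ") for i in (0, 3, 5)):
        raise ValueError("not a chained signature")
    root_keyid, root_sig = blob(lines[1], 64)
    valid_through = date.fromisoformat(lines[2])   # assumption: last valid day
    inter_keyid, inter_pub = blob(lines[4], 32)
    msg_keyid, msg_sig = blob(lines[6], 64)
    if msg_keyid != inter_keyid:
        raise ValueError("message signature was not made by the embedded intermediate key")
    if today > valid_through:
        raise ValueError("intermediate key expired on " + lines[2])
    hashes = dict(re.findall(r"^SHA256 \((.+)\) = ([0-9a-f]{64})$", "\n".join(lines[7:]), re.M))
    return {"root_keyid": root_keyid, "valid_through": valid_through,
            "intermediate_pub": inter_pub, "hashes": hashes}

def file_matches(hashes, path, data):
    """True only if path is listed and its SHA-256 equals the listed value."""
    return hashes.get(path) == hashlib.sha256(data).hexdigest()

def sample_csig(root_id=b"ROOTKEY1", inter_id=b"INTERKY1", signer_id=b"INTERKY1"):
    """Constructed sample: zero-filled keys and signatures, not real Drupal data."""
    enc = lambda keyid, n: base64.b64encode(b"Ed" + keyid + bytes(n)).decode()
    return "\n".join([
        "untrusted comment: verify with root.pub", enc(root_id, 64), "2020-04-06",
        "untrusted comment: intermediate public key", enc(inter_id, 32),
        "untrusted comment: verify with intermediate.pub", enc(signer_id, 64),
        "SHA256 (README.txt) = " + hashlib.sha256(b"hello\n").hexdigest(), ""])

if __name__ == "__main__":
    parsed = parse_csig(sample_csig(), date(2020, 3, 1))
    print(parsed["valid_through"], file_matches(parsed["hashes"], "README.txt", b"hello\n"))
```
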


🔑


What is the update?

In-place-update generation


DELETION_MANIFEST.txt
files/composer.lock
files/core/misc/ajax.es6.js
files/core/misc/dialog/off-canvas.tabledrag.css
files/core/drupalci.yml
files/core/tests/Drupal/FunctionalTests/Core/Test/AssertLegacyTraitDeprecatedTest.php
files/core/tests/Drupal/FunctionalTests/Update/UpdatePathTestBase.php
files/core/tests/Drupal/FunctionalTests/BrowserTestBaseTest.php
files/core/tests/Drupal/FunctionalTests/AssertLegacyTrait.php
files/core/tests/Drupal/BuildTests/Composer/Template/ComposerProjectTemplatesTest.php
files/core/tests/Drupal/Tests/Core/Extension/modules/module_handler_test_all2/module_handler_test_all2.info.yml
files/core/tests/Drupal/Tests/Core/Extension/modules/module_handler_test_no_hook/module_handler_test_no_hook.info.yml
files/core/tests/Drupal/Tests/Core/Extension/modules/module_handler_test_added/module_handler_test_added.info.yml
files/core/tests/Drupal/Tests/Core/Extension/modules/module_handler_test_all1/module_handler_test_all1.info.yml
files/core/tests/Drupal/Tests/Core/Extension/modules/module_handler_test/module_handler_test.info.yml
files/core/tests/Drupal/Tests/Core/Asset/CssCollectionRendererUnitTest.php
files/core/tests/Drupal/Tests/Core/Access/AccessResultTest.php
files/core/tests/Drupal/Tests/Core/Template/AttributeHelperTest.php
files/core/tests/Drupal/Tests/Core/Template/AttributeTest.php
files/core/tests/Drupal/Tests/Core/Assert/AssertLegacyTraitTest.php
files/core/tests/Drupal/Tests/Core/Field/AllowedTagsXssTraitDeprecateTest.php
files/core/tests/Drupal/Tests/Core/DependencyInjection/YamlFileLoaderTest.php
files/core/tests/Drupal/Tests/BrowserTestBase.php
files/core/tests/Drupal/Tests/Component/Datetime/TimeTest.php
files/core/tests/Drupal/Tests/Component/Annotation/Doctrine/DocParserTest.php
files/core/tests/Drupal/Tests/UpdatePathTestTrait.php
files/core/tests/Drupal/KernelTests/Core/Database/SelectTest.php
files/core/tests/Drupal/KernelTests/Core/Database/DatabaseLegacyTest.php
files/core/tests/Drupal/KernelTests/Core/Entity/FieldSqlStorageTest.php
files/core/tests/Drupal/KernelTests/Core/Entity/FieldableEntityDefinitionUpdateTest.php
files/core/tests/Drupal/KernelTests/KernelTestBase.php
files/core/tests/bootstrap.php
files/core/tests/fixtures/test_stable/test_stable.info.yml
files/core/includes/bootstrap.inc


https://www.drupal.org/in-place-updates/drupal/drupal-8.8.2-to-8.8.3.zip


Thanks!

drupal.org/project/automatic_updates