
Plugin Signing

If you have gone through the process of publishing a plugin to our store, you had to create keys to sign your plugin. This ensures that your build process outputs a valid signature on each release. You can see that signature by looking at the attached files of a given release: they include a .sig file.

[Image: Plugin package signature]

Why signing

The digital signatures are built using public-key cryptography. This means that a private key is used to generate the signature and a public key is used to verify it. That allows users to authenticate the provenance of a given plugin.

In fact, Caido does that automatically when a user downloads a plugin from the store. We use the public key set in the store's plugin_packages.json to verify the signature of that particular plugin release. If the signature is valid, then we have a higher level of confidence that the plugin is genuine and we proceed with the installation.

Obviously this is not a perfect heuristic, since a plugin author could go rogue or could disclose their private key by accident, but it is a layer of defense to prevent malicious plugins from getting into the store.

Supported keys

Caido uses Edwards-curve Digital Signature Algorithm (EdDSA) with the Ed25519 scheme. We use this scheme throughout the Caido ecosystem.

INFO

We do NOT support any other digital signature scheme. If you try to use another, the signatures will be rejected by Caido.

Best practices

Here are the best practices to consider as a plugin developer:

  • Use one key pair per plugin; that reduces the impact if a key is leaked.
  • Store the private key in a secure location; we recommend GitHub Actions Secrets.
  • Always encrypt your private key and don't leave it as plain text on your computer; think of it as a password.

WARNING

If you accept contributions on your GitHub repository, make sure you are careful around changes to the GitHub Actions workflows, as those could leak your key. See GitHub's tips on the subject.