[Security] Credential & plugin trust — safe secret handling and plugin signature verification before dlopen #150
Reference in New Issue
Block a user
No description provided.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Trust boundaries for credentials and external code: safe eval_password spawning + passphrase zeroization, and a plugin signature/checksum trust model before dlopen.
Part of #144. Decision legend: M must-do, C could-do, W won't-do (this cycle); investigate = verify the problem is real / scope it before implementing.
Subtasks & findings
T13 — Secret handling (eval_password PATH; passphrase wipe)
Owner: Either · Decision: M / C · Effort: ~0.5–1d
Drop G_SPAWN_SEARCH_PATH; add explicit_bzero wipe helper.
account.c:149account.c:184-185; session.c:581,591; gpg.c:79,104,108T16 — Plugin trust model (verify before dlopen + doc)
Owner: Either · Decision: M / C · Effort: ~3–4d
Signature/checksum verify before dlopen, https+VERIFY, perms, trust-boundary doc.
cmd_funcs.c:7019; http_download.c:120-156; plugins.c:198-218; common.c:234-243no plugin/AI supply-chain trust-boundary docChecklist
T13 — Secret handling (eval_password PATH; passphrase wipe)
T16 — Plugin trust model (verify before dlopen + doc)