Episode 40: WordPress Considers Ditching Signed Core Updates




Think Like a Hacker with Wordfence show

Summary: WordPress core developers recently discussed removing support for code signing, which was added to WordPress core in the WordPress 5.2 release. The discussion suggested relying on SSL verification and hashes to verify code integrity instead. We chat about the history behind the vulnerability found by Wordfence's Matt Barry, which motivated the addition of code signing. We also review several supply chain attacks and discuss how SSL and hashes wouldn't protect against a sophisticated attack on WordPress core servers.