A while ago, someone observed, on slashdot.org, "If wordpress.org is hacked, again [wordpress.org], their one-click upgrade feature means instant ownage for all WordPress blogs everywhere." Someone responded to that by saying this:
Haven't they ever heard of signed patches?
Why can't they make the one-click upgrade verify a GPG signature before performing the installation of the code contained in the upgrade file?
My question is... why doesn't WordPress do this? Here's a class WordPress could use to do this:
The WordPress devs sign with their private (encrypted) key - a key that could only be obtained through having their own personal computer hacked - and WordPress then verifies that the release was signed with the private key with Crypt_RSA. To make it even harder for an attacker to get the private key, secret sharing could be employed.
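
The verify-before-install check described above, as an added example that is not part of the original post or of WordPress: it uses PHP's built-in OpenSSL extension in place of Crypt_RSA, and the function names, key pair and package bytes are constructed for the demo.

```php
<?php
// Added example: verify a detached RSA signature on an update package before
// installing it. Uses PHP's OpenSSL extension in place of Crypt_RSA.
// Function names, the key pair and the package bytes are constructed.

/**
 * Return true only if $signature is a valid RSA/SHA-256 signature over
 * $package under the pinned public key. Any error counts as failure.
 */
function update_signature_ok(string $package, string $signature, string $pinnedPublicKeyPem): bool
{
    $key = openssl_pkey_get_public($pinnedPublicKeyPem);
    if ($key === false) {
        return false;
    }
    // openssl_verify() returns 1 (valid), 0 (invalid) or -1/false (error).
    // Compare strictly with 1: a loose truthiness test would accept -1.
    return openssl_verify($package, $signature, $key, OPENSSL_ALGO_SHA256) === 1;
}

function install_update(string $package, string $signature, string $pinnedPublicKeyPem): string
{
    if (!update_signature_ok($package, $signature, $pinnedPublicKeyPem)) {
        return 'rejected: signature check failed, nothing installed';
    }
    // The real unpack/replace step would go here, operating on the exact
    // bytes that were verified (not a second download of the same URL).
    return 'installed';
}

// --- Demo with constructed data ---
// Release side (developer machine): the private key never leaves it.
$devKey = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
// The public half is what ships inside the installed software.
$pinnedPublicKeyPem = openssl_pkey_get_details($devKey)['key'];

$release = "constructed update archive bytes";
openssl_sign($release, $releaseSig, $devKey, OPENSSL_ALGO_SHA256);

// Blog side: a genuine download, then one altered on the download server.
echo install_update($release, $releaseSig, $pinnedPublicKeyPem), "\n";
echo install_update($release . "<?php /* altered */", $releaseSig, $pinnedPublicKeyPem), "\n";
```

The public key has to be pinned in the already-installed code; if it is fetched from the same server as the update, whoever controls that server can replace the key and the signature together.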