Forum Replies Created

Viewing 4 replies - 1 through 4 (of 4 total)
    Thread Starter Akihiro Harai

    (@akihiroharai)

    I investigated this issue with my colleague and found it to be quite complicated.

    First, the release flow had an issue. It seems that version 2.4.2 was released following these steps:

    1. A commit was made to trunk. At this point, the vendor directory had not been deleted: https://plugins.trac.www.ads-software.com/changeset/3051669/facebook-auto-publish
    2. Since the readme.txt at step 1 listed Stable Tag: 2.4.2, the WordPress repository generated the checksums based on the contents of trunk.
    3. Then, a commit, which removed vendor, was made to tags/2.4.2: https://plugins.trac.www.ads-software.com/changeset/3051723/facebook-auto-publish
    4. When users (like us) download version 2.4.2, the contents of the zip are based on the contents of tags/2.4.2 created in step 3, while the vendor directory remains in the checksum.

    As a result, when running wp plugin verify-checksums, it throws an error because the vendor directory is missing. It seems that this issue cannot be avoided with the current version 2.4.2. In future updates, it may be necessary to take one of the following measures:

    Second, the design of the checksum feature itself has a problem. The plugin repository is created on top of SVN. Since SVN doesn’t have an immutable tag feature, modifying a release AFTER publishing is not technically forbidden, and that makes the checksum feature strange. The current implementation of wp plugin verify-checksums outputs an error when a missing file is found, but there’s a discussion that that error shouldn’t be output (https://meta.trac.www.ads-software.com/ticket/6275). The reason is that it is allowed to delete a file after release. That is, we cannot use the checksums as an integrity check. On the other hand, there are WordPress users and hosting services who currently use it as an integrity checker, just like us.
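    The release flow described above, as an added example that is not part of this thread or the plugin: a small Python model of the checksum generation and verification, where the manifest is built from a constructed "trunk" tree that still has vendor/ and then checked against the "tags/2.4.2" tree without it. The manifest shape (one md5/sha256 pair per file path) and the file contents are assumptions for illustration; the point is that a missing file and a modified file are reported as distinct outcomes, so a legitimately deleted vendor/ does not get mixed up with real tampering.

    ```python
    import hashlib
    from typing import Dict

    # Constructed stand-in for the plugin checkout: path -> file contents.
    # "trunk" still carries vendor/; the later tags/2.4.2 commit removed it.
    TRUNK = {
        "facebook-auto-publish.php": b"<?php // plugin bootstrap\n",
        "readme.txt": b"Stable tag: 2.4.2\n",
        "vendor/autoload.php": b"<?php // composer autoloader\n",
    }
    TAG_2_4_2 = {k: v for k, v in TRUNK.items() if not k.startswith("vendor/")}


    def build_manifest(tree: Dict[str, bytes]) -> Dict[str, Dict[str, str]]:
        """Mimic the repository's checksum generation: one md5/sha256 pair per file.

        Assumed shape of the plugin-checksums data ({path: {md5, sha256}});
        only the per-file digests matter for this example.
        """
        return {
            path: {"md5": hashlib.md5(data).hexdigest(),
                   "sha256": hashlib.sha256(data).hexdigest()}
            for path, data in tree.items()
        }


    def verify(manifest: Dict[str, Dict[str, str]], tree: Dict[str, bytes]) -> Dict[str, str]:
        """Compare an installed tree against the manifest.

        Returns path -> "ok" | "modified" | "missing" | "unexpected".
        "missing" is kept separate from "modified": a file deleted after
        release (vendor/) and a file whose contents changed are different risks.
        """
        result = {}
        for path, digests in manifest.items():
            if path not in tree:
                result[path] = "missing"
            elif hashlib.sha256(tree[path]).hexdigest() != digests["sha256"]:
                result[path] = "modified"
            else:
                result[path] = "ok"
        for path in tree:
            if path not in manifest:
                result[path] = "unexpected"  # present on disk, absent from manifest
        return result


    if __name__ == "__main__":
        manifest = build_manifest(TRUNK)  # step 2: checksums generated from trunk
        for path, status in sorted(verify(manifest, TAG_2_4_2).items()):
            print(f"{status:10} {path}")  # vendor/autoload.php -> missing
    ```
    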

    Thread Starter Akihiro Harai

    (@akihiroharai)

    The current version of the plugin, as published on www.ads-software.com, no longer includes the vendor directory, as we’ve switched to using wp_remote calls for the API.

    That’s right. And the issue here is that the checksums expect the vendor directory to exist. That’s what the output of wp plugin verify-checksums says. Did you change the content of version 2.4.2 AFTER its release?

    Thread Starter Akihiro Harai

    (@akihiroharai)

    In my company, we use wp plugin verify-checksums to detect tampering. Incorrect checksums hide REAL tampering. We would like you to release a new version with correct checksums.

    I have the same issue now.
