We use digital signatures to ensure the security and authenticity of communication between the Upgates platform and your add-on. 

What is a digital signature?

A digital signature is a way to verify that the data:

  • really came from you,
  • was not modified in any way,
  • is up-to-date and trustworthy.

We sign the data with a private key, and you can verify it with the public key using the OPENSSL_ALGO_SHA256 algorithm. You can find the signature in each request body under the key signature_v2.

When and what is signed?

Every important request sent to your add-on contains:

  • The request's own data (e.g. information about add-on activation),
  • The signature_v2 key with a digital signature.

Examples of signed events:

Additional information

Example of signature verification in PHP

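// Signed items joined with ";" in the order given by the endpoint's specification
$data = implode(";",[...]);
// Value of the signature_v2 key from the request body
$signature = 'a0e0a3e7689bd4c80e4d6ffcccb05235b864e1d0';
$signaturePublicKey = file_get_contents("https://files.upgates.com/addons/signature/api.signature.pub.key");
// openssl_verify() returns 1 for a valid signature, 0 for an invalid one, and -1 or false on error
$verify = openssl_verify($data, base64_decode($signature), $signaturePublicKey, OPENSSL_ALGO_SHA256);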

Recommendations for developers

  • Do not store the public key permanently. Load it from the official URL for each request.
  • Carefully follow the order and list of signed items - the specification can be found at each endpoint.
  • Always perform signature validation before processing the request.
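
The recommendations above combined into one check, as an added example that is not Upgates' own code: the request is rejected unless openssl_verify returns exactly 1, and the check is exercised with a throwaway key pair so it runs offline. The field names, their order and the sample values are hypothetical; the real list of signed items is in each endpoint's specification, and in production the public key is loaded from the official URL as shown above.

```php
<?php
declare(strict_types=1);

// Added example, not Upgates code. Field names and their order are hypothetical;
// take the real list of signed items from the specification of each endpoint.
const SIGNED_FIELDS = ['event', 'project', 'timestamp'];

/** Returns true only when signature_v2 matches the signed items of $body. */
function verifyRequest(array $body, string $publicKeyPem, array $fields = SIGNED_FIELDS): bool
{
    $sig = $body['signature_v2'] ?? null;
    if (!is_string($sig) || $sig === '') {
        return false;                       // unsigned request: reject
    }
    $raw = base64_decode($sig, true);       // strict mode rejects non-base64 input
    if ($raw === false) {
        return false;
    }
    $items = [];
    foreach ($fields as $name) {
        if (!isset($body[$name]) || !is_scalar($body[$name])) {
            return false;                   // a signed item is missing
        }
        $items[] = (string) $body[$name];
    }
    $data = implode(';', $items);           // same ";" join as in the page's example
    // openssl_verify() returns 1 (valid), 0 (invalid), -1 or false (error).
    // -1 is truthy in PHP, so compare strictly against 1.
    return openssl_verify($data, $raw, $publicKeyPem, OPENSSL_ALGO_SHA256) === 1;
}

// Constructed demo: a throwaway RSA key pair stands in for the platform's key.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pub = openssl_pkey_get_details($key)['key'];

// Constructed request body, signed the way the sender would sign it.
$body = ['event' => 'addon_activated', 'project' => 'demo-shop', 'timestamp' => '1700000000'];
openssl_sign(implode(';', $body), $rawSig, $key, OPENSSL_ALGO_SHA256);
$body['signature_v2'] = base64_encode($rawSig);

// Same signature, one signed item changed after signing.
$tampered = array_merge($body, ['project' => 'other-shop']);

var_dump(verifyRequest($body, $pub));       // untouched request
var_dump(verifyRequest($tampered, $pub));   // modified request
unset($body['signature_v2']);
var_dump(verifyRequest($body, $pub));       // request without a signature
```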