From version 5.2 onwards, when your WordPress site installs an automatic update it first checks the download response for an X-Content-Signature header. If the update server does not provide one, your site instead requests a companion signature file: the downloaded file's name with .sig appended (filenamehere.sig).

However it is delivered, the signature is an Ed25519 signature over the SHA-384 hash of the file's contents, not over the file itself. The signature is base64-encoded for safe transport. The signing keys used to release updates are managed by the WordPress.org core development team.

The verification key shipped with the initial release of WordPress 5.2 is fRPyrxb/MvVLbdsYi+OOEv4xc+Eqpsj+kkAS6gNOkI0= (it expires April 1, 2021). For the sake of specificity: signing key here means the Ed25519 secret key, which stays with the release team, while verification key means the Ed25519 public key, which ships inside WordPress itself.

With the necessary information in hand, your WordPress site will then verify that the signature is valid.

What this all means is that your WordPress installation uses a cryptographic signature, checked against a public key it already holds, to confirm that a downloaded core update really is the one published by the WordPress developers.

This is an extremely important development. Because the secret signing key is kept separately from the servers that hand out updates, an intruder who compromises the WordPress update servers (or intercepts the download in transit) can replace the archive but cannot produce a valid signature for it, so a fake update cannot trick your site into downloading and installing malware. That protection only becomes absolute once failed checks are enforced, which is covered below.

For now, signature verification covers only WordPress core updates, not plugin or theme updates; the same mechanism is planned for plugins and themes in future versions.

Because the feature is new, an invalid or missing signature currently soft-fails: the failure is recorded, but the update is still installed. In future releases this will change to a hard fail that blocks the update. The soft-fail period is meant to surface any problems while the system transitions to the safer mechanism, which also means that until hard-fail is enabled a bad signature is detected but not yet prevented from installing.
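The whole flow described on this page, as an added example in Go that is not WordPress's own PHP code: signature lookup (header first, then the .sig file), SHA-384 hashing, Ed25519 verification against a pinned trusted key with an expiry date, and the soft-fail/hard-fail policy from the paragraph above. The header name and the 5.2 verification key are the ones the page gives; the one-signature-per-line reading of the .sig file, the use of the raw SHA-384 digest bytes as the signed message, the expiry modelled as data rather than a source comment, the SignUpdate helper (a stand-in for the release tooling), and the key pair and archive bytes generated in main are this example's own assumptions and constructed inputs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// TrustedKey is an Ed25519 verification (public) key, base64-encoded as
// WordPress ships it, plus the date after which it must no longer be accepted.
// Storing the expiry as data is this example's choice (assumption).
type TrustedKey struct {
	Base64  string
	Expires time.Time
}

// WordPress52Key is the verification key quoted on the page for the initial
// 5.2 release, which expires April 1, 2021.
var WordPress52Key = TrustedKey{
	Base64:  "fRPyrxb/MvVLbdsYi+OOEv4xc+Eqpsj+kkAS6gNOkI0=",
	Expires: time.Date(2021, time.April, 1, 0, 0, 0, 0, time.UTC),
}

// SignaturesFor mirrors the lookup order on the page: the X-Content-Signature
// header wins; only when it is absent is the companion .sig file consulted,
// read here as one base64 signature per line (assumption).
func SignaturesFor(headers http.Header, sigFileBody string) []string {
	if vals := headers.Values("X-Content-Signature"); len(vals) > 0 {
		return vals
	}
	var sigs []string
	for _, line := range strings.Split(sigFileBody, "\n") {
		if line = strings.TrimSpace(line); line != "" {
			sigs = append(sigs, line)
		}
	}
	return sigs
}

// VerifyUpdate checks the archive against every candidate signature and every
// unexpired trusted key. The signed message is the raw SHA-384 digest of the
// file (raw bytes rather than hex is an assumption). Lengths are checked before
// anything reaches the verifier so malformed input is rejected, not panicked on.
func VerifyUpdate(contents []byte, signatures []string, keys []TrustedKey, now time.Time) (bool, error) {
	digest := sha512.Sum384(contents)
	var lastErr error = errors.New("no signature matched any trusted key")
	for _, sig := range signatures {
		sigRaw, err := base64.StdEncoding.DecodeString(sig)
		if err != nil || len(sigRaw) != ed25519.SignatureSize {
			lastErr = fmt.Errorf("malformed signature %q", sig)
			continue
		}
		for _, key := range keys {
			if !now.Before(key.Expires) {
				lastErr = fmt.Errorf("key %s... expired on %s", key.Base64[:8], key.Expires.Format("2006-01-02"))
				continue
			}
			keyRaw, err := base64.StdEncoding.DecodeString(key.Base64)
			if err != nil || len(keyRaw) != ed25519.PublicKeySize {
				continue
			}
			if ed25519.Verify(ed25519.PublicKey(keyRaw), digest[:], sigRaw) {
				return true, nil
			}
		}
	}
	return false, lastErr
}

// ShouldInstall applies the rollout policy: under soft-fail (the 5.2 default)
// a failed check is only logged and the update proceeds; under hard-fail it blocks.
func ShouldInstall(verified bool, softFail bool) bool {
	return verified || softFail
}

// SignUpdate is a constructed stand-in for the release-side tooling, which the
// page does not show: sign the SHA-384 digest and base64-encode the detached signature.
func SignUpdate(contents []byte, priv ed25519.PrivateKey) string {
	digest := sha512.Sum384(contents)
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, digest[:]))
}

func main() {
	// Constructed throw-away key pair standing in for the WordPress.org signing key.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	trusted := []TrustedKey{{Base64: base64.StdEncoding.EncodeToString(pub), Expires: time.Now().Add(24 * time.Hour)}}
	archive := []byte("PK\x03\x04 constructed stand-in for a core update archive") // constructed input
	now := time.Now()

	h := http.Header{}
	h.Set("X-Content-Signature", SignUpdate(archive, priv))
	ok, err := VerifyUpdate(archive, SignaturesFor(h, ""), trusted, now)
	fmt.Println("genuine archive, header signature:", ok, err)

	ok, err = VerifyUpdate(archive, SignaturesFor(http.Header{}, SignUpdate(archive, priv)+"\n"), trusted, now)
	fmt.Println("genuine archive, .sig file fallback:", ok, err)

	tampered := append([]byte{}, archive...)
	tampered[len(tampered)-1] ^= 0x01 // attacker swaps the archive but keeps the real signature
	ok, err = VerifyUpdate(tampered, SignaturesFor(h, ""), trusted, now)
	fmt.Println("tampered archive:", ok, err, "| install under soft-fail:", ShouldInstall(ok, true), "hard-fail:", ShouldInstall(ok, false))

	ok, err = VerifyUpdate(archive, SignaturesFor(h, ""), []TrustedKey{WordPress52Key}, time.Date(2021, time.April, 2, 0, 0, 0, 0, time.UTC))
	fmt.Println("real 5.2 key after its expiry:", ok, err)
}
```

The tampered-archive case is the one that matters for the compromised-server scenario: the genuine signature no longer matches the digest, so VerifyUpdate returns false, and whether the install still happens depends entirely on the soft-fail switch.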

As always, all WordPress sites hosted with DistroServer that are not on a version lock have been automatically updated to the latest version.