Certificate is not valid #4852

Closed
pbek opened this issue May 13, 2017 · 5 comments

@pbek
Member

pbek commented May 13, 2017

Hello my friends at NC. 😸

Steps to reproduce

  1. install NC 12 from git master branch
  2. install ownbackup (or qownnotesapi) from NC app store
  3. execute php occ integrity:check-app ownbackup

Expected behaviour

No error should be thrown. :)

Actual behaviour

  - EXCEPTION:
    - class: OC\IntegrityCheck\Exceptions\InvalidSignatureException
    - message: Certificate is not valid.

If you repeat the same test with NC 11, no error will be shown.

I got the certificate for signing the app with occ integrity:sign-app from ownCloud back in the days where NC was not "born" and I still need that certificate for signing the app for ownCloud. I think it is not very desirable to maintain two different releases of an app for oC and NC because of a certificate.

Was it really necessary to disallow the oC certificate in 5a6e29e (if that was the point when it happened)?

Happy weekend and kind regards from Graz.

pbek referenced this issue May 13, 2017
Signed-off-by: Joas Schilling <coding@schilljs.com>
@MorrisJobke
Member

cc @LukasReschke

@LukasReschke
Member

For security reasons, we had to stop shipping another root authority not under our control. If you want to use the OCC code signing tool you need to either use the Nextcloud issued certificate or none at all. (updates from the Nextcloud app store are protected using a more secure approach than the integrity checker, we check the whole TAR file)

Sorry that I don't have better news here. The easiest would probably be to have two bundles, one with a code integrity check file in /appinfo/signatures.json and one without a code integrity check file.

@pbek
Member Author

pbek commented May 15, 2017

@LukasReschke, so in future all app developers have to maintain a release with an /appinfo/signatures.json, that was signed by ownCloud and a 2nd release without /appinfo/signatures.json for Nextcloud. Is that correct? That also means installs from git directly will not work any more...

When I remove the /appinfo/signatures.json and execute php occ integrity:check-app ownbackup I get:

  - EXCEPTION:
    - class: OC\IntegrityCheck\Exceptions\InvalidSignatureException
    - message: Signature data not found.

@pbek
Member Author

pbek commented May 15, 2017

...or is the integrity check not mandatory in NC 12 when the app was downloaded from the NC store?

@pbek
Member Author

pbek commented May 17, 2017

ping @LukasReschke
