Enhance signature algorithm for code signatures #24727
Conversation
rullzer
requested review from
nickvergessen,
ChristophWurst and
juliushaertl
rullzer
force-pushed
the
enh/signature_alg
branch
from
17b1392
to
7253839
Compare
rullzer
added
3. to review
|
Setting to 22, otherwise already published apps will fail hard on install |
This comment has been minimized.
This comment has been minimized.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
But also check it if the new signatures are there Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Signed-off-by: Joas Schilling <coding@schilljs.com>
nickvergessen
force-pushed
the
enh/signature_alg
branch
from
73389ed
to
25df593
Compare
This comment has been minimized.
This comment has been minimized.
|
Conflicts and 22, setting back to developing |
nickvergessen
added
2. developing
This comment has been minimized.
This comment has been minimized.
|
|
||
| if ($forceHash && isset($signatureData['signatures'][$forceHash])) { | ||
| // Check the sha512 hash | ||
| $rsa->setHash($forceHash); |
There was a problem hiding this comment.
That scares me a bit because it could eventually lead to something like https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/, in which there is a null algorithm or something eventually.
Can we instead pass a version identifier (e.g. 2 == SHA512)?
| $minVersion = $this->infoParser->getMinVersion($path . '/appinfo/info.xml'); | ||
| $forceHash = null; | ||
| if ($minVersion >= 22) { | ||
| $forceHash = 'sha512'; |
There was a problem hiding this comment.
Can you elaborate the reason for the hardcoding here? :)
|
@LukasReschke do you want/can to take over? Or else we move for 23 :) |
|
-> 23. I feel it's a bit late for this change now. |
|
As there is no feedback since a while I will close this ticket. |
No description provided.