mirrors
/
nextcloud
mirror of https://github.com/nextcloud/server.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 1008 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
43884 Commits
414 Branches
Tree: 0a7ab6f66f
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '0a7ab6f66f'
${ noResults }
nextcloud/resources/codesigning/root.crt

root.crt 2.7KB
Raw Normal View History

Add code integrity check This PR implements the base foundation of the code signing and integrity check. In this PR implemented is the signing and verification logic, as well as commands to sign single apps or the core repository. Furthermore, there is a basic implementation to display problems with the code integrity on the update screen. Code signing basically happens the following way: - There is a ownCloud Root Certificate authority stored `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release :wink:). This certificate is not intended to be used for signing directly and only is used to sign new certificates. - Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`, apps need to be signed with a certificate that either has a CN of `core` (shipped apps!) or the AppID. - The command generates a signature.json file of the following format: ```json { "hashes": { "/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d", "/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9" }, "certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----", "signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl" } ``` `hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the certificate used for signing. It has to be issued by the ownCloud Root Authority and it's CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`. Steps to do in other PRs, this is already a quite huge one: - Add nag screen in case the code check fails to ensure that administrators are aware of this. - Add code verification also to OCC upgrade and unify display code more. - Add enforced code verification to apps shipped from the appstore with a level of "official" - Add enfocrced code verification to apps shipped from the appstore that were already signed in a previous release - Add some developer documentation on how devs can request their own certificate - Check when installing ownCloud - Add support for CRLs to allow revoking certificates **Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature: ``` ➜ master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt Successfully signed "core" ``` Then increase the version and you should see something like the following: ![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png) As you can see a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen. For packaging stable releases this requires the following additional steps as a last action before zipping: 1. Run `./occ integrity:sign-core` once 2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.
8 years ago
Use proper certificates Ports https://github.com/nextcloud/server/commit/bcf693539be82e872ba4d6cceb1f430a4bb841d9
8 years ago
Use intermediate root authority Danimo proposed to use an intermediate root authority for signing purposes which makes sense considering that we may also sign updates this way in the future. So this uses now an intermediate authority.
8 years ago
Use proper certificates Ports https://github.com/nextcloud/server/commit/bcf693539be82e872ba4d6cceb1f430a4bb841d9
8 years ago
Use newly generated certificate authority
8 years ago
 12345678910111213141516171819202122232425262728293031323334353637383940414243444546 
  1. -----BEGIN CERTIFICATE-----

  2. MIID1zCCAr+gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwejELMAkGA1UEBhMCREUx

  3. GzAZBgNVBAgMEkJhZGVuLVd1ZXJ0dGVtYmVyZzESMBAGA1UEBwwJU3R1dHRnYXJ0

  4. MRcwFQYDVQQKDA5OZXh0Y2xvdWQgR21iSDEhMB8GA1UEAwwYTmV4dGNsb3VkIFJv

  5. b3QgQXV0aG9yaXR5MB4XDTE2MDYxMjIxMDEwMloXDTQxMDYwNjIxMDEwMlowezEL

  6. MAkGA1UEBhMCREUxGzAZBgNVBAgMEkJhZGVuLVd1ZXJ0dGVtYmVyZzEXMBUGA1UE

  7. CgwOTmV4dGNsb3VkIEdtYkgxNjA0BgNVBAMMLU5leHRjbG91ZCBDb2RlIFNpZ25p

  8. bmcgSW50ZXJtZWRpYXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEP

  9. ADCCAQoCggEBAJzBOypRqAhXeTB3XawW7UzwCxoovpMa0bP8fPzjeMMdCdPlZIYX

  10. MshGHoQ4/VJyODOaq3H1AYRh20Kn/BKNAuVfRzcmY/7M5R09b0ts06l9tIVSbBeK

  11. 5krETjZtpt4crgukzQ6+8QhHE2DBdvPE7rds6EyBaiMRPNuGP1YrtGPQ+hYvajJL

  12. yH3mq609ZZYFVOK9FuSxw5e5YBFp9Z6dNeFjnmEsYytWOhaJ+zPfQaL9JjLwxEM+

  13. BJ1kpf/zblzL6FwUOeXP2+UJ5TAU4xh+9WsvFBR0b6iq77eYTl3eFM1QtaweCA23

  14. OmZZZahCNLmcPA2iMyPZDGZ1mSW+h7+pMJkCAwEAAaNmMGQwHQYDVR0OBBYEFG3q

  15. bqqpNyw8iS0XPv1G7sOeeO10MB8GA1UdIwQYMBaAFAQYAjwHzNjhemMwKilLlT4T

  16. vZHIMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3

  17. DQEBCwUAA4IBAQCWnDNA14Q+bw7X0S+riMjyTabtgF443eAQIvby9sU2cHtd7qua

  18. p/311+H7gB4F/CE+/CUxdtC5AgaW4vWRL8ge9+6jhYUjvmqdyV5wbBFrLmnqYS4h

  19. PnNWo5cjA7apA6SrIxnJAF8vNCeyEQgHD57VeIlK35S0GpqcouuCSQvCeSjKcojx

  20. 6t/NGHcetWucHAUymzOk11NMyYyEMJ/tfUwn3drqkb4jp4Tqu4ftZt/uioDX8Gc9

  21. Aw+IaEHKfNnh9R//Vqc06Bad04ycI6jK4cVUpC/6I6tzoY6GXwZRbESkKUyLitlX

  22. 3EnBONP0UzEZmCilIwYYfevWGT+NWnpkmey7

  23. -----END CERTIFICATE-----

  24. -----BEGIN CERTIFICATE-----

  25. MIID2jCCAsKgAwIBAgIJAKCc9xL4epmrMA0GCSqGSIb3DQEBCwUAMHoxCzAJBgNV

  26. BAYTAkRFMRswGQYDVQQIDBJCYWRlbi1XdWVydHRlbWJlcmcxEjAQBgNVBAcMCVN0

  27. dXR0Z2FydDEXMBUGA1UECgwOTmV4dGNsb3VkIEdtYkgxITAfBgNVBAMMGE5leHRj

  28. bG91ZCBSb290IEF1dGhvcml0eTAeFw0xNjA2MTIyMDU4MzVaFw00MTA2MDYyMDU4

  29. MzVaMHoxCzAJBgNVBAYTAkRFMRswGQYDVQQIDBJCYWRlbi1XdWVydHRlbWJlcmcx

  30. EjAQBgNVBAcMCVN0dXR0Z2FydDEXMBUGA1UECgwOTmV4dGNsb3VkIEdtYkgxITAf

  31. BgNVBAMMGE5leHRjbG91ZCBSb290IEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEB

  32. BQADggEPADCCAQoCggEBAJuTxu0LpRExcpYJwMxc5N+YbEe7WVPIsLtKUNCXMfkc

  33. aPlTpVydNi5zKQDpLQuHm5RE9u+L3sTck8yVj8DkgX9QfuRTbvg01paV+5ILY7Qn

  34. 47E8eHq6tf6MF0W20OxNRjcUCEoRA59AZV9FxkVGHniBx17Upk0BQXlZHViHZ9Ey

  35. 2Zhsw9ZetT0VCv9UGuN0Rr6T6fzgW84HoDWsesG7UwEpnct/hQf20w/iIhZspew7

  36. RAHJZTOYnNSaBUnyiCf58SaOyxvmdfseItjMuE1FBR6bTWkLQ/a/1xH2FCk0izm5

  37. 1foZF0Ya0fAzVHwBkOVZeIuswjvuqgp/TkB6W0i73aUCAwEAAaNjMGEwHQYDVR0O

  38. BBYEFAQYAjwHzNjhemMwKilLlT4TvZHIMB8GA1UdIwQYMBaAFAQYAjwHzNjhemMw

  39. KilLlT4TvZHIMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqG

  40. SIb3DQEBCwUAA4IBAQCBv40RAXMtMah61q6wYATw4q4cvIKLjKoyApHPHZhQnWwe

  41. VLv/D2a26A8VwDNQ1LGv4NzzIDcpWz+pk+rXMNnyjXwr0AtKM2Vg07yKqkZB9J1c

  42. duYm0j8FLdCHXIjRucgMA/wiwR4mB9PVGtQfCvUQl2Hfkiagkw31llGCXugQPsnh

  43. vhfMWxkdVFAnzDoATWe2SDuuyyd5Sl4/LKn8HEysusaYCMpPDP+seZGjA0ukZ3F+

  44. pO0PlAEb3OypRavz8iR8s+VbE0wdAX1mPByx8SU8Wkq76p4G261PvTrfYKnreU8z

  45. b47G5k8BAiPCtNze/Ihul6lpLK6yk+FRXcZCl1sg

  46. -----END CERTIFICATE-----