Add code integrity check

This PR implements the base foundation of the code signing and integrity check. In this PR implemented is the signing and verification logic, as well as commands to sign single apps or the core repository.

Furthermore, there is a basic implementation to display problems with the code integrity on the update screen.

Code signing basically happens the following way:

- There is a ownCloud Root Certificate authority stored `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release :wink:). This certificate is not intended to be used for signing directly and only is used to sign new certificates.
- Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`,  apps need to be signed with a certificate that either has a CN of `core` (shipped apps!)  or the AppID.
- The command generates a signature.json file of the following format:
```json
{
    "hashes": {
        "/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d",
        "/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9"
    },
    "certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----",
    "signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl"
}
```
`hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the  certificate used for signing. It has to be issued by the ownCloud Root Authority and it's CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`.

Steps to do in other PRs, this is already a quite huge one:
- Add nag screen in case the code check fails to ensure that administrators are aware of this.
- Add code verification also to OCC upgrade and unify display code more.
- Add enforced code verification to apps shipped from the appstore with a level of "official"
- Add enfocrced code verification to apps shipped from the appstore that were already signed in a previous release
- Add some developer documentation on how devs can request their own certificate
- Check when installing ownCloud
- Add support for CRLs to allow revoking certificates

**Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature:

```
➜  master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt
Successfully signed "core"
```

Then increase the version and you should see something like the following:

![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png)

As you can see a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen.

For packaging stable releases this requires the following additional steps as a last action before zipping:
1. Run `./occ integrity:sign-core` once
2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.

10 files changed, 802 insertions, 3 deletions

diff --git a/lib/private/integritycheck/checker.php b/lib/private/integritycheck/checker.php
new file mode 100644
index 00000000000..edfe6b082e7
--- /dev/null
+++ b/lib/private/integritycheck/checker.php
@@ -0,0 +1,449 @@
+<?php
+/**
+ * @author Lukas Reschke <lukas@owncloud.com>
+ *
+ * @copyright Copyright (c) 2015, ownCloud, Inc.
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+namespace OC\IntegrityCheck;
+
+use OC\IntegrityCheck\Exceptions\InvalidSignatureException;
+use OC\IntegrityCheck\Helpers\AppLocator;
+use OC\IntegrityCheck\Helpers\EnvironmentHelper;
+use OC\IntegrityCheck\Helpers\FileAccessHelper;
+use OC\Integritycheck\Iterator\ExcludeFileByNameFilterIterator;
+use OC\IntegrityCheck\Iterator\ExcludeFoldersByPathFilterIterator;
+use OCP\App\IAppManager;
+use OCP\ICache;
+use OCP\ICacheFactory;
+use OCP\IConfig;
+use phpseclib\Crypt\RSA;
+use phpseclib\File\X509;
+
+/**
+ * Class Checker handles the code signing using X.509 and RSA. ownCloud ships with
+ * a public root certificate certificate that allows to issue new certificates that
+ * will be trusted for signing code. The CN will be used to verify that a certificate
+ * given to a third-party developer may not be used for other applications. For
+ * example the author of the application "calendar" would only receive a certificate
+ * only valid for this application.
+ *
+ * @package OC\IntegrityCheck
+ */
+class Checker {
+	const CACHE_KEY = 'oc.integritycheck.checker';
+	/** @var EnvironmentHelper */
+	private $environmentHelper;
+	/** @var AppLocator */
+	private $appLocator;
+	/** @var FileAccessHelper */
+	private $fileAccessHelper;
+	/** @var IConfig */
+	private $config;
+	/** @var ICache */
+	private $cache;
+	/** @var IAppManager */
+	private $appManager;
+
+	/**
+	 * @param EnvironmentHelper $environmentHelper
+	 * @param FileAccessHelper $fileAccessHelper
+	 * @param AppLocator $appLocator
+	 * @param IConfig $config
+	 * @param ICacheFactory $cacheFactory
+	 * @param IAppManager $appManager
+	 */
+	public function __construct(EnvironmentHelper $environmentHelper,
+								FileAccessHelper $fileAccessHelper,
+								AppLocator $appLocator,
+								IConfig $config = null,
+								ICacheFactory $cacheFactory,
+								IAppManager $appManager = null) {
+		$this->environmentHelper = $environmentHelper;
+		$this->fileAccessHelper = $fileAccessHelper;
+		$this->appLocator = $appLocator;
+		$this->config = $config;
+		$this->cache = $cacheFactory->create(self::CACHE_KEY);
+		$this->appManager = $appManager;
+	}
+
+	/**
+	 * Enumerates all files belonging to the folder. Sensible defaults are excluded.
+	 *
+	 * @param string $folderToIterate
+	 * @return \RecursiveIteratorIterator
+	 */
+	private function getFolderIterator($folderToIterate) {
+		$dirItr = new \RecursiveDirectoryIterator(
+			$folderToIterate,
+			\RecursiveDirectoryIterator::SKIP_DOTS
+		);
+		$excludeGenericFilesIterator = new ExcludeFileByNameFilterIterator($dirItr);
+		$excludeFoldersIterator = new ExcludeFoldersByPathFilterIterator($excludeGenericFilesIterator);
+
+		return new \RecursiveIteratorIterator(
+			$excludeFoldersIterator,
+			\RecursiveIteratorIterator::SELF_FIRST
+		);
+	}
+
+	/**
+	 * Returns an array of ['filename' => 'SHA512-hash-of-file'] for all files found
+	 * in the iterator.
+	 *
+	 * @param \RecursiveIteratorIterator $iterator
+	 * @param string $path
+	 * @return array Array of hashes.
+	 */
+	private function generateHashes(\RecursiveIteratorIterator $iterator,
+									$path) {
+		$hashes = [];
+
+		$baseDirectoryLength = strlen($path);
+		foreach($iterator as $filename => $data) {
+			/** @var \DirectoryIterator $data */
+			if($data->isDir()) {
+				continue;
+			}
+
+			$relativeFileName = substr($filename, $baseDirectoryLength);
+
+			// Exclude signature.json files in the appinfo and root folder
+			if($relativeFileName === '/appinfo/signature.json') {
+				continue;
+			}
+			// Exclude signature.json files in the appinfo and core folder
+			if($relativeFileName === '/core/signature.json') {
+				continue;
+			}
+
+			$hashes[$relativeFileName] = hash_file('sha512', $filename);
+		}
+		return $hashes;
+	}
+
+	/**
+	 * Creates the signature data
+	 *
+	 * @param array $hashes
+	 * @param X509 $certificate
+	 * @param RSA $privateKey
+	 * @return string
+	 */
+	private function createSignatureData(array $hashes,
+										 X509 $certificate,
+										 RSA $privateKey) {
+		ksort($hashes);
+
+		$privateKey->setSignatureMode(RSA::SIGNATURE_PSS);
+		$privateKey->setMGFHash('sha512');
+		$signature = $privateKey->sign(json_encode($hashes));
+
+		return [
+				'hashes' => $hashes,
+				'signature' => base64_encode($signature),
+				'certificate' => $certificate->saveX509($certificate->currentCert),
+			];
+	}
+
+	/**
+	 * Write the signature of the specified app
+	 *
+	 * @param string $appId
+	 * @param X509 $certificate
+	 * @param RSA $privateKey
+	 * @throws \Exception
+	 */
+	public function writeAppSignature($appId,
+									  X509 $certificate,
+									  RSA $privateKey) {
+		$path = $this->appLocator->getAppPath($appId);
+		$iterator = $this->getFolderIterator($path);
+		$hashes = $this->generateHashes($iterator, $path);
+		$signature = $this->createSignatureData($hashes, $certificate, $privateKey);
+		$this->fileAccessHelper->file_put_contents(
+				$path . '/appinfo/signature.json',
+				json_encode($signature, JSON_PRETTY_PRINT)
+		);
+	}
+
+	/**
+	 * Write the signature of core
+	 *
+	 * @param X509 $certificate
+	 * @param RSA $rsa
+	 */
+	public function writeCoreSignature(X509 $certificate,
+									   RSA $rsa) {
+		$iterator = $this->getFolderIterator($this->environmentHelper->getServerRoot());
+		$hashes = $this->generateHashes($iterator, $this->environmentHelper->getServerRoot());
+		$signatureData = $this->createSignatureData($hashes, $certificate, $rsa);
+		$this->fileAccessHelper->file_put_contents(
+				$this->environmentHelper->getServerRoot() . '/core/signature.json',
+				json_encode($signatureData, JSON_PRETTY_PRINT)
+		);
+	}
+
+	/**
+	 * Verifies the signature for the specified path.
+	 *
+	 * @param string $signaturePath
+	 * @param string $basePath
+	 * @param string $certificateCN
+	 * @return array
+	 * @throws InvalidSignatureException
+	 * @throws \Exception
+	 */
+	private function verify($signaturePath, $basePath, $certificateCN) {
+		$signatureData = json_decode($this->fileAccessHelper->file_get_contents($signaturePath), true);
+		if(!is_array($signatureData)) {
+			throw new InvalidSignatureException('Signature data not found.');
+		}
+
+		$expectedHashes = $signatureData['hashes'];
+		ksort($expectedHashes);
+		$signature = base64_decode($signatureData['signature']);
+		$certificate = $signatureData['certificate'];
+
+		// Check if certificate is signed by ownCloud Root Authority
+		$x509 = new \phpseclib\File\X509();
+		$rootCertificatePublicKey = $this->fileAccessHelper->file_get_contents($this->environmentHelper->getServerRoot().'/resources/codesigning/root.crt');
+		$x509->loadCA($rootCertificatePublicKey);
+		$x509->loadX509($certificate);
+		if(!$x509->validateSignature()) {
+			throw new InvalidSignatureException('Certificate is not valid.');
+		}
+		// Verify if certificate has proper CN. "core" CN is always trusted.
+		if($x509->getDN(X509::DN_OPENSSL)['CN'] !== $certificateCN && $x509->getDN(X509::DN_OPENSSL)['CN'] !== 'core') {
+			throw new InvalidSignatureException(
+					sprintf('Certificate is not valid for required scope. (Requested: %s, current: %s)', $certificateCN, $x509->getDN(true))
+			);
+		}
+
+		// Check if the signature of the files is valid
+		$rsa = new \phpseclib\Crypt\RSA();
+		$rsa->loadKey($x509->currentCert['tbsCertificate']['subjectPublicKeyInfo']['subjectPublicKey']);
+		$rsa->setSignatureMode(RSA::SIGNATURE_PSS);
+		$rsa->setMGFHash('sha512');
+		if(!$rsa->verify(json_encode($expectedHashes), $signature)) {
+			throw new InvalidSignatureException('Signature could not get verified.');
+		}
+
+		// Compare the list of files which are not identical
+		$currentInstanceHashes = $this->generateHashes($this->getFolderIterator($basePath), $basePath);
+		$differencesA = array_diff($expectedHashes, $currentInstanceHashes);
+		$differencesB = array_diff($currentInstanceHashes, $expectedHashes);
+		$differences = array_unique(array_merge($differencesA, $differencesB));
+		$differenceArray = [];
+		foreach($differences as $filename => $hash) {
+			// Check if file should not exist in the new signature table
+			if(!array_key_exists($filename, $expectedHashes)) {
+				$differenceArray['EXTRA_FILE'][$filename]['expected'] = '';
+				$differenceArray['EXTRA_FILE'][$filename]['current'] = $hash;
+				continue;
+			}
+
+			// Check if file is missing
+			if(!array_key_exists($filename, $currentInstanceHashes)) {
+				$differenceArray['FILE_MISSING'][$filename]['expected'] = $expectedHashes[$filename];
+				$differenceArray['FILE_MISSING'][$filename]['current'] = '';
+				continue;
+			}
+
+			// Check if hash does mismatch
+			if($expectedHashes[$filename] !== $currentInstanceHashes[$filename]) {
+				$differenceArray['INVALID_HASH'][$filename]['expected'] = $expectedHashes[$filename];
+				$differenceArray['INVALID_HASH'][$filename]['current'] = $currentInstanceHashes[$filename];
+				continue;
+			}
+
+			// Should never happen.
+			throw new \Exception('Invalid behaviour in file hash comparison experienced. Please report this error to the developers.');
+		}
+
+		return $differenceArray;
+	}
+
+	/**
+	 * Whether the code integrity check has passed successful or not
+	 *
+	 * @return bool
+	 */
+	public function hasPassedCheck() {
+		$results = $this->getResults();
+		if(empty($results)) {
+			return true;
+		}
+
+		return false;
+	}
+
+	/**
+	 * @return array
+	 */
+	public function getResults() {
+		$cachedResults = $this->cache->get(self::CACHE_KEY);
+		if(!is_null($cachedResults)) {
+			return json_decode($cachedResults, true);
+		}
+
+		return json_decode($this->config->getAppValue('core', self::CACHE_KEY, '{}'), true);
+	}
+
+	/**
+	 * Stores the results in the app config as well as cache
+	 *
+	 * @param string $scope
+	 * @param array $result
+	 */
+	private function storeResults($scope, array $result) {
+		$resultArray = $this->getResults();
+		unset($resultArray[$scope]);
+		if(!empty($result)) {
+			$resultArray[$scope] = $result;
+		}
+		$this->config->setAppValue('core', self::CACHE_KEY, json_encode($resultArray));
+		$this->cache->set(self::CACHE_KEY, json_encode($resultArray));
+	}
+
+
+	/**
+	 * Verify the signature of $appId. Returns an array with the following content:
+	 * [
+	 * 	'FILE_MISSING' =>
+	 * 	[
+	 * 		'filename' => [
+	 * 			'expected' => 'expectedSHA512',
+	 * 			'current' => 'currentSHA512',
+	 * 		],
+	 * 	],
+	 * 	'EXTRA_FILE' =>
+	 * 	[
+	 * 		'filename' => [
+	 * 			'expected' => 'expectedSHA512',
+	 * 			'current' => 'currentSHA512',
+	 * 		],
+	 * 	],
+	 * 	'INVALID_HASH' =>
+	 * 	[
+	 * 		'filename' => [
+	 * 			'expected' => 'expectedSHA512',
+	 * 			'current' => 'currentSHA512',
+	 * 		],
+	 * 	],
+	 * ]
+	 *
+	 * Array may be empty in case no problems have been found.
+	 *
+	 * @param string $appId
+	 * @return array
+	 */
+	public function verifyAppSignature($appId) {
+		try {
+			$path = $this->appLocator->getAppPath($appId);
+			$result = $this->verify(
+					$path . '/appinfo/signature.json',
+					$path,
+					$appId
+			);
+		} catch (\Exception $e) {
+			$result = [
+					'EXCEPTION' => [
+							'class' => get_class($e),
+							'message' => $e->getMessage(),
+					],
+			];
+		}
+		$this->storeResults($appId, $result);
+
+		return $result;
+	}
+
+	/**
+	 * Verify the signature of core. Returns an array with the following content:
+	 * [
+	 * 	'FILE_MISSING' =>
+	 * 	[
+	 * 		'filename' => [
+	 * 			'expected' => 'expectedSHA512',
+	 * 			'current' => 'currentSHA512',
+	 * 		],
+	 * 	],
+	 * 	'EXTRA_FILE' =>
+	 * 	[
+	 * 		'filename' => [
+	 * 			'expected' => 'expectedSHA512',
+	 * 			'current' => 'currentSHA512',
+	 * 		],
+	 * 	],
+	 * 	'INVALID_HASH' =>
+	 * 	[
+	 * 		'filename' => [
+	 * 			'expected' => 'expectedSHA512',
+	 * 			'current' => 'currentSHA512',
+	 * 		],
+	 * 	],
+	 * ]
+	 *
+	 * Array may be empty in case no problems have been found.
+	 *
+	 * @return array
+	 */
+	public function verifyCoreSignature() {
+		try {
+			$result = $this->verify(
+					$this->environmentHelper->getServerRoot() . '/core/signature.json',
+					$this->environmentHelper->getServerRoot(),
+					'core'
+			);
+		} catch (\Exception $e) {
+			$result = [
+					'EXCEPTION' => [
+							'class' => get_class($e),
+							'message' => $e->getMessage(),
+					],
+			];
+		}
+		$this->storeResults('core', $result);
+
+		return $result;
+	}
+
+	/**
+	 * Verify the core code of the instance as well as all applicable applications
+	 * and store the results.
+	 */
+	public function runInstanceVerification() {
+		$this->verifyCoreSignature();
+		$appIds = $this->appLocator->getAllApps();
+		foreach($appIds as $appId) {
+			// If an application is shipped a valid signature is required
+			$isShipped = $this->appManager->isShipped($appId);
+			$appNeedsToBeChecked = false;
+			if ($isShipped) {
+				$appNeedsToBeChecked = true;
+			} elseif ($this->fileAccessHelper->file_exists($this->appLocator->getAppPath($appId) . '/appinfo/signature.json')) {
+				// Otherwise only if the application explicitly ships a signature.json file
+				$appNeedsToBeChecked = true;
+			}
+
+			if($appNeedsToBeChecked) {
+				$this->verifyAppSignature($appId);
+			}
+		}
+	}
+}
diff --git a/lib/private/integritycheck/exceptions/invalidsignatureexception.php b/lib/private/integritycheck/exceptions/invalidsignatureexception.php
new file mode 100644
index 00000000000..9e05e5884f5
--- /dev/null
+++ b/lib/private/integritycheck/exceptions/invalidsignatureexception.php
@@ -0,0 +1,30 @@
+<?php
+/**
+ * @author Lukas Reschke <lukas@owncloud.com>
+ *
+ * @copyright Copyright (c) 2015, ownCloud, Inc.
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+namespace OC\IntegrityCheck\Exceptions;
+
+/**
+ * Class InvalidSignatureException is thrown in case the signature of the hashes
+ * cannot be properly validated. This indicates that either files
+ *
+ * @package OC\IntegrityCheck\Exceptions
+ */
+class InvalidSignatureException extends \Exception {}
diff --git a/lib/private/integritycheck/helpers/applocator.php b/lib/private/integritycheck/helpers/applocator.php
new file mode 100644
index 00000000000..b732cb80893
--- /dev/null
+++ b/lib/private/integritycheck/helpers/applocator.php
@@ -0,0 +1,56 @@
+<?php
+/**
+ * @author Lukas Reschke <lukas@owncloud.com>
+ *
+ * @copyright Copyright (c) 2015, ownCloud, Inc.
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+namespace OC\IntegrityCheck\Helpers;
+
+/**
+ * Class AppLocator provides a non-static helper for OC_App::getPath($appId)
+ * it is not possible to use IAppManager at this point as IAppManager has a
+ * dependency on a running ownCloud.
+ *
+ * @package OC\IntegrityCheck\Helpers
+ */
+class AppLocator {
+	/**
+	 * Provides \OC_App::getAppPath($appId)
+	 *
+	 * @param string $appId
+	 * @return string
+	 * @throws \Exception If the app cannot be found
+	 */
+	public function getAppPath($appId) {
+		$path = \OC_App::getAppPath($appId);
+		if($path === false) {
+
+			throw new \Exception('App not found');
+		}
+		return $path;
+	}
+
+	/**
+	 * Providers \OC_App::getAllApps()
+	 *
+	 * @return array
+	 */
+	public function getAllApps() {
+		return \OC_App::getAllApps();
+	}
+}
diff --git a/lib/private/integritycheck/helpers/environmenthelper.php b/lib/private/integritycheck/helpers/environmenthelper.php
new file mode 100644
index 00000000000..d7747dbb966
--- /dev/null
+++ b/lib/private/integritycheck/helpers/environmenthelper.php
@@ -0,0 +1,39 @@
+<?php
+/**
+ * @author Lukas Reschke <lukas@owncloud.com>
+ *
+ * @copyright Copyright (c) 2015, ownCloud, Inc.
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+namespace OC\IntegrityCheck\Helpers;
+
+/**
+ * Class EnvironmentHelper provides a non-static helper for access to static
+ * variables such as \OC::$SERVERROOT.
+ *
+ * @package OC\IntegrityCheck\Helpers
+ */
+class EnvironmentHelper {
+	/**
+	 * Provides \OC::$SERVERROOT
+	 *
+	 * @return string
+	 */
+	public function getServerRoot() {
+		return \OC::$SERVERROOT;
+	}
+}
diff --git a/lib/private/integritycheck/helpers/fileaccesshelper.php b/lib/private/integritycheck/helpers/fileaccesshelper.php
new file mode 100644
index 00000000000..23f592122dc
--- /dev/null
+++ b/lib/private/integritycheck/helpers/fileaccesshelper.php
@@ -0,0 +1,61 @@
+<?php
+/**
+ * @author Lukas Reschke <lukas@owncloud.com>
+ *
+ * @copyright Copyright (c) 2015, ownCloud, Inc.
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+namespace OC\IntegrityCheck\Helpers;
+
+/**
+ * Class FileAccessHelper provides a helper around file_get_contents and
+ * file_put_contents
+ *
+ * @package OC\IntegrityCheck\Helpers
+ */
+class FileAccessHelper {
+	/**
+	 * Wrapper around file_get_contents($filename, $data)
+	 *
+	 * @param string $filename
+	 * @return string|false
+	 */
+	public function file_get_contents($filename) {
+		return file_get_contents($filename);
+	}
+
+	/**
+	 * Wrapper around file_exists($filename)
+	 *
+	 * @param string $filename
+	 * @return bool
+	 */
+	public function file_exists($filename) {
+		return file_exists($filename);
+	}
+
+	/**
+	 * Wrapper around file_put_contents($filename, $data)
+	 *
+	 * @param string $filename
+	 * @param $data
+	 * @return int|false
+	 */
+	public function file_put_contents($filename, $data) {
+		return file_put_contents($filename, $data);
+	}
+}
diff --git a/lib/private/integritycheck/iterator/excludefilebynamefilteriterator.php b/lib/private/integritycheck/iterator/excludefilebynamefilteriterator.php
new file mode 100644
index 00000000000..c75554a7cc9
--- /dev/null
+++ b/lib/private/integritycheck/iterator/excludefilebynamefilteriterator.php
@@ -0,0 +1,58 @@
+<?php
+/**
+ * @author Lukas Reschke <lukas@owncloud.com>
+ *
+ * @copyright Copyright (c) 2015, ownCloud, Inc.
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+namespace OC\IntegrityCheck\Iterator;
+
+/**
+ * Class ExcludeFileByNameFilterIterator provides a custom iterator which excludes
+ * entries with the specified file name from the file list.
+ *
+ * @package OC\Integritycheck\Iterator
+ */
+class ExcludeFileByNameFilterIterator extends \RecursiveFilterIterator {
+	/**
+	 * Array of excluded file names. Those are not scanned by the integrity checker.
+	 * This is used to exclude files which administrators could upload by mistakes
+	 * such as .DS_Store files.
+	 *
+	 * @var array
+	 */
+	private $excludedFilenames = [
+		'.DS_Store', // Mac OS X
+		'Thumbs.db', // Microsoft Windows
+		'.directory', // Dolphin (KDE)
+	];
+
+	/**
+	 * @return bool
+	 */
+	public function accept() {
+		if($this->isDir()) {
+			return true;
+		}
+
+		return !in_array(
+			$this->current()->getFilename(),
+			$this->excludedFilenames,
+			true
+		);
+	}
+}
diff --git a/lib/private/integritycheck/iterator/excludefoldersbypathfilteriterator.php b/lib/private/integritycheck/iterator/excludefoldersbypathfilteriterator.php
new file mode 100644
index 00000000000..43f19475862
--- /dev/null
+++ b/lib/private/integritycheck/iterator/excludefoldersbypathfilteriterator.php
@@ -0,0 +1,51 @@
+<?php
+/**
+ * @author Lukas Reschke <lukas@owncloud.com>
+ *
+ * @copyright Copyright (c) 2015, ownCloud, Inc.
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+namespace OC\IntegrityCheck\Iterator;
+
+class ExcludeFoldersByPathFilterIterator extends \RecursiveFilterIterator {
+	private $excludedFolders = [];
+
+	public function __construct(\RecursiveIterator $iterator) {
+		parent::__construct($iterator);
+
+		$appFolders = \OC::$APPSROOTS;
+		foreach($appFolders as $key => $appFolder) {
+			$appFolders[$key] = rtrim($appFolder['path'], '/');
+		}
+
+		$this->excludedFolders = array_merge([
+			rtrim(\OC::$server->getConfig()->getSystemValue('datadirectory', \OC::$SERVERROOT . '/data'), '/'),
+			rtrim(\OC::$SERVERROOT.'/themes', '/'),
+		], $appFolders);
+	}
+
+	/**
+	 * @return bool
+	 */
+	public function accept() {
+		return !in_array(
+			$this->current()->getPathName(),
+			$this->excludedFolders,
+			true
+		);
+	}
+}
diff --git a/lib/private/server.php b/lib/private/server.php
index de3324d2cce..fe0d9dcf55d 100644
--- a/lib/private/server.php
+++ b/lib/private/server.php
@@ -51,6 +51,10 @@ use OC\Files\Node\HookConnector;
 use OC\Files\Node\Root;
 use OC\Files\View;
 use OC\Http\Client\ClientService;
+use OC\IntegrityCheck\Checker;
+use OC\IntegrityCheck\Helpers\AppLocator;
+use OC\IntegrityCheck\Helpers\EnvironmentHelper;
+use OC\IntegrityCheck\Helpers\FileAccessHelper;
 use OC\Lock\DBLockingProvider;
 use OC\Lock\MemcacheLockingProvider;
 use OC\Lock\NoopLockingProvider;
@@ -409,6 +413,26 @@ class Server extends SimpleContainer implements IServerContainer {
 		$this->registerService('TrustedDomainHelper', function ($c) {
 			return new TrustedDomainHelper($this->getConfig());
 		});
+		$this->registerService('IntegrityCodeChecker', function (Server $c) {
+			// IConfig and IAppManager requires a working database. This code
+			// might however be called when ownCloud is not yet setup.
+			if(\OC::$server->getSystemConfig()->getValue('installed', false)) {
+				$config = $c->getConfig();
+				$appManager = $c->getAppManager();
+			} else {
+				$config = null;
+				$appManager = null;
+			}
+
+			return new Checker(
+					new EnvironmentHelper(),
+					new FileAccessHelper(),
+					new AppLocator(),
+					$config,
+					$c->getMemCacheFactory(),
+					$appManager
+			);
+		});
 		$this->registerService('Request', function ($c) {
 			if (isset($this['urlParams'])) {
 				$urlParams = $this['urlParams'];
@@ -1094,6 +1118,13 @@ class Server extends SimpleContainer implements IServerContainer {
 	}
 
 	/**
+	 * @return \OC\IntegrityCheck\Checker
+	 */
+	public function getIntegrityCodeChecker() {
+		return $this->query('IntegrityCodeChecker');
+	}
+
+	/**
 	 * @return \OC\Session\CryptoWrapper
 	 */
 	public function getSessionCryptoWrapper() {
diff --git a/lib/private/templatelayout.php b/lib/private/templatelayout.php
index f5974128b73..1a6a07ddc9f 100644
--- a/lib/private/templatelayout.php
+++ b/lib/private/templatelayout.php
@@ -78,8 +78,12 @@ class OC_TemplateLayout extends OC_Template {
 			// Update notification
 			if($this->config->getSystemValue('updatechecker', true) === true &&
 				OC_User::isAdminUser(OC_User::getUser())) {
-				$updater = new \OC\Updater(\OC::$server->getHTTPHelper(),
-					\OC::$server->getConfig(), \OC::$server->getLogger());
+				$updater = new \OC\Updater(
+						\OC::$server->getHTTPHelper(),
+						\OC::$server->getConfig(),
+						\OC::$server->getIntegrityCodeChecker(),
+						\OC::$server->getLogger()
+				);
 				$data = $updater->check();
 
 				if(isset($data['version']) && $data['version'] != '' and $data['version'] !== Array()) {
@@ -96,8 +100,13 @@ class OC_TemplateLayout extends OC_Template {
 				$this->assign('updateAvailable', false); // Update check is disabled
 			}
 
-			// Add navigation entry
+			// Code integrity notification
+			$integrityChecker = \OC::$server->getIntegrityCodeChecker();
+			if(!$integrityChecker->hasPassedCheck()) {
+				\OCP\Util::addScript('core', 'integritycheck-failed-notification');
+			}
 
+			// Add navigation entry
 			$this->assign( 'application', '');
 			$this->assign( 'appid', $appId );
 			$navigation = OC_App::getNavigation();
diff --git a/lib/private/updater.php b/lib/private/updater.php
index 1ff80863737..366ad2555a8 100644
--- a/lib/private/updater.php
+++ b/lib/private/updater.php
@@ -34,6 +34,8 @@
 namespace OC;
 
 use OC\Hooks\BasicEmitter;
+use OC\IntegrityCheck\Checker;
+use OC\IntegrityCheck\Storage;
 use OC_App;
 use OC_Installer;
 use OC_Util;
@@ -61,6 +63,9 @@ class Updater extends BasicEmitter {
 	/** @var IConfig */
 	private $config;
 
+	/** @var Checker */
+	private $checker;
+
 	/** @var bool */
 	private $simulateStepEnabled;
 
@@ -81,14 +86,17 @@ class Updater extends BasicEmitter {
 	/**
 	 * @param HTTPHelper $httpHelper
 	 * @param IConfig $config
+	 * @param Checker $checker
 	 * @param ILogger $log
 	 */
 	public function __construct(HTTPHelper $httpHelper,
 								IConfig $config,
+								Checker $checker,
 								ILogger $log = null) {
 		$this->httpHelper = $httpHelper;
 		$this->log = $log;
 		$this->config = $config;
+		$this->checker = $checker;
 		$this->simulateStepEnabled = true;
 		$this->updateStepEnabled = true;
 	}
@@ -335,6 +343,13 @@ class Updater extends BasicEmitter {
 			//Invalidate update feed
 			$this->config->setAppValue('core', 'lastupdatedat', 0);
 
+			// Check for code integrity on the stable channel
+			if(\OC_Util::getChannel() === 'stable') {
+				$this->emit('\OC\Updater', 'startCheckCodeIntegrity');
+				$this->checker->runInstanceVerification();
+				$this->emit('\OC\Updater', 'finishedCheckCodeIntegrity');
+			}
+
 			// only set the final version if everything went well
 			$this->config->setSystemValue('version', implode('.', \OC_Util::getVersion()));
 		}