authorLukas Reschke <lukas@statuscode.ch>2016-06-13 00:21:45 +0200
committerGitHub <noreply@github.com>2016-06-13 00:21:45 +0200
commit4fcc8c9140ea66030001496caf515bb88e85969a (patch)
treee01bab8644d2375c79dc8edaf076a6d25b7514cf /lib
parent145954d3605f73324e497a5ad5d42f67c3506d96 (diff)
parentbcf693539be82e872ba4d6cceb1f430a4bb841d9 (diff)
Merge pull request #69 from nextcloud/add-owncloud-root-ca
[stable9] Add ownCloud root CA
Diffstat (limited to 'lib')
-rw-r--r--lib/private/integritycheck/checker.php11
1 files changed, 9 insertions, 2 deletions
diff --git a/lib/private/integritycheck/checker.php b/lib/private/integritycheck/checker.php
index b991f66e22e..3669c50ed30 100644
--- a/lib/private/integritycheck/checker.php
+++ b/lib/private/integritycheck/checker.php
@@ -318,13 +318,20 @@ class Checker {
$signature = base64_decode($signatureData['signature']);
$certificate = $signatureData['certificate'];
- // Check if certificate is signed by ownCloud Root Authority
+ // Check if certificate is signed by Nextcloud Root Authority
$x509 = new \phpseclib\File\X509();
$rootCertificatePublicKey = $this->fileAccessHelper->file_get_contents($this->environmentHelper->getServerRoot().'/resources/codesigning/root.crt');
$x509->loadCA($rootCertificatePublicKey);
$x509->loadX509($certificate);
if(!$x509->validateSignature()) {
- throw new InvalidSignatureException('Certificate is not valid.');
+ // FIXME: Once Nextcloud has it's own appstore we should remove the ownCloud Root Authority from here
+ $x509 = new \phpseclib\File\X509();
+ $rootCertificatePublicKey = $this->fileAccessHelper->file_get_contents($this->environmentHelper->getServerRoot().'/resources/codesigning/owncloud.crt');
+ $x509->loadCA($rootCertificatePublicKey);
+ $x509->loadX509($certificate);
+ if(!$x509->validateSignature()) {
+ throw new InvalidSignatureException('Certificate is not valid.');
+ }
}
// Verify if certificate has proper CN. "core" CN is always trusted.
if($x509->getDN(X509::DN_OPENSSL)['CN'] !== $certificateCN && $x509->getDN(X509::DN_OPENSSL)['CN'] !== 'core') {
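Review bot: The fallback to `owncloud.crt` makes the ownCloud root a full second trust anchor, and the CN check on the last line of the hunk still treats a `core` CN as always trusted, so a certificate issued under the ownCloud root with CN `core` would be accepted for any scope this method verifies. The FIXME suggests the fallback is meant only for apps from the ownCloud appstore, so the code should record which root validated the chain and refuse `core` on the fallback path. For example, set `$viaFallbackRoot = true;` inside the fallback branch and add `if($viaFallbackRoot && $x509->getDN(X509::DN_OPENSSL)['CN'] === 'core') { throw new InvalidSignatureException('Certificate is not valid.'); }` before the CN comparison. If this method is also called with `$certificateCN` set to `core`, the fallback should be skipped entirely in that case. The enclosing method starts and ends outside the hunk, so callers and any revocation handling are not visible here.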