fix: sign app via occ integrity:sign-app instead of PHP openssl_sign #2
Merged
Conversation
PHP's openssl_sign() only emits PKCS#1 v1.5 signatures, but Nextcloud's integrity check requires RSA-PSS / SHA-512 / MGF1-SHA-512 / saltLen=0. The previous CI step therefore shipped every release with a signature that fails verification, causing a silent "Signature could not get verified" warning in the admin overview for any installed app. Switch to the canonical signing path: spin up nextcloud:32-apache in a container, run `occ integrity:sign-app` with the project key and cert, and pull the resulting signature.json back into the tarball before repackaging. Add a separate verify step that installs the freshly signed tarball into a clean Nextcloud and runs `occ integrity:check-app`. Any non-empty output fails the build, so we never silently ship a bad signature again.
Closed
Why

Every release shipped so far (v1.0.0 and v1.1.0) has an invalid appinfo/signature.json:

- openssl_sign() only produces RSA PKCS#1 v1.5 signatures.
- lib/private/IntegrityCheck/Checker.php).

The current "Sign app" step in this workflow uses openssl_sign(...) with no padding option, so the signature it produces never passes NC's check. The failure is silent on the publishing side (openssl_sign returns true, the tarball is generated, the App Store accepts it), and only shows up at runtime as a generic "InvalidSignatureException: Signature could not get verified." in the admin overview of installed instances. That's what #1 was actually about — the version-gate hypothesis turned out to be a red herring once the bug was reproduced on a NC 33 sandbox.

What changes

- nextcloud:32-apache as a sidecar, copy the unpacked app + key + cert into it, drive occ integrity:sign-app, copy the resulting appinfo/signature.json back out, repackage. occ integrity:sign-app is Nextcloud's own tool and emits the correct PSS signature.
- occ integrity:check-app. If the output is non-empty (any error), the workflow fails. This closes the silent-failure mode that let two releases ship broken.

Test plan

- nextcloud:33-apache container: occ integrity:sign-app produces a signature.json that occ integrity:check-app accepts (exit 0, empty output).
- openssl dgst -verify: both verify under PKCS#1 SHA-512, both fail under PSS — confirming the bug exists in published artifacts.
- release.yml should pick up this as fix: and bump to v1.1.1 automatically; the new appstore-publish run should produce a valid signature and pass the new verify step.
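The sign-then-verify flow described in this PR, written out as an added shell example (not the project's own release.yml): sign in a nextcloud:32-apache sidecar, copy signature.json back, then fail the build unless `occ integrity:check-app` in a clean install prints nothing. It assumes docker is available, that the image's occ can sign before the web installer has run, and the app id, app directory, key and cert paths passed as arguments.

```shell
#!/bin/sh
# Added example (not this project's release.yml): sign an unpacked Nextcloud
# app with `occ integrity:sign-app` in a nextcloud:32-apache container, then
# verify it with `occ integrity:check-app` in a freshly installed one. Assumes
# docker, that occ can sign before the web installer has run, and these args:
#   sign_app myapp build/myapp app.key app.crt && verify_app myapp build/myapp
set -eu
IMAGE="${NC_IMAGE:-nextcloud:32-apache}"
NC_ROOT=/var/www/html

# Gate for the verify step: accept only when `integrity:check-app` printed
# nothing at all (whitespace ignored); any message means a bad signature.
check_output_ok() {
  [ -z "$(printf '%s' "${1:-}" | tr -d '[:space:]')" ]
}

# Start a container and wait for the entrypoint to unpack occ; prints its id.
start_nc() {
  cid=$(docker run -d "$IMAGE")
  until docker exec "$cid" test -f "$NC_ROOT/occ"; do sleep 2; done
  echo "$cid"
}

# sign_app APP_ID APP_DIR KEY CERT: sign in a throwaway container and copy the
# resulting appinfo/signature.json back into APP_DIR.
sign_app() {
  app="$1"; dir="$2"; cid=$(start_nc)
  docker cp "$dir/." "$cid:$NC_ROOT/apps/$app"
  docker cp "$3" "$cid:/tmp/app.key"; docker cp "$4" "$cid:/tmp/app.crt"
  docker exec "$cid" chown -R www-data:www-data "$NC_ROOT/apps/$app"
  docker exec -u www-data "$cid" php occ integrity:sign-app \
    --path="$NC_ROOT/apps/$app" --privateKey=/tmp/app.key \
    --certificate=/tmp/app.crt
  docker cp "$cid:$NC_ROOT/apps/$app/appinfo/signature.json" \
    "$dir/appinfo/signature.json"
  docker rm -f "$cid" >/dev/null
}

# verify_app APP_ID APP_DIR: install a clean sqlite-backed Nextcloud, copy the
# signed app in and fail unless check-app is completely silent.
verify_app() {
  app="$1"; dir="$2"; cid=$(start_nc)
  docker exec -u www-data "$cid" php occ maintenance:install --database sqlite \
    --admin-user admin --admin-pass throwaway-container-only >/dev/null
  docker cp "$dir/." "$cid:$NC_ROOT/apps/$app"
  out=$(docker exec -u www-data "$cid" php occ integrity:check-app \
    --path="$NC_ROOT/apps/$app" "$app" 2>&1 || true)
  docker rm -f "$cid" >/dev/null
  check_output_ok "$out" || { printf 'check-app reported:\n%s\n' "$out" >&2; return 1; }
}
```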