Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enhance signature algorithm for code signatures #24727

Closed
wants to merge 5 commits into from
Closed

Enhance signature algorithm for code signatures #24727

wants to merge 5 commits into from

Conversation

rullzer
Copy link
Member

@rullzer rullzer commented Dec 16, 2020

No description provided.

@rullzer rullzer added this to the Nextcloud 21 milestone Dec 16, 2020
This was referenced Dec 18, 2020
Merged
Merged
This was referenced Dec 28, 2020
Merged
Merged
@rullzer rullzer added 3. to review Waiting for reviews and removed 2. developing Work in progress labels Jan 8, 2021
@nickvergessen
Copy link
Member

Setting to 22, otherwise already published apps will fail hard on install

@MorrisJobke

This comment has been minimized.

Sign in to view
rullzer and others added 5 commits January 8, 2021 15:02
@rullzer @nickvergessen
Also sign signatures with sha512
89b52c3 
Signed-off-by: Roeland Jago Douma <[email protected]>
@rullzer @nickvergessen
<= 21 check for the new signature.
3ae54d2 
But also check it if the new signatures are there

Signed-off-by: Roeland Jago Douma <[email protected]>
@rullzer @nickvergessen
Always check new sig for server releases
a074c3c 
Signed-off-by: Roeland Jago Douma <[email protected]>
@rullzer @nickvergessen
Add info.xml
e0802d8 
Signed-off-by: Roeland Jago Douma <[email protected]>
@nickvergessen
Bump autoloader
25df593 
Signed-off-by: Joas Schilling <[email protected]>
@nickvergessen

This comment has been minimized.

Sign in to view
@nickvergessen nickvergessen mentioned this pull request Jan 8, 2021
Closed
@nickvergessen
Copy link
Member

Conflicts and 22, setting back to developing

@nickvergessen nickvergessen added 2. developing Work in progress and removed 3. to review Waiting for reviews labels Jan 20, 2021
@rullzer

This comment has been minimized.

Sign in to view
nickvergessen
nickvergessen approved these changes Jan 22, 2021
View reviewed changes
Copy link
Member

@nickvergessen nickvergessen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems to work, so approving in advance

LukasReschke
LukasReschke reviewed Mar 22, 2021
View reviewed changes
lib/private/IntegrityCheck/Checker.php

if ($forceHash && isset($signatureData['signatures'][$forceHash])) {
// Check the sha512 hash
$rsa->setHash($forceHash);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That scares me a bit because it could eventually lead to something like https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/, in which there is a null algorithm or something eventually.

Can we instead pass a version identifier (e.g. 2 == SHA512)?

lib/private/IntegrityCheck/Checker.php
$minVersion = $this->infoParser->getMinVersion($path . '/appinfo/info.xml');
$forceHash = null;
if ($minVersion >= 22) {
$forceHash = 'sha512';
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you elaborate the reason for the hardcoding here? :)

@LukasReschke LukasReschke self-requested a review May 11, 2021 12:40
This was referenced May 20, 2021
Merged
Merged
@blizzz blizzz mentioned this pull request Jun 2, 2021
Merged
57 tasks
@skjnldsv
Copy link
Member

skjnldsv commented Jun 2, 2021
edited
Loading

@LukasReschke do you want/can to take over?

Or else we move for 23 :)

@LukasReschke LukasReschke removed this from the Nextcloud 22 milestone Jun 9, 2021
@LukasReschke
Copy link
Member

-> 23. I feel it's a bit late for this change now.

@juliusknorr juliusknorr removed their request for review April 5, 2023 14:17
@skjnldsv skjnldsv removed the 2. developing Work in progress label Feb 27, 2024
@skjnldsv
Copy link
Member

As there is no feedback since a while I will close this ticket.
If you will decide to work on this feature again and if it hasn't been fixed or implemented already, feel free to re-open and solve the various conflicts.

@skjnldsv skjnldsv closed this Feb 27, 2024
@skjnldsv skjnldsv deleted the enh/signature_alg branch February 27, 2024 13:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nickvergessen nickvergessen nickvergessen approved these changes

@ChristophWurst ChristophWurst Awaiting requested review from ChristophWurst

@LukasReschke LukasReschke Awaiting requested review from LukasReschke

Assignees
No one assigned
Labels
enhancement feature: apps management
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@rullzer @nickvergessen @MorrisJobke @skjnldsv @LukasReschke