nextcloud/resources/codesigning/root.crt

46 lines
2.7 KiB

Add code integrity check

This PR implements the base foundation of the code signing and integrity check. In this PR implemented is the signing and verification logic, as well as commands to sign single apps or the core repository.

Furthermore, there is a basic implementation to display problems with the code integrity on the update screen.

Code signing basically happens the following way:

- There is an ownCloud Root Certificate authority stored `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release :wink:). This certificate is not intended to be used for signing directly and only is used to sign new certificates.
- Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`, apps need to be signed with a certificate that either has a CN of `core` (shipped apps!) or the AppID.
- The command generates a signature.json file of the following format:

```json
{
    "hashes": {
        "/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d",
        "/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9"
    },
    "certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----",
    "signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl"
}
```

`hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the certificate used for signing. It has to be issued by the ownCloud Root Authority and its CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`.

Steps to do in other PRs, this is already a quite huge one:

- Add nag screen in case the code check fails to ensure that administrators are aware of this.
- Add code verification also to OCC upgrade and unify display code more.
- Add enforced code verification to apps shipped from the appstore with a level of "official"
- Add enforced code verification to apps shipped from the appstore that were already signed in a previous release
- Add some developer documentation on how devs can request their own certificate
- Check when installing ownCloud
- Add support for CRLs to allow revoking certificates

**Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature:

```
➜ master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt
Successfully signed "core"
```

Then increase the version and you should see something like the following:

![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png)

As you can see a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen.

For packaging stable releases this requires the following additional steps as a last action before zipping:

1. Run `./occ integrity:sign-core` once
2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.
2015-11-03 22:26:06 +03:00
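The hash comparison and CN rule described in the commit message, as an added Python example (not code from this commit or from the ownCloud/Nextcloud project). The function names and the sample tree are constructed for illustration, reporting files absent from `hashes` is this example's choice, and checking the `signature` and the certificate's issuer requires an X.509 library and is not covered here.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Return {'/relative/path': sha512-hex} for every file under root."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                hashes[rel] = hashlib.sha512(fh.read()).hexdigest()
    return hashes


def cn_may_sign(cn, target):
    """CN rule: 'core' signs core and shipped apps; otherwise CN must be the AppID."""
    return cn == "core" or (target != "core" and cn == target)


def check_integrity(root, manifest, signer_cn, target):
    """Compare the tree with manifest['hashes']; empty lists mean no findings."""
    expected, actual = manifest["hashes"], hash_tree(root)
    return {
        "cn_allowed": cn_may_sign(signer_cn, target),
        "modified": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "missing": sorted(set(expected) - set(actual)),
        "extra": sorted(set(actual) - set(expected)),
    }


def demo():
    """Constructed sample tree: record hashes, then change one file and add another."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "lib"))
        for rel, body in (("filename.php", b"<?php // a"), ("lib/base.php", b"<?php // b")):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        manifest = {"hashes": hash_tree(root)}  # what signing would record
        with open(os.path.join(root, "lib/base.php"), "ab") as fh:
            fh.write(b" changed")
        with open(os.path.join(root, "lib/added.php"), "wb") as fh:
            fh.write(b"<?php // not in manifest")
        return check_integrity(root, manifest, "contacts", "contacts")


if __name__ == "__main__":
    print(demo())
```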