Commit Graph

55 Commits

Author SHA1 Message Date
Morris Jobke 9617f714db Update CRL to contain revoked files_external_dropbox, passman & payback
* see https://github.com/nextcloud/app-certificate-requests/pull/221
* see https://github.com/nextcloud/app-certificate-requests/pull/219#issuecomment-463577509

Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2019-02-14 13:54:26 +00:00
Roeland Jago Douma a52310af3b Update the CRL
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-01-04 09:40:33 +00:00
Morris Jobke 571f98ef86
Update CRL due to changed cert for linkshareex
See https://github.com/nextcloud/app-certificate-requests/pull/193

Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-10-09 11:56:49 +02:00
Joas Schilling d7246edc94
Add the new share type
Signed-off-by: Joas Schilling <coding@schilljs.com>
2018-08-24 23:08:17 +02:00
Morris Jobke bb2336f389
Merge pull request #10526 from steiny2k/HEICHEIF
Support HEIC for previews
2018-08-22 13:41:19 +02:00
Roeland Jago Douma 0fb2c50f17
Another CRL bump
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-08-13 10:28:23 +02:00
Roeland Jago Douma 45385e8114
Update CRL
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-08-13 09:53:19 +02:00
Sebastian Steinmetz 6973b82e20 Develop HEIC/HEIF preview support #7406
Signed-off-by: Sebastian Steinmetz <me@sebastiansteinmetz.ch>
2018-08-11 00:13:43 +02:00
Christoph Wurst e53c048bc8
Fix info.xsd to sync with the appstore one
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2018-08-09 06:58:18 +02:00
John Oyler 489103eede
Give the various comic book file formats distinct mime types so that they can be handled correctly by the preview functionality without file type checking at that point. 2018-07-10 21:23:35 +02:00
Joas Schilling 5541d3dd84
Add visio mimetypes
Signed-off-by: Joas Schilling <coding@schilljs.com>
2018-07-06 15:16:21 +02:00
Georg Ehrke 8c73b13ac8
move locales file to /resources/
Signed-off-by: Georg Ehrke <developer@georgehrke.com>
2018-06-27 21:52:19 +02:00
Morris Jobke 7dcab39f34
Update CRL to include old quicknotes cert
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-04-17 11:40:56 +02:00
Joas Schilling 17a26dfcc1
Validate the info.xml against the appstore schema file
Signed-off-by: Joas Schilling <coding@schilljs.com>
2018-02-16 10:23:51 +01:00
Morris Jobke a76d850b40
Update CRL to revoke files_rightclick
See https://github.com/nextcloud/app-certificate-requests/pull/134

Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-02-09 09:42:57 +01:00
Morris Jobke e2d5f3cc12
Update CRL because user_sql cert was lost
* see https://github.com/nextcloud/app-certificate-requests/pull/129

Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2018-02-02 12:00:25 +01:00
Morris Jobke 7a49270c64
Update CRL due to aboutconfig
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-11-23 18:37:23 +01:00
Morris Jobke eaafa72ae0
Update CRL due to files_frommail
Signed-off-by: Morris Jobke <hey@morrisjobke.de>
2017-11-23 17:56:58 +01:00
Rello c5f76785ba
Mapping of m3u, m3u8, pls to audio streams
Signed-Off-By: Rello <Rello@users.noreply.github.com>
2017-10-31 14:05:24 +01:00
Thomas Ebert 93d539b0cf Add mimetype support for .URL (Windows) and .webloc (macOS) files. Update places/link svg. Add filetype/link icon. Add repair step for mime types.
Signed-off-by: Thomas Ebert <thomas.ebert@te-online.net>
2017-08-31 16:53:07 +02:00
Arthur Schiwon 0f92a2c6fd
bycatch, x-ldif entry was missing
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2017-06-14 11:47:44 +02:00
Arthur Schiwon c1d9565131
added kml, kmz, tcx types as well while at it
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2017-06-14 11:02:05 +02:00
Arthur Schiwon 6538302daa
add gpx mimetype
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2017-06-14 00:26:01 +02:00
Stefan Weil eb7e4d48c9 Add mimetypes for jp2 and webp
Those image formats can be processed by Tesseract, so they are needed
for improved Nextcloud OCR.

Signed-off-by: Stefan Weil <sw@weilnetz.de>
2017-04-25 18:43:39 +02:00
Lukas Reschke 23d9902cf3
Update CA bundle
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-04-13 11:56:09 +02:00
Joas Schilling 2e78aa6232
Remove the cert as well
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-03-22 15:17:19 +01:00
Lukas Reschke 7a174c1b4a
Add CRL entry for old rainloop certificate
Certificate has been lost as per https://github.com/nextcloud/app-certificate-requests/pull/47 - let's revoke the old one thus.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-02-20 11:10:59 +01:00
Joas Schilling ade91c8fe2
Recognize .bat and .cmd files
Signed-off-by: Joas Schilling <coding@schilljs.com>
2017-02-10 14:25:25 +01:00
Arthur Schiwon 68a0f8e153
recognize LDIF (and schema) file types
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2017-01-06 12:25:16 +01:00
Lukas Reschke a0f07dd754
Update bundled CA Certificates
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2017-01-02 15:35:36 +01:00
Lukas Reschke 3e6dd86ee4
Add support for CRL
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2016-10-31 17:17:46 +01:00
Lukas Reschke 5e5f60280e
Update root certificate list
Syncs with the newest certificate list by Mozilla.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2016-10-06 11:01:29 +02:00
Morris Jobke da1c51882b
update to proper icons and run occ command to update JS file 2016-08-30 10:33:43 +02:00
Daniel Szasz 5b9eabf4bc
Update the mime types with the relevant types for "apple-iWorks" (pages, numbers, keynote). Now the files are treated like a file when are in "Single file" mode. 2016-08-30 10:32:46 +02:00
Roeland Jago Douma a774efb0f9
Update mimetypes 2016-08-19 09:55:38 +02:00
Lukas Reschke 38b2239b0d
Add ownCloud cert 2016-07-21 01:34:43 +02:00
Lukas Reschke 977db0a162
Use proper certificates
Ports bcf693539b
2016-07-21 01:34:11 +02:00
Alexander Yamshanov ee790ec6ac Add mimetype for fb2-extension 2016-07-03 15:13:08 +06:00
Victor Dubiniuk 6c70e847dd Add bzip2 to known mimetypes 2016-05-30 18:50:14 +03:00
Jörn Friedrich Dreyer 86d3dcd7e8 Merge pull request #24006 from owncloud/audio_m4a
Adding mimetypes for m4a and m4b
2016-05-17 09:03:06 +02:00
Carla Schroder 80a9a7d15f correct typo in mimetypealiases.dist.json 2016-04-26 07:29:36 -07:00
Carla Schroder 7dbba520f0 correct occ command for mimetypealiases 2016-04-25 16:08:49 -07:00
Martin 998da2acd3 Adding mimetypes for m4a and m4b 2016-04-14 18:25:15 +02:00
Thomas Müller d8faeab421 Merge pull request #21766 from farukuzun/master
Add some mimetypes
2016-02-04 16:49:31 +01:00
Faruk Uzun 6ffd8f3e0d Introduce some mimetypes for richdocuments
* application/vnd.lotus-wordpro
* application/vnd.visio
* application/vnd.wordperfect
* application/msonenote
2016-02-04 13:48:21 +02:00
Lukas Reschke 4db5638505 Add proper line ending 2016-02-03 21:38:13 +01:00
Lukas Reschke a06b62f901 Use intermediate root authority
Danimo proposed to use an intermediate root authority for signing purposes which makes sense considering that we may also sign updates this way in the future. So this uses now an intermediate authority.
2016-02-03 19:07:50 +01:00
Lukas Reschke 1d27a53338 Use newly generated certificate authority 2016-02-03 18:17:43 +01:00
Lukas Reschke c0640f7998 Sync certificates with upstream 2016-01-22 22:10:17 +01:00
Lukas Reschke 4971015544 Add code integrity check
This PR implements the base foundation of the code signing and integrity check. In this PR implemented is the signing and verification logic, as well as commands to sign single apps or the core repository.

Furthermore, there is a basic implementation to display problems with the code integrity on the update screen.

Code signing basically happens the following way:

- There is a ownCloud Root Certificate authority stored `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release 😉). This certificate is not intended to be used for signing directly and only is used to sign new certificates.
- Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`,  apps need to be signed with a certificate that either has a CN of `core` (shipped apps!)  or the AppID.
- The command generates a signature.json file of the following format:
```json
{
    "hashes": {
        "/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d",
        "/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9"
    },
    "certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----",
    "signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl"
}
```
`hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the  certificate used for signing. It has to be issued by the ownCloud Root Authority and it's CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`.

Steps to do in other PRs, this is already a quite huge one:
- Add nag screen in case the code check fails to ensure that administrators are aware of this.
- Add code verification also to OCC upgrade and unify display code more.
- Add enforced code verification to apps shipped from the appstore with a level of "official"
- Add enfocrced code verification to apps shipped from the appstore that were already signed in a previous release
- Add some developer documentation on how devs can request their own certificate
- Check when installing ownCloud
- Add support for CRLs to allow revoking certificates

**Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature:

```
➜  master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt
Successfully signed "core"
```

Then increase the version and you should see something like the following:

![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png)

As you can see a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen.

For packaging stable releases this requires the following additional steps as a last action before zipping:
1. Run `./occ integrity:sign-core` once
2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.
2015-12-01 11:55:20 +01:00