Commit Graph

50 Commits

Author SHA1 Message Date
Lukas Reschke 4971015544 Add code integrity check
This PR implements the base foundation of the code signing and integrity check. This PR implements the signing and verification logic, as well as commands to sign single apps or the core repository.

Furthermore, there is a basic implementation to display problems with the code integrity on the update screen.

Code signing basically happens the following way:

- There is an ownCloud Root Certificate Authority stored in `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release 😉). This certificate is not intended to be used for signing directly and only is used to sign new certificates.
- Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`; apps need to be signed with a certificate that either has a CN of `core` (shipped apps!) or the AppID.
- The command generates a signature.json file of the following format:
```json
{
    "hashes": {
        "/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d",
        "/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9"
    },
    "certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----",
    "signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl"
}
```
`hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the certificate used for signing. It has to be issued by the ownCloud Root Authority and its CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`.

Steps to do in other PRs, this is already a quite huge one:
- Add nag screen in case the code check fails to ensure that administrators are aware of this.
- Add code verification also to OCC upgrade and unify display code more.
- Add enforced code verification to apps shipped from the appstore with a level of "official"
- Add enforced code verification to apps shipped from the appstore that were already signed in a previous release
- Add some developer documentation on how devs can request their own certificate
- Check when installing ownCloud
- Add support for CRLs to allow revoking certificates

**Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature:

```
➜  master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt
Successfully signed "core"
```

Then increase the version and you should see something like the following:

![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png)

As you can see a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen.

For packaging stable releases this requires the following additional steps as a last action before zipping:
1. Run `./occ integrity:sign-core` once
2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.
2015-12-01 11:55:20 +01:00
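
The hash comparison a verifier would run against the `hashes` map of a `signature.json` in the format shown in the commit message above, as an added example that is not part of the commit or of ownCloud's code. It covers only this step: verifying `signature` over `hashes` and the certificate's issuer and CN must succeed first and is not shown. The function names, the result keys and the sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Return {"/relative/path": sha512_hex} for every file under root."""
    hashes = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            if rel == "/signature.json":
                continue  # assumption: the manifest does not list itself
            with open(full, "rb") as fh:
                hashes[rel] = hashlib.sha512(fh.read()).hexdigest()
    return hashes


def check_integrity(root, manifest):
    """Compare the tree at root with manifest["hashes"]; empty lists mean clean."""
    expected, actual = manifest["hashes"], hash_tree(root)
    return {
        "modified": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in actual),
        "extra": sorted(p for p in actual if p not in expected),
    }


def demo():
    """Build a constructed two-file tree, record its hashes, then alter it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lib"))
        for rel, data in {"filename.php": b"<?php echo 1;", "lib/base.php": b"<?php // base"}.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        # certificate and signature are placeholders; they are not verified here
        manifest = {"hashes": hash_tree(root), "certificate": "PLACEHOLDER", "signature": "PLACEHOLDER"}
        clean = check_integrity(root, manifest)
        with open(os.path.join(root, "lib", "base.php"), "ab") as fh:
            fh.write(b"\n// changed after signing")      # modified file
        os.remove(os.path.join(root, "filename.php"))   # missing file
        with open(os.path.join(root, "added.php"), "wb") as fh:
            fh.write(b"<?php // not in manifest")       # extra file
        return clean, check_integrity(root, manifest)


if __name__ == "__main__":
    print(demo())
```

Reporting extra files matters as much as reporting changed ones: a file dropped into the tree leaves every listed hash intact.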
Morris Jobke 3b249f1967 Revert "setting to skip migration tests by default"
This reverts commit 7cbdd9b90b.
2015-10-27 21:25:11 +01:00
Joas Schilling 9200bbeaba Update: state which step we are going to start and warn if it might be slow 2015-10-21 09:17:38 +02:00
Thomas Müller 4cb5970947 Always pass in ILogger 2015-10-09 14:08:22 +02:00
Morris Jobke b945d71384 update licence headers via script 2015-10-05 21:15:52 +02:00
Morris Jobke 7cbdd9b90b setting to skip migration tests by default
* if you install owncloud via package it is not
  possible to skip migration tests
* this also allows to disable migration tests for
  an instance by default
2015-10-01 14:23:25 +02:00
Morris Jobke 5acb38b5b3 [upgrade] switch to debug logging on upgrade
* resets afterwards
* adds output about the previous log level
2015-09-29 14:35:32 +02:00
Morris Jobke b5c9196ffc Merge pull request #17088 from owncloud/add-verbosity-to-upgrade
[upgrade] add verbosity check and show repair info & steps
2015-07-01 08:56:06 +02:00
Morris Jobke 4e44cc49d9 Merge pull request #17093 from owncloud/upgrade-timestamp
[upgrade] show timestamp for output during upgrade
2015-07-01 08:55:32 +02:00
Morris Jobke f63915d0c8 update license headers and authors 2015-06-25 14:13:49 +02:00
Morris Jobke 5ff536b45a [upgrade] add verbosity check and show repair info & steps 2015-06-24 10:25:05 +02:00
Joas Schilling dba5d5e205 Use an OutputFormatter instead of hacking into writeln() 2015-06-24 09:26:30 +02:00
Joas Schilling d8b9f6ac23 Use logtimezone and logdateformat 2015-06-24 09:24:28 +02:00
Morris Jobke 0137a3c5e0 [upgrade] show timestamp for output during upgrade
* added --show-timestamp option
2015-06-24 09:24:25 +02:00
Morris Jobke 02b2b60581 Merge pull request #17095 from owncloud/proper-error-handling
Proper error handling
2015-06-23 17:40:55 +02:00
Morris Jobke c86e129ce9 [updater] keep maintenance active on failure and mark failure in red 2015-06-23 14:45:53 +02:00
Morris Jobke 1ba9fd3ada [upgrade] print update message before running the update code
* otherwise you don't know during which app update something failed
2015-06-23 13:13:44 +02:00
Morris Jobke fe42553e8a [updater] propagate error case properly
* add $success to the updateEnd hook
* add new return code for an update failure
* add exception class to failure hook message
2015-06-23 10:03:27 +02:00
Thomas Müller 739c3f01aa Merge pull request #16434 from owncloud/persist-maintenance-state
Persist the state of the maintenance after an upgrade
2015-06-03 13:56:17 +02:00
Steffen Lindner 48040c46cb Skip disable3rdParty Apps 2015-05-20 17:06:00 +02:00
Morris Jobke 064f5204cc Persist the state of the maintenance after an upgrade
* if maintenance mode was enabled before an upgrade
  it will be enabled afterwards too
* fixes #16429
2015-05-19 10:56:04 +02:00
Morris Jobke cb909cda97 Add info message for upgrade of a 3rdparty app 2015-05-12 18:02:31 +02:00
Thomas Müller a4171b295d More elaborate command description for upgrade - fixes #14864 2015-03-26 22:30:35 +01:00
Jenkins for ownCloud b585d87d9d Update license headers 2015-03-26 11:44:36 +01:00
Vincent Petry 22bc37cb82 Properly forward repair errors and warnings
This makes repair errors and warnings visible for the user when
upgrading on the command line or in the web UI.
2015-02-27 12:44:04 +01:00
Morris Jobke 06aef4e8b1 Revert "Updating license headers"
This reverts commit 6a1a4880f0.
2015-02-26 11:37:37 +01:00
Thomas Müller 58cedc07b5 print app upgrade information to console as well 2015-02-24 12:52:16 +01:00
Thomas Müller bbf7f56f94 3rd-party apps are disabled on upgrade - refs #14026 2015-02-24 12:02:36 +01:00
Jenkins for ownCloud 6a1a4880f0 Updating license headers 2015-02-23 12:13:59 +01:00
Victor Dubiniuk c9fd3c9d29 Inject config 2014-12-10 01:13:38 +03:00
Victor Dubiniuk 303fce44f4 Use httphelper and cache response even when it is empty 2014-12-06 20:17:47 +03:00
Thomas Müller 136b0c22c9 Fix ctor call in OC\Core\Command\Upgrade 2014-11-03 13:53:59 +01:00
Thomas Müller a348a6f450 no longer use deprecated class \OC_Config 2014-09-22 12:04:48 +02:00
Thomas Müller e655d32979 remove bootstrapping - occ can by definition only be executed if ownCloud is installed - base.php is required earlier already 2014-09-22 12:00:22 +02:00
Thomas Müller 43c191fffb show upgrade errors as error in the console and report back that the upgrade process failed if it did 2014-09-22 11:59:13 +02:00
Vincent Petry 5e27ac3e0d Added CLI arguments for upgrade simulation steps
Added "dry run" argument to only run the update simulation.
Added argument to disable migration (useful for bigger setups where
table duplication would take too much space)
2014-06-06 10:11:14 +02:00
Vincent Petry 5b97369b00 Simulate apps database schema update on upgrade
When upgrading, also simulate the database schema update for apps before
doing the actual upgrade.
2014-06-04 17:16:44 +02:00
Vincent Petry 02f682b156 Now showing disabled apps as upgrade status line
- Added app id in update overview.
- Added status message for disabled app for CLI upgrade and web upgrade
2014-05-27 15:20:33 +02:00
Thomas Müller 6ff96b34ad Merge branch 'master' into load-apps-proper-master
Conflicts:
	apps/files/ajax/rawlist.php
	cron.php
	ocs/v1.php
2014-03-21 14:05:08 +01:00
Thomas Müller 6b9ae27b90 drop file cache migration OC5 -> OC6 2014-03-18 17:14:38 +01:00
Vincent Petry 1a116828cf Added warning for trusted_domains after CLI upgrade
If trusted_domains is not set after a CLI upgrade, show a warning in the
output.
2014-03-14 11:16:45 +01:00
Scrutinizer Auto-Fixer adaee6a5a1 Scrutinizer Auto-Fixes
This patch was automatically generated as part of the following inspection:
https://scrutinizer-ci.com/g/owncloud/core/inspections/cdfecc4e-a37e-4233-8025-f0d7252a8720

Enabled analysis tools:
 - PHP Analyzer
 - JSHint
 - PHP Copy/Paste Detector
 - PHP PDepend
2014-02-19 09:31:54 +01:00
Thomas Müller afbe50d09c remove global variable $RUNTIME_NOAPPS - it's just superfluous 2014-02-06 09:44:13 +01:00
Andreas Fischer 70111ea299 Add some color to the occ upgrade output. 2013-10-28 22:26:44 +01:00
Andreas Fischer b8dbec0da4 Use "else if" to remove one level of indentation. 2013-10-28 22:22:59 +01:00
ringmaster f130caa4a2 Missed one write()->writeln(). Fixed. 2013-10-28 17:06:36 -04:00
ringmaster bca1e12597 Use writeln() instead of write() 2013-10-28 16:53:36 -04:00
ringmaster d1c5e5d777 Use the OutputInterface for output and return error codes. 2013-10-28 16:50:28 -04:00
ringmaster a24cbb50af Move all upgrade routines into the command-line tool. 2013-10-28 10:15:56 -04:00
ringmaster 29a21466f3 Add `occ upgrade` command. 2013-10-24 13:59:39 -04:00