ownCloud supports code signing for the core releases, and for ownCloud applications. Code signing gives our users an additional layer of security by ensuring that nobody other than authorized persons can push updates.
It also ensures that all upgrades have been executed properly, so that no files are left behind, and all old files are properly replaced. In the past, invalid updates were a significant source of errors when updating ownCloud.
By supporting Code Signing we add another layer of security by ensuring that nobody other than authorized persons can push updates for applications, and ensuring proper upgrades.
The ownCloud project is open source and always will be. We do not want to make it more difficult for our users to run ownCloud. Any code signing errors on upgrades will not prevent ownCloud from running, but will display a warning on the Admin page. For applications that are not tagged “Official” the code signing process is optional.
The ownCloud project is open source and always will be. The code signing process is optional, though highly recommended. The code check for the core parts of ownCloud is enabled when the ownCloud release version branch has been set to stable.
For custom distributions of ownCloud it is recommended to change the release version branch in version.php to something else than “stable”.
Code signing is optional for all third-party applications. Applications with a tag of “Official” on apps.owncloud.com require code signing.
ownCloud uses a X.509 based approach to handle authentication of code. Each ownCloud release contains the certificate of a shipped ownCloud Code Signing Root Authority. The private key of this certificate is only accessible to the project leader, who may grant trusted project members with a copy of this private key.
This Root Authority is only used for signing certificate signing requests (CSRs) for additional certificates. Certificates issued by the Root Authority must always to be limited to a specific scope, usually the application identifier. This enforcement is done using the CN attribute of the certificate.
Code signing is then done by creating a signature.json file with the following content:
{
"hashes": {
"/filename.php":
"2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350b
ccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d",
"/lib/base.php":
"55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2
effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9"
},
"certificate": "-----BEGIN CERTIFICATE-----
MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\
nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\
nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\
nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\
nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\
nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\
nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\
nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\
njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\
niG+UxI/MNcWV0uJg9S63LF8=\n
-----END CERTIFICATE-----",
"signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl"
}
hashes is an array of all files in the folder with their corresponding SHA-512 hashes. certificate is the certificate used for signing. It has to be issued by the ownCloud Root Authority, and its CN needs to be permitted to perform the required action. The signature is then a signature of the hashes which can be verified using the certificate.
Having the certificate bundled within the signature.json file has the advantage that even if a developer loses their certificate, future updates can still be ensured by having a new certificate issued.
The following commands require that you have OpenSSL installed on your machine. Ensure that you keep all generated files to sign your application. The following examples will assume that you are trying to sign an application named “contacts”.
The occ tool will store a signature.json file within the appinfo folder of your application. Then compress the application folder and upload it to apps.owncloud.com. Be aware that doing any changes to the application after it has been signed requires another signing. So if you do not want to have some files shipped remove them before running the signing command.
In case you lose your certificate please submit a new CSR as described above and mention that you have lost the previous one. ownCloud will revoke the old certificate.
If you maintain an app together with multiple people it is recommended to designate a release manager responsible for the signing process as well as the uploading to apps.owncloud.com. If there are cases where this is not feasible and multiple certificates are required ownCloud can create them on a case by case basis. We do not recommend developers to share their private key.
The following errors can be encountered when trying to verify a code signature. For information about how to get access to those results please refer to the Issues section of the ownCloud Server Administration manual.