-
-
Notifications
You must be signed in to change notification settings - Fork 4.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enhance signature algorithm for code signatures #24727
Conversation
17b1392
to
7253839
Compare
Setting to 22, otherwise already published apps will fail hard on install |
This comment has been minimized.
This comment has been minimized.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
But also check it if the new signatures are there Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Signed-off-by: Joas Schilling <coding@schilljs.com>
73389ed
to
25df593
Compare
This comment has been minimized.
This comment has been minimized.
Conflicts and 22, setting back to developing |
This comment has been minimized.
This comment has been minimized.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems to work, so approving in advance
|
||
if ($forceHash && isset($signatureData['signatures'][$forceHash])) { | ||
// Check the sha512 hash | ||
$rsa->setHash($forceHash); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That scares me a bit because it could eventually lead to something like https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/, in which there is a null
algorithm or something eventually.
Can we instead pass a version identifier (e.g. 2 == SHA512)?
$minVersion = $this->infoParser->getMinVersion($path . '/appinfo/info.xml'); | ||
$forceHash = null; | ||
if ($minVersion >= 22) { | ||
$forceHash = 'sha512'; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you elaborate the reason for the hardcoding here? :)
@LukasReschke do you want/can to take over? Or else we move for 23 :) |
-> 23. I feel it's a bit late for this change now. |
As there is no feedback since a while I will close this ticket. |
No description provided.