FS#73667 - [nextcloud] package v 23.0.1-1 produces code integrity check failures

Attached to Project: Community Packages
Opened by Markus (wolegis) - Monday, 07 February 2022, 13:13 GMT
Last edited by freswa (frederik) - Tuesday, 08 February 2022, 12:11 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To No-one
Architecture All
Severity Critical
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No

Details

Description:

Installing the latest version of the nextcloud package produced code integrity check failures.

Details see https://gist.github.com/wolegis/91d21404c72abd40e9628cd649b286ac

What bothers me: No way on Nextcloud's website to download 23.0.1.

I finally managed to get hold of the tar-ball by manually manipulating the download URL of 23.0.0.

https://download.nextcloud.com/server/releases/nextcloud-23.0.1.tar.bz2

A few random checks revealed: The [expected] hashes match what can be found in the tar-ball. I'm confused...

Has the 23.0.1 tar-ball silently been replaced by some other version since the Arch Linux package was built?


Steps to reproduce:

Upgrade to version 23.0.1-1, log in as admin, go to Settings, Overview. This triggers the code integrity check.

Closed by  freswa (frederik)
Tuesday, 08 February 2022, 12:11 GMT
Reason for closing:  Won't fix
Additional comments about closing:  We can't alter signed hashes.
Comment by Markus (wolegis) - Monday, 07 February 2022, 13:45 GMT
> A few random checks revealed: The [expected] hashes match what can be found in the tar-ball.

Some other random checks verified that the [current] hashes match what can be found in the Arch linux package.

So I more and more come to the conclusion that

1. 23.0.1 has not been officially released yet and because of that

2. the Nextcloud guys took the liberty to update the tar-ball on their download server at least once.
Comment by David Runge (dvzrv) - Monday, 07 February 2022, 13:57 GMT
@wolegis: This is because we are applying patches [1] for php 8.1 compatibility. Until nextcloud 24.0.0 there is not much we can do about this I'm afraid (see FS#73452).


[1] https://github.com/archlinux/svntogit-community/blob/3416e0d640dd0960e9fabf18fdc443bc295a0976/trunk/PKGBUILD#L88-L97
Comment by Michael Gwin (oksijun) - Tuesday, 08 February 2022, 11:36 GMT
  • Field changed: Percent Complete (100% → 0%)
The hashes that the code integrity checks rely on should be updated to reflect the patched code.
Comment by freswa (frederik) - Tuesday, 08 February 2022, 11:47 GMT
The hashes are hardcoded in core/signature.json
Comment by Markus (wolegis) - Tuesday, 08 February 2022, 12:05 GMT
@oksijun, @frederik don't forget to look at the end of the signature.json files. (Yes, there is more than just the one below core.) They also contain a signature and a certificate. So apparently the signature.json files do not just contain simple hash values but are also cryptographically signed. Feel free to reverse-engineer how this is actually accomplished and then provide Dave with the details of how he can replace them with an updated version that is easily accepted by the Nextcloud code.

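The mechanism the last three comments circle (a hash list that is itself signed, with the signer's certificate alongside it), as an added example in Go that is not code from Nextcloud, the Arch package or anyone in this thread. The names Manifest, Sign, Verify and hashFiles, the finding labels, and the two-file release tree are constructed for this example; the signing parameters (RSA-PSS over a SHA-512 digest of the JSON-serialised hash map) and the use of a bare public key PEM in place of the certificate are assumptions made here, not a reproduction of Nextcloud's actual scheme. It shows why "We can't alter signed hashes" holds: a patched file fails its hash, rewriting the hashes to match the patch breaks the signature, and re-signing with a key the verifier does not trust is rejected.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"crypto/x509"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"sort"
)

// Manifest models the three fields the thread points at in core/signature.json: per-file
// hashes, a signature over them and the signer's certificate (layout assumed for this example).
type Manifest struct {
	Hashes      map[string]string `json:"hashes"`
	Signature   string            `json:"signature"`
	Certificate string            `json:"certificate"`
}

// hashFiles returns hex SHA-512 digests keyed by path.
func hashFiles(files map[string][]byte) map[string]string {
	out := make(map[string]string, len(files))
	for path, data := range files {
		sum := sha512.Sum512(data)
		out[path] = hex.EncodeToString(sum[:])
	}
	return out
}

// signedDigest is what the signature covers: SHA-512 of the hash map serialised with sorted
// keys (encoding/json sorts map keys), so signer and verifier hash identical bytes.
func signedDigest(hashes map[string]string) []byte {
	b, _ := json.Marshal(hashes)
	d := sha512.Sum512(b)
	return d[:]
}

// Sign builds the manifest with the vendor's private key. The "certificate" field carries only
// the public key PEM here (assumption); the real file carries a certificate chained to a signing CA.
func Sign(files map[string][]byte, key *rsa.PrivateKey) Manifest {
	hashes := hashFiles(files)
	sig, err := rsa.SignPSS(rand.Reader, key, crypto.SHA512, signedDigest(hashes), nil)
	if err != nil {
		panic(err)
	}
	der, _ := x509.MarshalPKIXPublicKey(&key.PublicKey)
	return Manifest{
		Hashes:      hashes,
		Signature:   base64.StdEncoding.EncodeToString(sig),
		Certificate: string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})),
	}
}

// Verify is the integrity check: trusted signer, valid signature over the hash list, then every
// installed file against its signed hash. An empty result means the tree is intact.
func Verify(m Manifest, files map[string][]byte, trusted *rsa.PublicKey) []string {
	block, _ := pem.Decode([]byte(m.Certificate))
	if block == nil {
		return []string{"BAD_CERTIFICATE"}
	}
	// Only the vendor key is trusted: a manifest re-signed with a packager's own key is
	// rejected even though its signature is internally consistent.
	if pub, _ := x509.ParsePKIXPublicKey(block.Bytes); pub == nil || !trusted.Equal(pub) {
		return []string{"UNTRUSTED_SIGNER"}
	}
	sig, err := base64.StdEncoding.DecodeString(m.Signature)
	if err != nil || rsa.VerifyPSS(trusted, crypto.SHA512, signedDigest(m.Hashes), sig, nil) != nil {
		return []string{"INVALID_SIGNATURE"}
	}
	var findings []string
	actual := hashFiles(files)
	for path, want := range m.Hashes {
		if actual[path] != want { // a missing file hashes to "" and lands here too
			findings = append(findings, "INVALID_HASH:"+path)
		}
	}
	for path := range actual {
		if _, listed := m.Hashes[path]; !listed {
			findings = append(findings, "EXTRA_FILE:"+path)
		}
	}
	sort.Strings(findings)
	return findings
}

func main() {
	vendor, _ := rsa.GenerateKey(rand.Reader, 2048)
	release := map[string][]byte{ // constructed stand-in for a release tree
		"lib/private/Foo.php": []byte("<?php class Foo {}\n"),
		"version.php":         []byte("<?php $OC_Version = [23, 0, 1, 0];\n"),
	}
	m := Sign(release, vendor)
	fmt.Println("pristine:", Verify(m, release, &vendor.PublicKey))
	// A distribution patch edits a file; the signed hash list cannot follow it ...
	patched := map[string][]byte{"lib/private/Foo.php": []byte("<?php class Foo { /* patched */ }\n"), "version.php": release["version.php"]}
	fmt.Println("patched:", Verify(m, patched, &vendor.PublicKey))
	// ... and rewriting the hashes to match the patch invalidates the signature.
	m.Hashes = hashFiles(patched)
	fmt.Println("edited:", Verify(m, patched, &vendor.PublicKey))
}
```

Run with `go run` to see the three outcomes in order: no findings, one INVALID_HASH for the patched file, then INVALID_SIGNATURE once the hash list is edited. The trust check is deliberately a key comparison rather than a chain walk: that is the piece a downstream packager cannot satisfy without the vendor's signing key, which is the point of the closing reason above.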