From a06b62f901343f5e5400407450663b83926c67d8 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Wed, 3 Feb 2016 19:07:50 +0100 Subject: [PATCH 1/4] Use intermediate root authority Danimo proposed to use an intermediate root authority for signing purposes which makes sense considering that we may also sign updates this way in the future. So this uses now an intermediate authority. --- resources/codesigning/core.crt | 46 ++++++++-------- resources/codesigning/root.crt | 98 ++++++++++++++++++++++------------ 2 files changed, 87 insertions(+), 57 deletions(-) diff --git a/resources/codesigning/core.crt b/resources/codesigning/core.crt index 0692e940186..556161f93ea 100644 --- a/resources/codesigning/core.crt +++ b/resources/codesigning/core.crt @@ -1,24 +1,24 @@ -----BEGIN CERTIFICATE----- -MIID/TCCAeUCAhAAMA0GCSqGSIb3DQEBCwUAMHkxFjAUBgNVBAoTDW93bkNsb3Vk -IEluYy4xEjAQBgNVBAcTCUxleGluZ3RvbjEPMA0GA1UECBMGQm9zdG9uMQswCQYD -VQQGEwJVUzEtMCsGA1UEAxMkb3duQ2xvdWQgQ29kZSBTaWduaW5nIFJvb3QgQXV0 -aG9yaXR5MB4XDTE2MDIwMzE3MTM0NVoXDTI2MDEzMTE3MTM0NVowDzENMAsGA1UE -AwwEY29yZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKzP4ujnvS9l -otPJ7zHZMD8IGgcuYVtZ40n4pWSArhJboazhMdadpfxEZAghZtzkK+AKz4V+92GV -UOf+FgFRMcsaaBFr9INE4tdYKPVfHq19sDZVhYySfg7/z9qWc9XTMAm1lWpFyDQb -CC0i1YFogk0JdPr5Ay2Ftgbbr+TtMduL0RshdClqoiwntLnFhu8VRZi3+/yHH2cN -M5ANjm/MXT8Ae6KMVOzsYhBcxMLNVL08Ih1ubtu4LbKgyT5ShYzxqRnJ8U1KlmVT -w/wsSGMvVTEJkozkQEyg88vkxwvqLLYs5bOvXY93S6YKb2gO7RAA2c/IaEDbL32t -TJJhRoPif9cCAwEAATANBgkqhkiG9w0BAQsFAAOCAgEAiRhcef1Tc0Lj4BWIxYDV -Fjkrd4HHe3FyZRdD1+NU4LSb/4xXknmrwu5tITrnoGqNfUGn9BlP5Ek7Iu15PMPi -8Us8xszvgMZ7BG3x4zTMHwUseLT56/+qE76VN2vXusQBuEhOll/WN2qHvPi8BOCk -fOL6/EIUdqfMh9FKGNKOJ5f95eKogyVVxVcUpGWoqZRQTJaNMBTdT8Zwv1aTLRgp -Vf8JFzmxG9Atc/00w7cg4tV4lUpZafn1RYaIi4DWZhI43yR+Z8CKQBXt7iufu0QD -VwWOqYjmK7aKB2bL3+8I2bL9pm9DUKrAPYSObdmasJQGFVNCILisWJjX5wlUC2IL -FtMfZ4egyWZTLeQ+VQt92cJeVZYins5GECm1SqgXGnmQWv01/wNIqUhLuVFoLyVv -aPhCYcjNcbwJm8m++kz/G6+5AhRv2JrZq3i1Cw/yRQuiotXrJE+ukIvvSEjlLJ0C -Njm7EMy1mNfhIi1Xel/aUaf0y92GMsfnCuzI+tRG50HHupLEXHItlg2RILmNQNpo -woqHpUZs5G5HZlE5ZnffJlZpJyqA1EpQDh1XXJqcVwV50V9o+CMvxXO8s2lUA+i6 -Kay+t3mz2dX6qflRUPLsPS4XLdB9MUiIHCOgMJfsK+9SZ+i1VymhV5UYx8rqglC7 -8crw8NpiIuOqQZW8LcZXZBU= ------END CERTIFICATE----- \ No newline at end of file +MIID8TCCAdkCAhAAMA0GCSqGSIb3DQEBCwUAMG0xCzAJBgNVBAYTAlVTMQ8wDQYD +VQQIDAZCb3N0b24xFjAUBgNVBAoMDW93bkNsb3VkIEluYy4xNTAzBgNVBAMMLG93 +bkNsb3VkIENvZGUgU2lnbmluZyBJbnRlcm1lZGlhdGUgQXV0aG9yaXR5MB4XDTE2 +MDIwMzE3NTE0OVoXDTI2MDEzMTE3NTE0OVowDzENMAsGA1UEAwwEY29yZTCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPHdSljnHI+ueQd27UyWPO9n4Lqt +bK0kdekiC3si7Mee7uXXJaGuqXJozHEZYB1LIFLdCU/itCxEk9hyLcyNzeT+nRT/ +zDuOYdbLgCj7/A5bX+u3jc29UlCYybSFchfMdvn7a0njCna4dE+73b4yEj16tS2h +S1EUygSzgicWlJqMD3Z9Qc+zLEpdhq9oDdDB8HURi2NW4KzIraVncSH+zF1QduOh +nERDnF8x48D3FLdTxGA0W/Kg4gYsq4NRvU6g3DJNdp4YfqRSFMmLFDCgzDuhan7D +wgRlI9NAeHbnyoUPtrDBUceI7shIbC/i87xk9ptqV0AyFonkJtK6lWwZjNkCAwEA +ATANBgkqhkiG9w0BAQsFAAOCAgEAAMgymqZE1YaHYlRGwvTE7gGDY3gmFOMaxQL4 +E5m0CnkBz4BdIPRsQFFdOv3l/MIWkw5ED3vUB925VpQZYFSiEuv5NbnlPaHZlIMI +n8AV/sTP5jue3LhtAN4EM63xNBhudAT6wVsvGwOuQOx9Xv+ptO8Po7sTuNYP0CMH +EOQN+/q8tYlSm2VW+dAlaJ+zVZwZldhVjL+lSH4E9ktWn3PmgNQeKfcnJISUbus6 +ZtsYDF/X96/Z2ZQvMXOKksgvU6XlvIxllcyebC9Bxe/h0D63GCO2tqN5CWQzIIqn +apUynPX8BlLaaExqYGERwlUi/yOGaUVPUjEPVehviOQYgAqxlrkJk1dWeCrwUori +CXpi+IUYkidfgiJ9F88M3ElpwqIaXp7G3/4oHBuE2u6M+L+1/vqPJeTCAWUxxpJE +yYmM+db6D4TySFpQPENNzPS8bpR6T8w2hRumkldC42HrnyJJbpjOieTXhXzjdPvZ +IEP9JGtkhB2du6nBF2MNAq2TqRXpcfQrQEbnQ13aV9bl+roTwwO+SOWK/wgvdOMI +STQ0Xk0sTGlmQjPYPkibVceaWMR3sX4cNt5c33YhJys5jxHoAh42km4nN9tfykR5 +crl5lBlKjXh2GP0+omSO3x1jX4+iQPCW2TWoyKkUdLu/hGHG2w8RrTeme+kATECH +YSu356M= +-----END CERTIFICATE---- \ No newline at end of file diff --git a/resources/codesigning/root.crt b/resources/codesigning/root.crt index 201164feb0c..cbd82898bab 100644 --- a/resources/codesigning/root.crt +++ b/resources/codesigning/root.crt @@ -1,36 +1,66 @@ -----BEGIN CERTIFICATE----- -MIIGVDCCBDygAwIBAgIJAJGMJhEr5q3dMA0GCSqGSIb3DQEBCwUAMHkxFjAUBgNV -BAoTDW93bkNsb3VkIEluYy4xEjAQBgNVBAcTCUxleGluZ3RvbjEPMA0GA1UECBMG -Qm9zdG9uMQswCQYDVQQGEwJVUzEtMCsGA1UEAxMkb3duQ2xvdWQgQ29kZSBTaWdu -aW5nIFJvb3QgQXV0aG9yaXR5MB4XDTE2MDIwMzE3MDYyOVoXDTI2MDEzMTE3MDYy -OVoweTEWMBQGA1UEChMNb3duQ2xvdWQgSW5jLjESMBAGA1UEBxMJTGV4aW5ndG9u -MQ8wDQYDVQQIEwZCb3N0b24xCzAJBgNVBAYTAlVTMS0wKwYDVQQDEyRvd25DbG91 -ZCBDb2RlIFNpZ25pbmcgUm9vdCBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUA -A4ICDwAwggIKAoICAQDGAqfV+pZuKD9rKsny6PxQWYV35bJYo2xdYxFpd8oI/Fco -Ygjv5iZc9U4/iY0mN3wSDjYXJtMQnO96qthSI/bqsxrD9wutRKXYo/VEZALWL8vR -F+cRpgmCrq98tF7fNEhEX2PdVlmwEWV8c7wL+QAd+qXrVz+MyJyw6jlh5JzEEqAR -kNNRFm2d5+FPgWZeBNE0tbj7XxBTFTn/OMAOndhLo2dwhTXu6t2Caq15IZt6YoPM -Ibn/Y3c2E76vpfWCznB4uEsEx4C4Hkdmzu5BwjPjcnPoFGobHaURMnwrEOI1s0cn -V7kl2120I2Dr29NTL4vgnxRM2SQp3253NVmy9EbabszwfHy9bGH5G6IKQyTLyJHG -AIAN3QHfr86N3t/ELekNb8bbh+2OBzuytMbTPlauKny7isVfciGUfnJgU54mMbIc -1XBiYEgKjdkq/IEiYkjtOToS29AvCnDkH82piEeW0TMmcNN7/Vq79S1YR4ceZ4PQ -d0Qm0y59nXPVZMso5em39TJH1PRwe93RPDN8NM434sfbdjqMqDi+3E+urG01AzwT -BZj8lUvD/FvDB1no2p4/JKeHmlR/AQmfWFA0c6dv5DlzeIldwar4paDER9McGXvy -GSTDVEhdEJrbK8pQh2pIkHZ6WkuMyTXDMTvyRtuPwlk68MVmYic/AHUSLrGT0wID -AQABo4HeMIHbMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFM2KMEEv31J4fR3ufEH6 -yiLvmRPmMIGrBgNVHSMEgaMwgaCAFM2KMEEv31J4fR3ufEH6yiLvmRPmoX2kezB5 -MRYwFAYDVQQKEw1vd25DbG91ZCBJbmMuMRIwEAYDVQQHEwlMZXhpbmd0b24xDzAN -BgNVBAgTBkJvc3RvbjELMAkGA1UEBhMCVVMxLTArBgNVBAMTJG93bkNsb3VkIENv -ZGUgU2lnbmluZyBSb290IEF1dGhvcml0eYIJAJGMJhEr5q3dMA0GCSqGSIb3DQEB -CwUAA4ICAQBDLisFDvjYv8nbAAfqU9A8q9nTtA5XAmRPBE4zoawesFnyYRPD5xf8 -+/L9p3z7c5V4ui3yERd6PeNpMKW3NsY0TL6k3rYONQRwkNWE5eLcTelhVbqUBWoQ -vTPJqQzP6HvOuErHv2yDBhO8graQiw8S3OOhQycrcPtSzGnenhvcYSJgJscx1EcE -DAbTxfrTIyPgX4ouyoQPpPufUFYqYL/rNf9Ca03Gekyn9WFe9WGR7PzaKjn0dOQq -wA9cPNitvwG//0emWZeH9naE4NPerzhwITyMDJUmQgZ/hW+lTTaZfISPQmMi24za -00PbfeMYRNrkw21VkwkqLHqj9l7ud3hmyoTjKHdO8zOfeVyv3OfJmRLubv+x+wDE -JSJNSyvgtMIlQ4WsM3mXUesN//3NsSGt/QUy9ARD7Nf8u1igchdxJLavXCJmnwYa -jxxnGk16q1R5OJqDN9IbSbxRiS/WWKTJkhMBVQtsHMD2MK4Gtbw/J2n/4M/zioiS -iZW1Eg1kI163oD/obEa5KzxJz+RXBGZef07q37Um8RTQ2kjI65sr/9oZ9tHdF9Zb -vPGFcj/viac6O8Z9fDovTCfMHiGKwgDhrsQFkQz1/BEl2P1FIzNQeDBfyI7bI82x -GIt/Th0uI+YIkhA0kLlq4cCoBjl0fL6hCy5DADdAMWFOwmUzG8EJWA== +MIIFtDCCA5ygAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwZTELMAkGA1UEBhMCVVMx +DzANBgNVBAgMBkJvc3RvbjEWMBQGA1UECgwNb3duQ2xvdWQgSW5jLjEtMCsGA1UE +Awwkb3duQ2xvdWQgQ29kZSBTaWduaW5nIFJvb3QgQXV0aG9yaXR5MB4XDTE2MDIw +MzE3NDMyNVoXDTI2MDEzMTE3NDMyNVowbTELMAkGA1UEBhMCVVMxDzANBgNVBAgM +BkJvc3RvbjEWMBQGA1UECgwNb3duQ2xvdWQgSW5jLjE1MDMGA1UEAwwsb3duQ2xv +dWQgQ29kZSBTaWduaW5nIEludGVybWVkaWF0ZSBBdXRob3JpdHkwggIiMA0GCSqG +SIb3DQEBAQUAA4ICDwAwggIKAoICAQDKMul4pWev6vtgzB73CLQPMy8nDZGbvqII +IgukQluMeLCW0P09I+J/mCiDd99mQTtWO+/LcpOChHYJ59qQz+g9TzKlVSuFDg47 +pc+jUvTLGGEDf9cAWtzsXYXlb9z7sTln/8JAvy8ghmaR/4JWU4hM/nmgDCpeXLLJ +NFrxKDbzPLYj53iHN+XyE9GT6sDYoQd1BIWhTsMdvMqg870Jw2yN4hKw3V7/KoI/ +Z5CAA9dP4tAmltBpMz79dmLCciqXOD8mWEWl2tSZU+/WVyPxiE19IHoJETOhSg4c +eud4DDdFt9Ohm4owvpxxRDbvV+Ic6sWb1gJBrM7/XJDmaUObpowjx8Daof1MuoHs +FKh6/Y7RBdVlrp/ig3htxfm9BBMqnXIxgFWDiSbjCMk0Ygvx49gKMnVoRhZ/7pla +j5nTRdbhsjS50E9zfc53EltM27YSwNZu62QKsU4yumg8UOhOYPRLHcySvNyyMZXS +o+Kst27oGSgurHytFS7FVG1M3UUn67zkMpnnMYhfx8dz7+tupY9e0l0kDciwvNAO +YrnvHoEiIbJmoyYOhL2j9WErUhAb3JKTSdYC0MmjaZZPv0HwCemx+rnApcoszmFG +woZTRAa6Q64WGxlmFq0vsgmcTNsTzlYY20Kv+ZpZOiVYonyHFkorKWdsXKZQcnYq +dcMqYxQE6wIDAQABo2YwZDAdBgNVHQ4EFgQUfZoNPRneQ1pk9SZT9A2lpG4Hw7Mw +HwYDVR0jBBgwFoAUcZdiBiGr+Y+OH2DrlNwK03zWH+YwEgYDVR0TAQH/BAgwBgEB +/wIBADAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBAA2hoAEdbdM9 ++ZA/q7UppF4BiKrSQNAQHLDwodutRY+gBYQsWpo8wLqdLvRVhlwDn3KmJEMfaDQm +5YM+/snBkew9olCIyYw+t7xYtNhoW1et/nNNDL+Qq7uyH6g+uOMp4m3c+BMv4x5H +EP3z7PY1qrPOVvzZu8o2iL8qpC0sXTKZy+xG/9VTYGnxCcG+V/Ua5aHOyetUttoN +bxEcEQHHe07V+JlCPuI53hPsiGgzHv+nz/1sJV95mn9w88SHY0JO9bHp9w+mq92K +r0Nv6Wctf7vNVmIOdRFHWOFie4+D3TpBSnB5PPQRbtf6IVEhjmcnWYBWcRGhH6cR +4dqpuqzwVFopIFLYMeaeKGu8wZHi2YRrkFcrnqqmFI9RtBbt3eyfUQcKH7b9P4Ri +qamb/h9sVjDM4wSQ6n+Qa2dgV28O0il35roa3qwvqySgn1wXS5CsAaeB1VWAS6/S +v1WFt93n9LrraV4EUuu1BGXp525aVn6v+B71zN4JzYnHVE4yAb0EdOpKrlfmCCm/ +9Z90+BF2uK3QnpkyrH+LEOQoHrlAt80RZYd2Tl/K1WWNrPUlnCGXdxjVYakVRnfy +Ud0KV4RsD93mNw/t2gU5U+SyYWU2fTJUE9qdJ4Ndw7B2DZ/5dcsu0rDV4sXkUoDY ++Dr25NoOcuqjCWRw2T3SBPSXBxjlhRTQ +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIFsDCCA5igAwIBAgIJALFuk51OGp2KMA0GCSqGSIb3DQEBCwUAMGUxCzAJBgNV +BAYTAlVTMQ8wDQYDVQQIDAZCb3N0b24xFjAUBgNVBAoMDW93bkNsb3VkIEluYy4x +LTArBgNVBAMMJG93bkNsb3VkIENvZGUgU2lnbmluZyBSb290IEF1dGhvcml0eTAe +Fw0xNjAyMDMxNzM5NThaFw0yNjAxMzExNzM5NThaMGUxCzAJBgNVBAYTAlVTMQ8w +DQYDVQQIDAZCb3N0b24xFjAUBgNVBAoMDW93bkNsb3VkIEluYy4xLTArBgNVBAMM +JG93bkNsb3VkIENvZGUgU2lnbmluZyBSb290IEF1dGhvcml0eTCCAiIwDQYJKoZI +hvcNAQEBBQADggIPADCCAgoCggIBAJmTnGtGaB0cDtQPxWr2r5FyXFzJ6GIkm4Lb +7iY/DYpIEarbRFwqDCDZ00V+PWsTBBF6qXW5W7eZ+fOOdIEGoNaDuGtIlGVjj3Dz +TZtmcFg0euimfLNYVvYZlPPh4kS3zDRZs30AgAdgq4RHWC4qjElWcVKTwERNQ2ln +gRFRQEv+i2DI7sEK9ZpK7B1SfJ1o1fm/kPL7bVfiYda+QKp0vOxBecDnGV+rfz4t +DT6mBOgwAiZnwojuiigfUJxSisv3roWri+0O+0TiXglV+oUtkIRrs0etkQGWAlgn +H4CC+sZ5N2TiGPH1hksLkXP4mymlio8/x7ax0WfcxeTZu3ok9eK5fwIQVWam6dd9 +klCqZVttKodZYspvdFfwqMlf4lPEIY+r2PIdGjUhKu4FsDhORaGj8WMYRJUR44ls +/r2ktCB/TOsh8DW2Pi9HAgxI4mrdmvL0WMSOBFZRcSC/nTz977oi1iiB2T+s7V0Z +Y0AHMQYiIn83MFB7rb+mVlEoLID/evVSTfUaUaO8DqcfeQN/OFM/zcJY9YHv8AlJ +3b8CPdeX9edMnyZWNdrhOSawjAbOBIna3o66RXdeC3oWg7FuckJmy7JLtRCJ2Owu +losRAxe0z5mQmjFzMczxCYJQ4A+4U5UZwbd/MQJg508StcOumroYqruDic/Wbc3C +v6DupG8dAgMBAAGjYzBhMB0GA1UdDgQWBBRxl2IGIav5j44fYOuU3ArTfNYf5jAf +BgNVHSMEGDAWgBRxl2IGIav5j44fYOuU3ArTfNYf5jAPBgNVHRMBAf8EBTADAQH/ +MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAR6IZBOBw3KzRxvUP ++46RZYayMrdLyAgMzbDvQe7WCaeuA2UoPVL8jN7X2Lvw12Mz84+EKs1voR0OBxlY +6muuyl0SETa2k4UtklVscMvcokG+m5aVNJ7/HHGFmKsTyJDMxSzDA/r3KRPXZOwV +CLUVTkr5fQbIaVljA89U2p3pN/X7gNq89xi/XiszNCEIvvSscRmBGlRmx4XbjXHK +XKO74+HiM/ahqUI792ae97jlsy9jG4OIelse3+e1KBWNsGtU90asnUHgyMXVL8gp +ocznGvWceAhkcogUCUCXq1Rh/mKcGQdi2z0g/X+MGzfA9Ij4NQZLnNPh2UjgxCtG +KWPUzs0t/xoCtJh1WpwqTrOUcYqFAaBa282sD/O8tX4t076aGKdbhfo6tvaOFwDU +iRPgdMol++BFnfCld53Yivg2+S6+xo1wzuPkNjVFXHjx9vMyiov/HHKqJoBsuCwU +7VegzM/6Cvh32lSZfUHsfynCab/7vv923KyaANWxb0QsHZSSt+mmOK3ZmC96vCEa +55IGNckOvOGW9yCIz3Q0kEj2hoJs1bw0SkwGWs7N1TkugQjM/S7/Im1LJUxdtqQK +Zjn+8U6U3TR1aKLYEdqHCGcVoRXKDG/S40FHxyeV/9buTI7SSvhzZfj+qasmJe1L +Kd08UdS/im8RwbVSS1mih5hbAHg= -----END CERTIFICATE----- \ No newline at end of file From 5f300ac275036ce0333be50b8a2b5a27e6746f04 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Wed, 3 Feb 2016 19:56:38 +0100 Subject: [PATCH 2/4] Allow specifing the signing path --- core/command/integrity/signcore.php | 10 ++++++---- lib/private/integritycheck/checker.php | 20 +++++++++++++------ .../excludefoldersbypathfilteriterator.php | 9 +++++---- tests/lib/command/integrity/SignCoreTest.php | 19 ++++++++++++++++-- tests/lib/integritycheck/checkertest.php | 12 ++++------- 5 files changed, 46 insertions(+), 24 deletions(-) diff --git a/core/command/integrity/signcore.php b/core/command/integrity/signcore.php index 531a4d33aa3..e5c2de73e00 100644 --- a/core/command/integrity/signcore.php +++ b/core/command/integrity/signcore.php @@ -59,7 +59,8 @@ class SignCore extends Command { ->setName('integrity:sign-core') ->setDescription('Sign core using a private key.') ->addOption('privateKey', null, InputOption::VALUE_REQUIRED, 'Path to private key to use for signing') - ->addOption('certificate', null, InputOption::VALUE_REQUIRED, 'Path to certificate to use for signing'); + ->addOption('certificate', null, InputOption::VALUE_REQUIRED, 'Path to certificate to use for signing') + ->addOption('path', null, InputOption::VALUE_REQUIRED, 'Path of core to sign'); } /** @@ -68,8 +69,9 @@ class SignCore extends Command { protected function execute(InputInterface $input, OutputInterface $output) { $privateKeyPath = $input->getOption('privateKey'); $keyBundlePath = $input->getOption('certificate'); - if(is_null($privateKeyPath) || is_null($keyBundlePath)) { - $output->writeln('--privateKey and --certificate are required.'); + $path = $input->getOption('path'); + if(is_null($privateKeyPath) || is_null($keyBundlePath) || is_null($path)) { + $output->writeln('--privateKey, --certificate and --path are required.'); return null; } @@ -91,7 +93,7 @@ class SignCore extends Command { $x509 = new X509(); $x509->loadX509($keyBundle); $x509->setPrivateKey($rsa); - $this->checker->writeCoreSignature($x509, $rsa); + $this->checker->writeCoreSignature($x509, $rsa, $path); $output->writeln('Successfully signed "core"'); } diff --git a/lib/private/integritycheck/checker.php b/lib/private/integritycheck/checker.php index c256fe66d32..352b18f672e 100644 --- a/lib/private/integritycheck/checker.php +++ b/lib/private/integritycheck/checker.php @@ -113,16 +113,22 @@ class Checker { * Enumerates all files belonging to the folder. Sensible defaults are excluded. * * @param string $folderToIterate + * @param string $root * @return \RecursiveIteratorIterator * @throws \Exception */ - private function getFolderIterator($folderToIterate) { + private function getFolderIterator($folderToIterate, $root = '') { $dirItr = new \RecursiveDirectoryIterator( $folderToIterate, \RecursiveDirectoryIterator::SKIP_DOTS ); + if($root === '') { + $root = \OC::$SERVERROOT; + } + $root = rtrim($root, '/'); + $excludeGenericFilesIterator = new ExcludeFileByNameFilterIterator($dirItr); - $excludeFoldersIterator = new ExcludeFoldersByPathFilterIterator($excludeGenericFilesIterator); + $excludeFoldersIterator = new ExcludeFoldersByPathFilterIterator($excludeGenericFilesIterator, $root); return new \RecursiveIteratorIterator( $excludeFoldersIterator, @@ -234,14 +240,16 @@ class Checker { * * @param X509 $certificate * @param RSA $rsa + * @param string $path */ public function writeCoreSignature(X509 $certificate, - RSA $rsa) { - $iterator = $this->getFolderIterator($this->environmentHelper->getServerRoot()); - $hashes = $this->generateHashes($iterator, $this->environmentHelper->getServerRoot()); + RSA $rsa, + $path) { + $iterator = $this->getFolderIterator($path, $path); + $hashes = $this->generateHashes($iterator, $path); $signatureData = $this->createSignatureData($hashes, $certificate, $rsa); $this->fileAccessHelper->file_put_contents( - $this->environmentHelper->getServerRoot() . '/core/signature.json', + $path . '/core/signature.json', json_encode($signatureData, JSON_PRETTY_PRINT) ); } diff --git a/lib/private/integritycheck/iterator/excludefoldersbypathfilteriterator.php b/lib/private/integritycheck/iterator/excludefoldersbypathfilteriterator.php index c3994197fc6..67bcd423b68 100644 --- a/lib/private/integritycheck/iterator/excludefoldersbypathfilteriterator.php +++ b/lib/private/integritycheck/iterator/excludefoldersbypathfilteriterator.php @@ -24,7 +24,7 @@ namespace OC\IntegrityCheck\Iterator; class ExcludeFoldersByPathFilterIterator extends \RecursiveFilterIterator { private $excludedFolders = []; - public function __construct(\RecursiveIterator $iterator) { + public function __construct(\RecursiveIterator $iterator, $root = '') { parent::__construct($iterator); $appFolders = \OC::$APPSROOTS; @@ -33,9 +33,10 @@ class ExcludeFoldersByPathFilterIterator extends \RecursiveFilterIterator { } $this->excludedFolders = array_merge([ - rtrim(\OC::$server->getConfig()->getSystemValue('datadirectory', \OC::$SERVERROOT . '/data'), '/'), - rtrim(\OC::$SERVERROOT.'/themes', '/'), - rtrim(\OC::$SERVERROOT.'/config', '/'), + rtrim($root . '/data', '/'), + rtrim($root .'/themes', '/'), + rtrim($root.'/config', '/'), + rtrim($root.'/apps', '/'), ], $appFolders); } diff --git a/tests/lib/command/integrity/SignCoreTest.php b/tests/lib/command/integrity/SignCoreTest.php index 885c6fc664e..ff1f6b23a95 100644 --- a/tests/lib/command/integrity/SignCoreTest.php +++ b/tests/lib/command/integrity/SignCoreTest.php @@ -63,7 +63,7 @@ class SignCoreTest extends TestCase { $outputInterface ->expects($this->at(0)) ->method('writeln') - ->with('--privateKey and --certificate are required.'); + ->with('--privateKey, --certificate and --path are required.'); $this->invokePrivate($this->signCore, 'execute', [$inputInterface, $outputInterface]); } @@ -86,7 +86,7 @@ class SignCoreTest extends TestCase { $outputInterface ->expects($this->at(0)) ->method('writeln') - ->with('--privateKey and --certificate are required.'); + ->with('--privateKey, --certificate and --path are required.'); $this->invokePrivate($this->signCore, 'execute', [$inputInterface, $outputInterface]); } @@ -105,6 +105,11 @@ class SignCoreTest extends TestCase { ->method('getOption') ->with('certificate') ->will($this->returnValue('certificate')); + $inputInterface + ->expects($this->at(2)) + ->method('getOption') + ->with('path') + ->will($this->returnValue('certificate')); $this->fileAccessHelper ->expects($this->at(0)) @@ -134,6 +139,11 @@ class SignCoreTest extends TestCase { ->method('getOption') ->with('certificate') ->will($this->returnValue('certificate')); + $inputInterface + ->expects($this->at(2)) + ->method('getOption') + ->with('path') + ->will($this->returnValue('certificate')); $this->fileAccessHelper ->expects($this->at(0)) @@ -168,6 +178,11 @@ class SignCoreTest extends TestCase { ->method('getOption') ->with('certificate') ->will($this->returnValue('certificate')); + $inputInterface + ->expects($this->at(2)) + ->method('getOption') + ->with('path') + ->will($this->returnValue('certificate')); $this->fileAccessHelper ->expects($this->at(0)) diff --git a/tests/lib/integritycheck/checkertest.php b/tests/lib/integritycheck/checkertest.php index dec3ea84a64..fac60b0c123 100644 --- a/tests/lib/integritycheck/checkertest.php +++ b/tests/lib/integritycheck/checkertest.php @@ -465,7 +465,7 @@ class CheckerTest extends TestCase { $rsa->loadKey($rsaPrivateKey); $x509 = new X509(); $x509->loadX509($keyBundle); - $this->checker->writeCoreSignature($x509, $rsa); + $this->checker->writeCoreSignature($x509, $rsa, \OC::$SERVERROOT . '/tests/data/integritycheck/app/'); } public function testWriteCoreSignatureWithUnmodifiedHtaccess() { @@ -495,7 +495,7 @@ class CheckerTest extends TestCase { $rsa->loadKey($rsaPrivateKey); $x509 = new X509(); $x509->loadX509($keyBundle); - $this->checker->writeCoreSignature($x509, $rsa); + $this->checker->writeCoreSignature($x509, $rsa, \OC::$SERVERROOT . '/tests/data/integritycheck/htaccessUnmodified/'); } public function testWriteCoreSignatureWithInvalidModifiedHtaccess() { @@ -506,10 +506,6 @@ class CheckerTest extends TestCase { "signature": "qpDddYGgAKNR3TszOgjPXRphUl2P9Ym5OQaetltocgZASGDkOun5D64+1D0QJRKb4SG2+48muxGOHyL2Ngos4NUrrSR+SIkywZacay82YQBCEdr7\/4MjW1WHRPjvboLwEJwViw0EdAjsWRpD68aPnzUGrGsy2BsCo06P5iwjk9cXcHxdjC9R39npvoC3QNvQ2jmNIbh1Lc4U97dbb+CsXEQCLU1OSa9p3q6cEFV98Easwt7uF\/DzHK+CbeZlxVZ0DwLh2\/ylT1PyGou8QC1b3vKAnPjLWMO+UsCPpCKhk3C5pV+5etQ8puGd+0x2t5tEU+qXxLzek91zWNC+rqgC\/WlqLKbwPb\/BCHs4zLGV55Q2fEQmT21x0KCUELdPs4dBnYP4Ox5tEDugtJujWFzOHzoY6gGa\/BY\/78pSZXmq9o8dWkBEtioWWvaNZ1rM0ddE83GBlBTgjigi9Ay1D++bUW\/FCBB7CMk6qyNlV81H+cBuIEODw2aymmkM9LLDD2Qbmvo8gHEPRjiQxPC5OpDlcdSNiL+zcxVxeuX4FpT+9xzz\/\/DRONhufxRpsbuCOMxd96RW7y9U2N2Uxb3Bzn\/BIqEayUUsdgZjfaGcXXYKR+chu\/LOwNYN6RlnLsgqL\/dhGKwlRVKXw1RA2\/af\/CpqyR7uVP6al1YJo\/YJ+5XJ6zE=", "certificate": "-----BEGIN CERTIFICATE-----\r\nMIIEvjCCAqagAwIBAgIUc\/0FxYrsgSs9rDxp03EJmbjN0NwwDQYJKoZIhvcNAQEF\r\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTEw\r\nMzIxMDMzM1oXDTE2MTEwMzIxMDMzM1owDzENMAsGA1UEAwwEY29yZTCCAiIwDQYJ\r\nKoZIhvcNAQEBBQADggIPADCCAgoCggIBALb6EgHpkAqZbO5vRO8XSh7G7XGWHw5s\r\niOf4RwPXR6SE9bWZEm\/b72SfWk\/\/J6AbrD8WiOzBuT\/ODy6k5T1arEdHO+Pux0W1\r\nMxYJJI4kH74KKgMpC0SB0Rt+8WrMqV1r3hhJ46df6Xr\/xolP3oD+eLbShPcblhdS\r\nVtkZEkoev8Sh6L2wDCeHDyPxzvj1w2dTdGVO9Kztn0xIlyfEBakqvBWtcxyi3Ln0\r\nklnxlMx3tPDUE4kqvpia9qNiB1AN2PV93eNr5\/2riAzIssMFSCarWCx0AKYb54+d\r\nxLpcYFyqPJ0ydBCkF78DD45RCZet6PNYkdzgbqlUWEGGomkuDoJbBg4wzgzO0D77\r\nH87KFhYW8tKFFvF1V3AHl\/sFQ9tDHaxM9Y0pZ2jPp\/ccdiqnmdkBxBDqsiRvHvVB\r\nCn6qpb4vWGFC7vHOBfYspmEL1zLlKXZv3ezMZEZw7O9ZvUP3VO\/wAtd2vUW8UFiq\r\ns2v1QnNLN6jNh51obcwmrBvWhJy9vQIdtIjQbDxqWTHh1zUSrw9wrlklCBZ\/zrM0\r\ni8nfCFwTxWRxp3H9KoECzO\/zS5R5KIS7s3\/wq\/w9T2Ie4rcecgXwDizwnn0C\/aKc\r\nbDIjujpL1s9HO05pcD\/V3wKcPZ1izymBkmMyIbL52iRVN5FTVHeZdXPpFuq+CTQJ\r\nQ238lC+A\/KOVAgMBAAEwDQYJKoZIhvcNAQEFBQADggIBAGoKTnh8RfJV4sQItVC2\r\nAvfJagkrIqZ3iiQTUBQGTKBsTnAqE1H7QgUSV9vSd+8rgvHkyZsRjmtyR1e3A6Ji\r\noNCXUbExC\/0iCPUqdHZIVb+Lc\/vWuv4ByFMybGPydgtLoEUX2ZrKFWmcgZFDUSRd\r\n9Uj26vtUhCC4bU4jgu6hIrR9IuxOBLQUxGTRZyAcXvj7obqRAEZwFAKQgFpfpqTb\r\nH+kjcbZSaAlLVSF7vBc1syyI8RGYbqpwvtREqJtl5IEIwe6huEqJ3zPnlP2th\/55\r\ncf3Fovj6JJgbb9XFxrdnsOsDOu\/tpnaRWlvv5ib4+SzG5wWFT5UUEo4Wg2STQiiX\r\nuVSRQxK1LE1yg84bs3NZk9FSQh4B8vZVuRr5FaJsZZkwlFlhRO\/\/+TJtXRbyNgsf\r\noMRZGi8DLGU2SGEAHcRH\/QZHq\/XDUWVzdxrSBYcy7GSpT7UDVzGv1rEJUrn5veP1\r\n0KmauAqtiIaYRm4f6YBsn0INcZxzIPZ0p8qFtVZBPeHhvQtvOt0iXI\/XUxEWOa2F\r\nK2EqhErgMK\/N07U1JJJay5tYZRtvkGq46oP\/5kQG8hYST0MDK6VihJoPpvCmAm4E\r\npEYKQ96x6A4EH9Y9mZlYozH\/eqmxPbTK8n89\/p7Ydun4rI+B2iiLnY8REWWy6+UQ\r\nV204fGUkJqW5CrKy3P3XvY9X\r\n-----END CERTIFICATE-----" }'; - $this->environmentHelper - ->expects($this->any()) - ->method('getServerRoot') - ->will($this->returnValue(\OC::$SERVERROOT . '/tests/data/integritycheck/htaccessWithInvalidModifiedContent/')); $this->fileAccessHelper ->expects($this->once()) ->method('file_put_contents') @@ -524,7 +520,7 @@ class CheckerTest extends TestCase { $rsa->loadKey($rsaPrivateKey); $x509 = new X509(); $x509->loadX509($keyBundle); - $this->checker->writeCoreSignature($x509, $rsa); + $this->checker->writeCoreSignature($x509, $rsa, \OC::$SERVERROOT . '/tests/data/integritycheck/htaccessWithInvalidModifiedContent/'); } public function testWriteCoreSignatureWithValidModifiedHtaccess() { @@ -554,7 +550,7 @@ class CheckerTest extends TestCase { $rsa->loadKey($rsaPrivateKey); $x509 = new X509(); $x509->loadX509($keyBundle); - $this->checker->writeCoreSignature($x509, $rsa); + $this->checker->writeCoreSignature($x509, $rsa, \OC::$SERVERROOT . '/tests/data/integritycheck/htaccessWithValidModifiedContent'); } public function testVerifyCoreSignatureWithoutSignatureData() { From eee6d1f41b654b7aa27b91c6edc9c59436940208 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Wed, 3 Feb 2016 19:57:39 +0100 Subject: [PATCH 3/4] Also check daily and testing channel --- lib/private/integritycheck/checker.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/private/integritycheck/checker.php b/lib/private/integritycheck/checker.php index 352b18f672e..e6f9f9a1457 100644 --- a/lib/private/integritycheck/checker.php +++ b/lib/private/integritycheck/checker.php @@ -90,6 +90,8 @@ class Checker { // FIXME: Once the signing server is instructed to sign daily, beta and // RCs as well these need to be included also. $signedChannels = [ + 'daily', + 'testing', 'stable', ]; if(!in_array($this->environmentHelper->getChannel(), $signedChannels, true)) { From 4db563850535bf3c4b212bd1804bf1ab4cd01b64 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Wed, 3 Feb 2016 21:38:13 +0100 Subject: [PATCH 4/4] Add proper line ending --- resources/codesigning/core.crt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/resources/codesigning/core.crt b/resources/codesigning/core.crt index 556161f93ea..62f87c9d30c 100644 --- a/resources/codesigning/core.crt +++ b/resources/codesigning/core.crt @@ -21,4 +21,4 @@ IEP9JGtkhB2du6nBF2MNAq2TqRXpcfQrQEbnQ13aV9bl+roTwwO+SOWK/wgvdOMI STQ0Xk0sTGlmQjPYPkibVceaWMR3sX4cNt5c33YhJys5jxHoAh42km4nN9tfykR5 crl5lBlKjXh2GP0+omSO3x1jX4+iQPCW2TWoyKkUdLu/hGHG2w8RrTeme+kATECH YSu356M= ------END CERTIFICATE---- \ No newline at end of file +-----END CERTIFICATE-----