ownCloud provides a safe home for all your data. To improve the security and safety of the server, ownCloud 9.0 introduces Code Signing and Verification. This ensures that all the files of an ownCloud installation are in place unmodified since their release by the ownCloud project.
Together with Softpedia we have already published information about this last week and in this blog post we will go a little deeper into this feature.
What is Code Signing?
Code signing is widely used in the industry to ensure the integrity of a body of software. Signing is performed by generating a cryptographically signed checksum over the content of the files. This checksum is verified before executing the code, or before or after certain operations such as upgrading or installation. When changes are detected, ownCloud warns the administrator that the installation is not running as expected, which might be due to a problem with the installation or upgrade, or to data loss.
Note that Code Signing does not preclude making changes to your ownCloud installation; it merely warns the administrator that changes were made, so she can investigate.
There are two major reasons why Code Signing was introduced to ownCloud:
1. To make upgrades more reliable
2. To improve security
More reliable upgrading
Some of the problems users may encounter during or after an ownCloud upgrade are caused by new versions being uploaded incorrectly, lingering old files, or other issues with the integrity of the installation. Such cases are very hard to debug for us and are usually very frustrating for administrators as well as for the ownCloud developers who try to help them.
As part of our ongoing work to make the process of updating ownCloud instances smoother and more reliable, we have decided to introduce functionality to ensure no broken or left-over files interfere with the upgrade process.
With Code Signing we can detect whether the ownCloud installation is complete and that no files are missing, damaged or left from earlier installations. If a problem is found and reported, the administrator can deal with it rather than having to resort to a painful and laborious debugging process trying to find out what is wrong.
More secure app delivery
A major way in which ownCloud is ‘modified’ by administrators is by installing ownCloud apps. While ownCloud contains security measures against misbehaving apps, the nature of our technology stack precludes us from fully ‘sandboxing’ them. Cryptographically signing apps and verifying those signatures upon installation and execution enables ownCloud to warn administrators of potentially malicious changes made to apps by anyone other than their original author.
Once an application has been signed, all future updates are required to be signed as well. Furthermore, for all apps marked as “Official” Code Signing is enforced.
This makes it possible for you to ensure that nobody else except the app author (or ownCloud) has issued an update for an application. This measure makes even active MITM attacks with valid SSL certificates infeasible. Even in a worst case scenario with a hacked application store it is not possible to fake the signature, as we do not store sensitive key material on this machine and the keys are only accessible to a very small number of people.
How does Code Signing affect me?
While as a regular administrator you’d ideally never have to deal with Code Signing because everything is handled automatically by ownCloud, developers and some administrators will want to know what is in store for them.
Now, as an ownCloud App developer you can easily sign your application with the OCC tools as described in the manual.
Signing is optional for all apps not rated as official, but we recommend that you start signing your releases to give your users the benefit of improved security.
Note, however, that once your application is signed it is no longer possible to store configurations or other data inside the application folders. Use the IConfig functionality to store your configuration values in a standard and supported way.
Releases are signed at packaging time. Signing is disabled for Git checkouts so there is no action required for core developers.
End-users won’t notice any difference from Code Signing, as even in case of an invalid signature, ownCloud will still run.
If the signature check fails a notification is permanently added for admin users pointing to the failed check. The warning can mean a broken or compromised ownCloud installation so our suggestion is to deal with it swiftly! More information on what the warnings mean and how to deal with them can be found in our documentation.
Please note that it will no longer be possible to store your backups or other data inside the ownCloud folder, as that causes the Code Signing check to report errors. Make sure to store all backups and other data in a folder outside of the application code. The data and config folders are exempt from the signature check, so you can store your data there.
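To make the mechanism described above concrete (a signed checksum list over the release files, verified later to catch modified, missing and left-over files, with the data and config folders left out of the check), here is an added example in Go. It is illustrative code written for this post, not ownCloud's own implementation or its signature file format: the Manifest structure, the Ed25519 key, the SHA-512 hashes, the exempt folder list and the constructed in-memory file trees are all assumptions made for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha512"
	"encoding/json"
	"fmt"
	"io/fs"
	"strings"
	"testing/fstest"
)

// Manifest is a constructed, simplified signed file list: path -> SHA-512 hex,
// plus an Ed25519 signature over json.Marshal(Hashes) (Go sorts map keys, so
// signer and verifier serialise identical bytes). Not ownCloud's own format.
type Manifest struct {
	Hashes    map[string]string `json:"hashes"`
	Signature []byte            `json:"signature"`
}

// Report is the verification outcome; a clean tree has all three lists empty.
type Report struct {
	SignatureValid           bool
	Modified, Missing, Extra []string
}

// exemptDirs mirrors the post: the data and config folders are not checked.
var exemptDirs = map[string]bool{"data": true, "config": true}

// hashTree returns path -> SHA-512 hex for every file outside the exempt dirs.
func hashTree(fsys fs.FS) (map[string]string, error) {
	hashes := map[string]string{}
	err := fs.WalkDir(fsys, ".", func(p string, d fs.DirEntry, err error) error {
		// Directories and anything under data/ or config/ are walked, not hashed.
		if err != nil || d.IsDir() || exemptDirs[strings.SplitN(p, "/", 2)[0]] {
			return err
		}
		data, err := fs.ReadFile(fsys, p)
		if err == nil {
			hashes[p] = fmt.Sprintf("%x", sha512.Sum512(data))
		}
		return err
	})
	return hashes, err
}

// Sign hashes the tree and signs the hash list; usable only when err is nil.
func Sign(fsys fs.FS, priv ed25519.PrivateKey) (*Manifest, error) {
	hashes, err := hashTree(fsys)
	payload, _ := json.Marshal(hashes) // map[string]string always encodes
	return &Manifest{Hashes: hashes, Signature: ed25519.Sign(priv, payload)}, err
}

// Verify checks the signature first (an altered hash list proves nothing), then diffs files; r is valid only when err is nil.
func Verify(fsys fs.FS, m *Manifest, pub ed25519.PublicKey) (Report, error) {
	payload, _ := json.Marshal(m.Hashes)
	r := Report{SignatureValid: ed25519.Verify(pub, payload, m.Signature)}
	if !r.SignatureValid {
		return r, nil
	}
	current, err := hashTree(fsys)
	for p, want := range m.Hashes {
		if got, ok := current[p]; !ok {
			r.Missing = append(r.Missing, p)
		} else if got != want {
			r.Modified = append(r.Modified, p)
		}
	}
	for p := range current {
		if _, ok := m.Hashes[p]; !ok {
			r.Extra = append(r.Extra, p) // e.g. left over from an older release
		}
	}
	return r, err
}

// Demo signs a constructed release tree, then verifies a damaged copy: one file
// modified, one missing, one stale file left behind, and exempt folders changed.
func Demo() (Report, error) {
	f := func(s string) *fstest.MapFile { return &fstest.MapFile{Data: []byte(s)} }
	release := fstest.MapFS{
		"lib/app.php":       f("<?php // release 1.0"),
		"appinfo/info.xml":  f("<info/>"),
		"data/user.txt":     f("user data"),
		"config/config.php": f("<?php $CONFIG = [];"),
	}
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand.Reader
	m, err := Sign(release, priv)
	if err != nil {
		return Report{}, err
	}
	damaged := fstest.MapFS{ // appinfo/info.xml and config/ are gone
		"lib/app.php":   f("<?php // tampered"),                   // modified
		"lib/old.php":   f("<?php // left over from release 0.9"), // extra
		"data/user.txt": f("changed user data"),                   // exempt
	}
	return Verify(damaged, m, pub)
}

func main() { fmt.Println(Demo()) }
```

Running it reports lib/app.php as modified, appinfo/info.xml as missing and lib/old.php as a left-over file, while the changed data/user.txt and the removed config folder produce no finding. The order of the checks matters: the signature over the hash list is verified before any file is compared, because a hash list that anyone can rewrite would only tell you that the installation matches whatever the rewriter wanted it to match.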
With the introduction of Code Signing we expect to improve the reliability of ownCloud upgrades even in case of broken uploads or extraction issues while simultaneously fortifying the security and safety of ownCloud installations. No safer home for your data than ownCloud!