Univention Bugzilla – Bug 39671
Invalid signature files are removed but the App is still valid
Last modified: 2019-01-03 07:18:37 CET
As described in Bug #39194, if a script was modified, only the script is removed. The Admin should not be able to install those Apps. +++ This bug was initially created as a clone of Bug #39194 +++ (In reply to Stefan Gohmann from comment #5) > I've added a first test script: 80_docker/59_app_center_signature > > It tests various modification: > - no pgp file available > - the index.json was modified > - the ini file was modified > > These tests were successful. I've also modified an inst script. While > modifying the ini file, the App was no longer available because the hash was > not valid. I think that's right. > The App was still available after the inst file was modified: > Checksum for owncloud8-docker_20150917.inst should be > u'68512ce46f443653d18f6d14b9b67325' but was > '91ca715e08842f6a44840c77729c8df1'! Rather removing this file... > > I think the App should also be no longer available in this scenario.
Depending on the script, this could indeed be very bad.
This issue has been filled against UCS 4.1. The maintenance with bug and security fixes for UCS 4.1 has ended on 5st of April 2018. Customers still on UCS 4.1 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions. If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.