Univention Bugzilla – Bug 39591
Verify digital signatures of appcenter files
Last modified: 2016-09-21 18:10:17 CEST
When downloading files from the app center, the file hashes need to be verified against the signed index.json (Bug #39590). +++ This bug was initially created as a clone of Bug #39194 +++ The Docker images and all used scripts are cryptographically signed, for example the pre-installation script. The signature is verified during the installation. If the signature is invalid, an error message is shown and the installation is aborted.
We will also include the SHA256 hash of the image manifest in the signed index.json. To verify that we will need to implement an equivalent of this command in appcenter-docker: curl -X GET https://ucs:readonly@docker.software-univention.de/v2/ucs-appbox-amd64/manifests/4.1-0 | sha256sum
* For apps referencing a DockerImage the index.json now contains the sha256 hash of the DockerImage Manifest in the key "DockerImageManifestV2S1". It also lists the URL where this Manifest can be downloaded * The index.jason.gz is now signed * univention-appcenter checks the signature unless appcenter/index/verify=false * The index.json.gz + .gpg are now cached locally. Maybe this comes handy at some later point in the future, where one could just fetch the .gpg and if the signature ist still fine, then the index.json.gz doesn't need to be downloaded again. * When downloading the Docker Image, the Manifest hash is compared against the hash documented in the signed index.json. * Until now I didn't find out, where Docker Registry v2 (aka "Distribution") holds it's private crypto key, which it uses to put a JWS / JOSE signatures into the Docker Image Manifest. Restarting the registry doesn't change the Manifest, so I currently assume that the Manifest hashes will remain constant. Changelog adjusted. Note: Currently the notification traceback is a bit ugly, in case the signature verification fails for the index.json. I asked an expert for advice, so this may still improve.
OK, it works. Some tests are checked in 80_docker/59_app_center_signature.
UCS 4.1 has been released: https://docs.software-univention.de/release-notes-4.1-0-en.html https://docs.software-univention.de/release-notes-4.1-0-de.html If this error occurs again, please use "Clone This Bug".