Hello, my name is Wolfgang and I've created an app.
Yesterday I got my app successfully certified and now I tried to publish it in the Nextcloud app store via the web interface, but there is the error
I also tried signature and certificate from my signature.json with no success.
I've also tried the REST API with the same error and found no solution.
I am thankful for any hint.
Did you actually replace APP_ID with your app's id here?
If that does not help, you can manually check the app id.
Please do not paste here the signature as requested by echo -n "APP_ID" | openssl dgst -sha512 -sign ~/.nextcloud/certificates/APP_ID.key | openssl base64 or typed into the form (this is confidential). However, can you paste the app id (like cookbook in my case) to simplify discussions?
My development environment is a Docker Nextcloud. Before I created the CSR, I copied my app folder to bak_logcleaner and deleted all unwanted and unneeded files in the original logcleaner. Then there was a strange behaviour. The command within the logcleaner folder
stored the CSR and key file within the bak_logcleaner folder. Maybe here is my mistake and the generated files are not for the logcleaner but for the bak_logcleaner with the wrong number of files.
The openssl req [...] -out foo command will create a file foo in the current working directory. The CSR you create with the command is for the app with the id logcleaner (from -subj /CN=logcleaner).
However, why do you regenerate a CSR? You published already one a week ago and got the corresponding certificate from the PKI OPs. Is the certificate to be revoked due to key disclosure?
I have a wild guess what happened. Did you create a CSR, filed this and then recreated a new CSR (with a new key file) using openssl req -new? If yes, do you by chance have a copy of the original key file?
If this guess was wrong, we can locally check the signature to see if it is created correctly. (Hint for myself: [1] [2])
FYI: There is a tutorial at readthedocs. Did you follow that one? Just for information. Please do not plainly execute new commands, especially regarding the certificates, as this might overwrite data.
Yes, but it was stored into bak_logcleaner. I don't know why.
My steps from above were before I sent the pull request. I followed these steps: How to get your app signed to generate the CSR and private key, and posted the CSR as a pull request.
The crt, csr and key I moved into a new folder /Users/example to run the command
setting the folder from above and changing contacts to logcleaner, and that generates the signature.json file within the appinfo folder.
Do you think it'll be best to delete all generated files, begin the procedure from step 0 and send a new pull request? Maybe this is the quickest way.
Well, I suspect you were in that folder (intentionally or not).
Well, this is about code signing. This is a file that the NC server on the users' instances will look at if something in the installation process was broken. This is not about the app store (except that the same keys are used for code signing and app store authentication).
OK, then these files are the important ones. No other certificate, CSR or key matters.
I would first create the logcleaner app in the app store. Then you have claimed the app name. Uploading can be done later. So, let's focus on this.
The certificate is the file /Users/example/<name of certificate>.crt (according to your claims). You upload its content in the first field of the app store. The token challenge (second field) is then
This can be done as long as the app is not published yet. Otherwise it is a hell of work (I had to do this once) as all releases get invalidated. So, best is to keep your stuff in a safe place! (Trust me on this.)
I took a look into the signature.json and compared "certificate", which has the same content as my crt file, but "signature" is different from my echo output.
Additionally, you could verify the signature you created. First, you have to extract the public key by means of the following (replace /tmp/nc.pub.pem by any path you like):
Either you somehow messed with the various files and are not able to see clearly anymore (at least I am typically, at some point of debugging, no longer able to do stuff correctly). Then, you might have combined the wrong CSR/key/CERT files. Can happen, but yeah, you said you double checked it.
Then, there could be some issue with the openssl library in some way. You could replace it easily when you have Docker available. Then any Ubuntu or whatever image should be able to install openssl. There is a good chance you get another version.
I tried to do the steps above with the cookbook keys and this worked as I expect it:
# Do I have the latest version of the certificate here?
$ diff -s <(openssl x509 -noout -modulus -in .nextcloud/certificates/cookbook/cookbook.crt ) <(openssl rsa -noout -modulus < .nextcloud/certificates/cookbook/cookbook.key )
Dateien /dev/fd/63 und /dev/fd/62 sind identisch.
# Extract public key in /tmp/nc.pub.pem
$ openssl x509 -noout -pubkey < .nextcloud/certificates/cookbook/cookbook.crt > /tmp/nc.pub.pem
# Create a dummy signature
$ echo -n abc | openssl dgst -sha512 -sign .nextcloud/certificates/cookbook/cookbook.key | openssl base64
$ echo -n abc | openssl dgst -sha512 -sign .nextcloud/certificates/cookbook/cookbook.key > /tmp/nc.sign
# Test a valid signature
$ echo -n abc | openssl dgst -sha512 -verify /tmp/nc.pub.pem -signature /tmp/nc.sign
Verified OK
# Test a failing signature
$ echo -n ac | openssl dgst -sha512 -verify /tmp/nc.pub.pem -signature /tmp/nc.sign
Verification failure
804B38AEE6700000:error:02000068:rsa routines:ossl_rsa_verify:bad signature:crypto/rsa/rsa_sign.c:442:
804B38AEE6700000:error:1C880004:Provider routines:rsa_verify_directly:RSA lib:providers/implementations/signature/rsa_sig.c:1041:
$ openssl version
OpenSSL 3.4.0 22 Oct 2024 (Library: OpenSSL 3.4.0 22 Oct 2024)
So, long story short: I do not see the error in your setup. Maybe you try again after a good night of sleep. Eventually test another openssl version. You can try to verify the signature I created if you want (then you know that openssl works in general). But I am, as I said, out of (good) ideas.
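As an added example (not code from the thread), the two checks the helper runs above, the modulus comparison from the diff -s command and the sign/verify round trip behind the token challenge from the earlier post, wrapped into one POSIX shell script against a throwaway self-signed key pair created on the spot; the file names under the temp directory and the stale.key stand-in for a key regenerated by mistake are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): replays the helper's two checks against a
# throwaway self-signed key pair generated here, so it runs offline.
set -e

APP_ID="${APP_ID:-logcleaner}"   # app id from the thread
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/$APP_ID.key"          # stands in for ~/.nextcloud/certificates/APP_ID.key
CRT="$WORK/$APP_ID.crt"          # stands in for the certificate issued by the PKI
OTHER_KEY="$WORK/stale.key"      # constructed: an unrelated key, like a CSR regenerated by mistake

# Constructed material; the real certificate comes from the Nextcloud PKI, not from you.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$KEY" -out "$CRT" \
    -subj "/CN=$APP_ID" -days 1 >/dev/null 2>&1
openssl genrsa -out "$OTHER_KEY" 2048 >/dev/null 2>&1

# Check 1: does this key belong to this certificate? Same modulus <=> same key pair.
key_matches_cert() {
    [ "$(openssl x509 -noout -modulus -in "$1")" = "$(openssl rsa -noout -modulus -in "$2")" ]
}

# Check 2a: the app store token challenge exactly as described in the thread:
# SHA-512 RSA signature over the bare app id (no trailing newline), base64 on one line.
token_challenge() {
    printf '%s' "$1" | openssl dgst -sha512 -sign "$2" | openssl base64 -A
}

# Check 2b: verify a challenge against the certificate's public key; prints ok or bad.
verify_challenge() {
    pub="$WORK/pub.pem"; sig="$WORK/sig.bin"
    openssl x509 -noout -pubkey -in "$3" > "$pub"
    printf '%s' "$2" | openssl base64 -d -A > "$sig"
    if printf '%s' "$1" | openssl dgst -sha512 -verify "$pub" -signature "$sig" >/dev/null 2>&1
    then echo ok; else echo bad; fi
}

main() {
    key_matches_cert "$CRT" "$KEY"       && echo "$APP_ID.key matches $APP_ID.crt"
    key_matches_cert "$CRT" "$OTHER_KEY" || echo "stale.key does NOT match $APP_ID.crt"
    good=$(token_challenge "$APP_ID" "$KEY")
    stale=$(token_challenge "$APP_ID" "$OTHER_KEY")
    nl=$(printf '\nx'); nl=${nl%x}   # the trailing newline that echo without -n would add
    echo "challenge from matching key:   $(verify_challenge "$APP_ID" "$good" "$CRT")"
    echo "challenge from stale key:      $(verify_challenge "$APP_ID" "$stale" "$CRT")"
    echo "same id, echo without -n:      $(verify_challenge "$APP_ID$nl" "$good" "$CRT")"
}
main "$@"
```

The last line of output shows why the thread insists on echo -n: a newline appended to the app id is a different message, so the challenge no longer verifies.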
Checksums of csr and key matched, but the crt was different. So it was clear: what you suspected was right, I used the wrong csr and key all the time.
I found the right csr and key files on my system, generated new /tmp/nc.pub.pem and /tmp/nc.sign, and the command echo -n logcleaner | openssl dgst -sha512 -verify /tmp/nc.pub.pem -signature /tmp/nc.sign resulted in Verified OK - JIHAA
Now, do me a favor and store all valid files in a consistent location permanently (!) and get rid of all invalid files. You drove me crazy yesterday. I honestly started to mistrust myself.