How to verify the integrity of Nextcloud apps

I have downloaded the latest version of the custom menu 3.7.2 app, but I do not find any MD5 or SHA256 value to check the integrity of the downloaded tar.gz.

We have the certificate and signature that can be checked with occ, but before putting this app on our server, nothing is available.

Is that normal?

Thank you for your answers.

There is hash information for the files in apps that are signed. You can find more information about the code signing of apps here, hopefully it helps a bit: Code signing — Nextcloud latest Developer Manual latest documentation

I see this link, but I need to check what I download without using the occ command here: Using the occ command — Nextcloud latest Administration Manual latest documentation

Here, a tar.gz file that can contain the app or something else.

My point was that you can perhaps make use of the signature.json file, which according to the documentation I linked you to contains “hashes [which] is an array of all files in the folder with their corresponding SHA-512 hashes”. Wouldn’t that be sufficient to verify that the files have the hashes they should have?

I suppose I don't understand very well :slight_smile:

In this file, side_menu_v3.7.2.tar.gz, downloaded from this page: https://apps.nextcloud.com/apps/side_menu/releases?platform=26#26

I do not find any signature.json file in the appinfo folder. If the app is signed, I can read this in the documentation: "The occ tool will store a signature.json file within the appinfo folder of your application. Then compress the application folder and upload it to apps.nextcloud.com."

In this case, I do not see the signature.json, and even if I saw it, the only way to check the integrity of the downloaded file is the occ command line and not a simple checksum. Did the developer forget to put the signature.json file in before putting the app on the app store?

I suppose I must create the signature.json file with a notepad editor and put the hashes of a few files in the hash table, as well as the certificate and the signature available from the app's page, then launch an occ command line to check the integrity of the listed files.

I would have preferred an MD5 checksum of the tar.gz file to begin with.

You can retrieve the source URL of your download here: https://gitnet.fr/deblan/side_menu/releases/tag/v3.7.2 (side_menu_v3.7.2.tar.gz). The signature is in side_menu_v3.7.2.sig.
The public certificate is accessible from app-certificate-requests/side_menu at master · nextcloud/app-certificate-requests · GitHub.
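For the check the thread is asking about, here is an added example (not code from the thread, from the side_menu project, or from Nextcloud) of verifying a release tarball against its detached .sig file and the developer's certificate with nothing but openssl, i.e. without occ. It assumes the .sig was produced the way the Nextcloud developer manual describes for app releases, as a base64-encoded RSA/SHA-512 signature over the raw tarball bytes (`openssl dgst -sha512 -sign app.key app.tar.gz | openssl base64`). The key, self-signed certificate, tarball and signature it creates are constructed stand-ins so the script runs offline; with a real download you would pass the downloaded side_menu_v3.7.2.tar.gz, the side_menu_v3.7.2.sig from the release page and the certificate from app-certificate-requests instead. The self-signed stand-in means the step of checking that the developer certificate itself chains to Nextcloud's app-signing root is not shown here.

```shell
#!/bin/sh
# Verify a Nextcloud app release tarball against its detached .sig and the
# developer certificate, without occ. Added example; assumes the .sig is a
# base64-encoded RSA/SHA-512 signature over the tarball bytes, as the
# developer manual's signing command produces.
set -eu

# verify_release TARBALL SIG_FILE CERT_PEM
# Exit status 0 when the signature matches the tarball, 1 otherwise.
verify_release() {
    tarball=$1; sig_file=$2; cert=$3
    work=$(mktemp -d)
    # 1. extract the developer's public key from the certificate
    openssl x509 -in "$cert" -pubkey -noout > "$work/pub.pem"
    # 2. decode the base64 .sig to raw signature bytes; strip newlines first so
    #    both single-line and 64-column-wrapped signature files are accepted
    tr -d '\r\n' < "$sig_file" | openssl base64 -d -A > "$work/sig.bin"
    # 3. verify the RSA/SHA-512 signature over the tarball bytes
    if openssl dgst -sha512 -verify "$work/pub.pem" \
        -signature "$work/sig.bin" "$tarball" >/dev/null 2>&1; then
        rm -rf "$work"; return 0
    fi
    rm -rf "$work"; return 1
}

# --- constructed demo material (stand-ins, not the real side_menu release) ---
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/side_menu/appinfo"
echo "<info/>" > "$demo/side_menu/appinfo/info.xml"
tar -czf "$demo/side_menu_v3.7.2.tar.gz" -C "$demo" side_menu

# A self-signed certificate stands in for the one Nextcloud issues to the
# developer; in real use the certificate comes from app-certificate-requests.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$demo/side_menu.key" \
    -out "$demo/side_menu.crt" -subj "/CN=side_menu" -days 1 >/dev/null 2>&1

# Sign exactly as the developer manual instructs for a release.
openssl dgst -sha512 -sign "$demo/side_menu.key" "$demo/side_menu_v3.7.2.tar.gz" \
    | openssl base64 > "$demo/side_menu_v3.7.2.sig"

# Genuine tarball: the signature must verify.
demo_verify_good() {
    verify_release "$demo/side_menu_v3.7.2.tar.gz" \
        "$demo/side_menu_v3.7.2.sig" "$demo/side_menu.crt"
}

# Tampered tarball (one byte appended): the same signature must be rejected.
demo_verify_tampered() {
    cp "$demo/side_menu_v3.7.2.tar.gz" "$demo/tampered.tar.gz"
    printf 'x' >> "$demo/tampered.tar.gz"
    verify_release "$demo/tampered.tar.gz" \
        "$demo/side_menu_v3.7.2.sig" "$demo/side_menu.crt"
}

if demo_verify_good; then
    echo "side_menu_v3.7.2.tar.gz: signature OK"
else
    echo "side_menu_v3.7.2.tar.gz: signature FAILED"
fi
if demo_verify_tampered; then
    echo "tampered.tar.gz: signature OK (unexpected)"
else
    echo "tampered.tar.gz: signature FAILED (as expected)"
fi
```

Because the signature covers the tarball bytes, a checksum of the archive adds nothing the signature does not already give you; what the checksum cannot do, and the signature can, is tell you the archive was produced by the holder of the certificate's key. The check is only as strong as your trust in the certificate, so on a real download confirm the certificate against the copy published in app-certificate-requests rather than taking one bundled with the release.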