Nextcloud and integrity:sign-app

Hello all,
I just read the new docs for the new app store and I am happy to see that OC and NC releases have to be done differently now ;-(
E.g. separate CRTs due to different key strengths.

But what about app signing?
For ownCloud I had to sign the app via integrity:sign-app to create a signature file in appinfo/.

This is not mentioned in the NC docs.
Is this still required?

You can do both but it’s not required.

The integrity:sign-app command uses phpseclib (take a look at the codebase!!), which has a bug when dealing with 4096-bit signatures. Therefore I’d refrain from doing that :wink:

Apart from that, it was harder to validate and generate the signature, so I decided to just go for signing the archive, which can also be done using standard tools.

TL;DR: don’t use integrity:sign-app until Nextcloud ditches phpseclib for openssl or something different.

OK,
so for the OC archive (.zip) I sign the app itself with a signature.json and the OC key;
for the NC archive (tar.gz) I only sign the submission to the app store.

Sounds manageable; all done in one bash script…

Thank you for your feedback.
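The "sign the archive with standard tools" step for the NC tar.gz, as an added example that is not from the thread or from Nextcloud's own tooling: it builds a constructed dummy app tarball and a throwaway 4096-bit RSA key in a temp directory, signs the archive's SHA-512 digest with openssl, base64-encodes the result, and then verifies it against both the original and a tampered copy. The file names, the `demoapp` id and the temp-dir layout are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): sign a Nextcloud-style app tarball
# with openssl and verify it. All key material and the tarball are
# constructed here in a temp dir; a real submission uses the developer's key.
set -eu

WORK="${WORK:-$(mktemp -d)}"

make_fixture() {
  # Constructed app archive: a minimal appinfo/info.xml inside demoapp/
  mkdir -p "$WORK/demoapp/appinfo"
  printf '<?xml version="1.0"?><info><id>demoapp</id></info>\n' \
    > "$WORK/demoapp/appinfo/info.xml"
  tar -C "$WORK" -czf "$WORK/demoapp.tar.gz" demoapp
  # Constructed 4096-bit RSA signing key plus the matching public key
  openssl genrsa -out "$WORK/demoapp.key" 4096 2>/dev/null
  openssl rsa -in "$WORK/demoapp.key" -pubout -out "$WORK/demoapp.pub" 2>/dev/null
}

sign_archive() {
  # $1 = archive path. SHA-512 digest, RSA-signed, base64 on one line:
  # the form a store submission field expects (assumption for this example).
  openssl dgst -sha512 -sign "$WORK/demoapp.key" "$1" | openssl base64 -A
}

verify_archive() {
  # $1 = archive path, $2 = base64 signature. Prints "ok" or "bad".
  printf '%s' "$2" | openssl base64 -d -A > "$WORK/sig.bin"
  if openssl dgst -sha512 -verify "$WORK/demoapp.pub" \
       -signature "$WORK/sig.bin" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo bad
  fi
}

tamper_copy() {
  # Append one byte to a copy of the archive; prints the copy's path.
  cp "$WORK/demoapp.tar.gz" "$WORK/tampered.tar.gz"
  printf 'x' >> "$WORK/tampered.tar.gz"
  echo "$WORK/tampered.tar.gz"
}

make_fixture
SIG=$(sign_archive "$WORK/demoapp.tar.gz")
echo "signature: $SIG"
echo "verify original: $(verify_archive "$WORK/demoapp.tar.gz" "$SIG")"
echo "verify tampered: $(verify_archive "$(tamper_copy)" "$SIG")"
```

Keeping the verify step in the same script lets the release script refuse to upload if the signature it just produced does not validate against the public key in the certificate.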

Yep, should be fine and the idea is indeed to script it :slight_smile: