Hello all,
I just read the new docs for the new app-store and I am happy to see that OC and NC releases have to be done differently now ;-(
E.g. separate CRTs due to different key strength.
But what about app signing?
For ownCloud I had to sign the app via integrity:sign-app to create a signature file in appinfo/.
This is not mentioned in the NC docs.
Is this still required?

The integrity:sign-app command uses phpseclib (take a look at the codebase!!), which has a bug when dealing with 4096-bit signatures. Therefore I'd refrain from doing that.
Apart from that, it was harder to validate and generate the signature, so I decided to just go for signing the archive, which can also be done using standard tools.

OK,
so for the OC archive (.zip) I sign the app itself with a signature.json and the OC key;
for the NC archive (tar.gz) I only sign the submission into the app store.
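
Signing the release archive with standard tools, as the reply above describes, shown as an added example that is not part of the original thread or of either project's code. It assumes a SHA-512 digest and a base64-encoded detached signature; the function names, the app id demoapp and all file names are hypothetical, and the key, certificate and archive are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: detached RSA signature over a release archive with openssl.
# Assumptions: SHA-512 digest, base64 signature, PEM key and certificate.

# sign_archive KEY ARCHIVE -> prints the base64 signature on one line
sign_archive() {
    openssl dgst -sha512 -sign "$1" "$2" | openssl base64 -A
}

# verify_archive CERT ARCHIVE SIG_B64 -> returns 0 only if the signature matches
verify_archive() {
    _tmp=$(mktemp -d) || return 2
    _rc=1
    # Take the public key from the certificate, decode the signature, verify.
    if openssl x509 -in "$1" -pubkey -noout > "$_tmp/pub.pem" 2>/dev/null &&
       printf '%s' "$3" | openssl base64 -d -A > "$_tmp/sig.bin" 2>/dev/null &&
       openssl dgst -sha512 -verify "$_tmp/pub.pem" \
           -signature "$_tmp/sig.bin" "$2" >/dev/null 2>&1
    then _rc=0; fi
    rm -rf "$_tmp"
    return $_rc
}

# make_demo_material DIR BITS -> constructed key, self-signed cert and archive
make_demo_material() {
    openssl req -x509 -newkey "rsa:$2" -nodes -days 1 -subj "/CN=demoapp" \
        -keyout "$1/demoapp.key" -out "$1/demoapp.crt" 2>/dev/null &&
    mkdir -p "$1/demoapp/appinfo" &&
    printf '<info><id>demoapp</id></info>\n' > "$1/demoapp/appinfo/info.xml" &&
    tar -czf "$1/demoapp.tar.gz" -C "$1" demoapp
}

# demo: sign with a 4096-bit key, verify, then show a modified archive fails
demo() {
    d=$(mktemp -d) || return 1
    make_demo_material "$d" 4096 || return 1
    sig=$(sign_archive "$d/demoapp.key" "$d/demoapp.tar.gz")
    verify_archive "$d/demoapp.crt" "$d/demoapp.tar.gz" "$sig" &&
        echo "original archive: signature OK"
    printf 'x' >> "$d/demoapp.tar.gz"   # simulate tampering after signing
    verify_archive "$d/demoapp.crt" "$d/demoapp.tar.gz" "$sig" ||
        echo "modified archive: signature REJECTED"
    rm -rf "$d"
}
```

Source the file and call `demo` to see both outcomes; the signature covers the exact bytes of the archive, so repacking after signing invalidates it.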