What is the "sha512" algorithm of signatureDigest in apps.json?

I want to mirror https://apps.nextcloud.com/api/v1/apps.json to my server, for the same purpose as the topic, and thus need to check whether the mirrored file is correct.

I can find the "signature" value and the "signatureDigest". It looks like this:

[user@localhosts ]$ cat apps.json | jq '.[] | select (.id == "spreed") | .releases[0]'
{
  "version": "9.0.9",
  "phpExtensions": [],
  "databases": [],
  "shellCommands": [],
  "phpVersionSpec": "*",
  "platformVersionSpec": ">=19.0.0 <20.0.0",
  "minIntSize": 32,
  "download": "https://github.com/nextcloud/spreed/releases/download/v9.0.9/spreed-9.0.9.tar.gz",
  "created": "2021-02-22T09:48:45.108892Z",
  "licenses": [
    "agpl"
  ],
  "lastModified": "2021-02-22T09:48:46.243527Z",
  "isNightly": false,
  "rawPhpVersionSpec": "*",
  "rawPlatformVersionSpec": ">=19 <=19",
  "signature": "FmMUjC/TLhHzpnALtXqo+DKVneHvvM1e8RmGMWQXTzm0GRk+PqLl3No0XQ+p/aAr\n6U8/Pp19xuoUk5DVR0d9XLrt26QWHOVgD8P8ldiWZCVq59xooaEjMeogvkd6osSX\nK7yf/kHUKjzQo76/LAK861ko/qlFuzAdNWp/0nd5HPhvdsDAFBJiYo26Nn9Sm4P2\nHYIkP4O+PuoDczfsw0hBxS7IVAARttNKas/aTYeVoIYRFn50LZHm5jiKjgvztWSx\nj6IUC+yRkJRkVVQK6fMH7gyDVEKOyR58EPc83UptZhWuSkYbtagSQqO9M6A/b8EV\nqgROSWfaXcfJ2IUv2+E6zBDKRfu06dMTeSg968Jyc8E5eZJuKXzVy5f9lt/NkjwG\npiel8AsUCKqNrmkxZV7wCi8NNMogisvyTQl+wiwN3XgB+ITk2TPNbXPBF4Khf5xJ\n67mS0bcXxJd9hlUBYYgVmyqXRsGC6EpUZC7mTJw5T3vuNpr4fJQ886lB11gh632M\nRw6rlQER5uSGtaCQht/wwTkIkL50LKnCTiuhMzKSr5U7sgrfqMxezK/jOVbTbrey\nY8mwUeWBKK3Yh+uHZ833xrUQNs925Z6O2ClKQLPFeEQXGofZztYMoVCE8PqNXDKH\nvRkKqF1iB7Kti37sh7egDRDjZT6rAACULF1yTrr9yCQ=",
  "translations": {
    "en": {
      "changelog": "### Fixed\n- Fix collaboration resource options not loading\n  [#5143](https://github.com/nextcloud/spreed/pull/5143)\n- Fixed a bug that would prevent attachments going into the Talk/ folder\n  [#5080](https://github.com/nextcloud/spreed/pull/5080)"
    }
  },
  "signatureDigest": "sha512"
}

It shows the algorithm is sha512.

However, the output of sha512sum is:

[user@localhosts ]$  sha512sum spreed-9.0.9.tar.gz 
0bd11b79a085402b25837bcb7784362aa3ea9f7e30cfa5599347a9f7093d825e902a12a0a23c07df62109edf529f6074e6ddca0135e1f9d3ec06fdfe4dd3efa9  spreed-9.0.9.tar.gz

which is different from the "signature" in apps.json.

Then how do I calculate the "signature" of the downloaded "*.tar.gz" file?

A signature uses a certificate, and with the public key you can verify whether the file is the one the person who signed it wanted to send you. You need to check around the app store (developer documentation, app store GitHub, etc.) to see how the apps are signed (whether it is a certificate from Nextcloud or individually the developer's one).

https://docs.nextcloud.com/server/latest/developer_manual/app_publishing_maintenance/code_signing.html
Nextcloud’s key: https://nextcloud.com/security/
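
The following is an added worked example for this thread; it is not part of any post above and not Nextcloud's own code. The point it demonstrates: "signatureDigest": "sha512" names the hash used inside the signature, and "signature" is a base64-encoded RSA signature over that SHA-512 digest, not the digest itself. The base64 value quoted in the question is 684 characters long, which decodes to 512 bytes (a 4096-bit RSA signature), so it can never match the 64-byte output of sha512sum. The script below builds a constructed stand-in key, self-signed certificate and archive (a real app certificate is issued by the App Store CA), signs the archive the way the code-signing documentation describes (openssl dgst -sha512 -sign, then base64), and verifies it against the certificate's public key, including the failure case for a modified archive. A 2048-bit key is used only to keep the demo fast.

```shell
#!/bin/sh
# Added example (not from the Nextcloud project): reproduce and check an
# App Store style release signature with openssl.  Key, certificate and
# archives are constructed stand-ins created in a scratch directory.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Sign a file as the code-signing docs describe: SHA-512 digest, RSA
# signature with the developer's private key, base64 encoded.
# Usage: sign_release KEY FILE  -> prints the base64 signature
sign_release() {
    openssl dgst -sha512 -sign "$1" "$2" | openssl base64 -A
}

# Verify a release against the public key in the app certificate.
# Usage: verify_release CERT BASE64_SIG FILE  -> exit 0 if valid, 1 otherwise
verify_release() {
    openssl x509 -in "$1" -pubkey -noout > "$1.pub"
    printf '%s' "$2" | openssl base64 -d -A > "$3.sig"
    openssl dgst -sha512 -verify "$1.pub" -signature "$3.sig" "$3" >/dev/null 2>&1
}

# Length in bytes of a decoded base64 signature (RSA modulus size, not 64).
# Usage: signature_bytes BASE64_SIG
signature_bytes() {
    printf '%s' "$1" | openssl base64 -d -A | wc -c | tr -d ' '
}

# --- constructed demo material (stand-ins, not real App Store objects) ---
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out app.key 2>/dev/null
openssl req -new -x509 -key app.key -subj "/CN=demo-app" -days 1 -out app.crt 2>/dev/null
printf 'constructed stand-in for spreed-9.0.9.tar.gz\n' > app.tar.gz
printf 'constructed stand-in, contents changed\n'      > tampered.tar.gz

SIG=$(sign_release app.key app.tar.gz)
# What sha512sum would print for the same file: a 128-hex-char (64-byte) digest.
PLAIN_DIGEST=$(openssl dgst -sha512 app.tar.gz | sed 's/^.*= //')

echo "plain sha512 digest : $PLAIN_DIGEST"
echo "signature length    : $(signature_bytes "$SIG") bytes (2048-bit RSA here, 512 for the 4096-bit key in the post)"
if verify_release app.crt "$SIG" app.tar.gz; then
    echo "original archive : signature OK"
fi
if ! verify_release app.crt "$SIG" tampered.tar.gz; then
    echo "tampered archive : signature FAILS"
fi
```

To apply this to a real download, the certificate to verify against is the app's own, which the App Store REST API returns as the `certificate` field of the app object in apps.json (my reading of the API, so treat the exact field name as an assumption): `jq -r '.[] | select(.id == "spreed") | .certificate' apps.json > spreed.crt`, then `jq -r '.[] | select(.id == "spreed") | .releases[0].signature' apps.json | openssl base64 -d > sig.bin`, and finally `openssl x509 -in spreed.crt -pubkey -noout > spreed.pub; openssl dgst -sha512 -verify spreed.pub -signature sig.bin spreed-9.0.9.tar.gz`. A passing check only proves the archive matches what the holder of that key signed; to know the key belongs to the app, the certificate must additionally chain to the Nextcloud App Store root certificate (shipped in the server source as resources/codesigning/root.crt), which `openssl verify -CAfile root.crt spreed.crt` checks.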

Hi tflidd, Thanks a lot.

Using the official Nextcloud verification code in the *.php files may be the best solution.

However, I am not familiar with php. :joy:
It seems that I have to find another way to verify the downloaded "tar.gz" files.