[Request] Build Mac OS X client with Qt 5.9 LTS

[yunlhan]

Hello,

Current Mac OS X client Nextcloud-2.3.2.1.pkg posted on

https://download.nextcloud.com/desktop/releases/Mac/Installer/

fails connection to TLS v1.2 only Nextcloud server. This is a long standing issue.

A month ago, I successfully built a client for personal use that solved the issue except I could not sign it correctly. See my question about codesign here in issue #13. See the same question on help.nextcloud forum. My building process was documented here.

Besides my codesign problem, I followed this post to chmod 777 Sparkle.Framework folder in Library/Frameworks in order to have a working build. I wonder why this works?

As per my email exchanges with @mario , I am opening this NEW issue and he wants to push for the solution to this problem as soon as possible. Also can you guys include detailed documentation for ./osx/build.sh script?

Thanks, Yün

[Tsuroerusu]

I would like to strongly second @yunlhan 's request. I was completely astonished to find out just now that the Nextcloud client for OS X does not support something as ESSENTIAL as TLS v1.2. How is this not a super-critical thing to fix? TLS v1.1 is actively being deprecated, and TLS v1.0 was recognized as broken a long time ago to the degree that browsers now throw a fit if they see it anywhere. Most security practices would recommend disabling these older protocols. Without intending to be insulting the fact that this has not been solved a year ago when it was first reported is a total disaster. The very point of Nextcloud is strong security and privacy, but that is not helped, to say the least, by the officially-branded client only supporting completely antiquated security protocols. Again, I hope nobody feels insulted by my remarks, I just felt it needed to be said how critical this actually is.

[anatomism]

I have to agree - this is an absolute farce. Its a long standing issue and may have been acceptable in 2010, but not in 2017. You managed to "fix" the issue in 2.3.0 RC1, but then "broke" it again in all subsequent releases. To highly publicise that you are a secure solution but leave users vulnerable to SSL attacks by forcing them to use TLS v1.0 is backward.

[derkostka]

+1 for the mentioned issue. I switched to the owncloud client as the "themed" version is not working with my server anymore. Please support with a new release.

[hodyroff]

JFYI - ownCloud Desktop Client will stay with QT 5.6.2 till 2.5.0. - where 5.9+ with https/2 support will be introduced. TLS 1.2 works of course perfectly. You are welcome to help test 2.3.3 and provide feedback. Development for 2.4.0 is almost done, nice new things are upcoming as the ownCloud team proceeds with this release cycle.

[yunlhan]

Hello,

I just updated Qt on my workstation to 5.9.2 and rebuilt NC client for Mac OS X based on ownCloud 2.3.3. It can be checked out here.

The About page of the client looks like below,

Cheers, Yün

[Marcool04]

Again, I'll add my voice to the chorus of others saying this is indeed a critical bug. @yunlhan thank you for the beta, certainly helps in the mean time. I have also tested ownCloud client for mac with the latest release and that also is working fine. This has actually just become one "notch" more critical with recent update of nextcloud server which seems to now refuse connections from non TLSv1.2 clients... And devs there obviously (and rightly) aren't going to change that: https://github.com/nextcloud/server/issues/6783.

[mario]

Working on this, sorry for the delay folks.

[Marcool04]

No worries. Thanks for taking the time to drop a comment to let us know. Keep up the good work! :)

[Tsuroerusu]

@mario No worries, Mario, glad to hear that stuff is happening. Any idea or "feeling" as to when this might be resolved? The reason I ask is that at the moment, I have to explain to my customers why they have to use the ownCloud client (If they use a Mac) when the system is actually Nextcloud, and that is really confusing to many of them.

[mario]

@Tsuroerusu considering it's Wednesday night, I hope to have a build by Friday (have to build Qt on an old machine due to compatibility reasons), so maybe release early next week if @rullzer & the rest of the team approve it? :)

[mario]

(This is of course, assuming all goes well)

[yunlhan]

@mario Thank you so much. I noticed that you committed a change 20 days ago but there was not much about how to sign the app, specifically, these two lines

sudo ~/client_theming/client/admin/osx/sign_app.sh ~/install/nextcloud.app 59FA8948AEBAE3F2222AE9BC020D6DA31DF821A7 sudo ./admin/osx/create_mac.sh ../install/ . 6A588D031B2B63991A49DB9C98B4C846D6D0EAC4

I repeatedly got signing errors at the end of my build though the package is OK to use. Will you be able to doc how to use the developer identities?

Thanks, Yün

[mario]

@yunlhan not this week, but I honestly want to do it. Sorry, I'm on too many fronts :(

[mario]

@yunlhan my mail is mario@nextcloud.com - feel free to bug me forever until I do this for you :)

[Tsuroerusu]

@mario Can I bug you about something else then now that we're at it. :P Releasing version 2.3.3 of the client would resolve a big problem with chunking, which some of my users are also affected by, and I see that progress seems to be made in issue #206 , however I was wondering if you might be able to expedite this a bit via your own efforts with the Mac client as this chunking issue affects all OSes.

[yunlhan]

@mario Thank you. I bookmarked your email address. You can hide it if you need to protect it from spam.

[derkostka]

Thanks Mario!

[mario]

@yunlhan still WIP, but documents the magic strings used for signing :)

https://github.com/nextcloud/client_theming/pull/211/files

[mario]

@Tsuroerusu I'm working on 2.3.3, yes :)

[yunlhan]

@mario Thank you so much!!!! I will update you once I try the new osx/build.sh sometime later this week.

[jospoortvliet]

Please help test 2.3.3 on https://download.nextcloud.com/desktop/prereleases/ and give feedback!

[yunlhan]

Thank you Nextcloud!!! @mario

[gbiggs]

I was having the same issue on 2.2.something and 2.3.2.1. I had a look at the tcpdump and the client was requesting TLS 1.0 in its ClientHello, then not following up with something better when the server refused that. (Although that's the opposite of what clients usually do, which is try for the best and then make new ClientHello requests with relaxed requirements if that fails.)

Installing the 2.3.3 beta posted by @jospoortvliet fixed the problem. No more SSL errors and the client is happily syncing.

[yunlhan]

Hello, I just recompiled Qt 5.9.2 against the latest openssl 1.0.1m and bumped up the upstream ownCloud to v2.3.4 which was released days ago.

[Tsuroerusu]

@mario Are there any updates on how the pre-release phase is going? Any rough estimates as to when 2.3.3 with the fixes for the TLS and syncing issues will be pushed out?

[pgassmann]

I just helped a user set up nextcloud client on osx. It would be impossible for a standard user to set up nextcloud client on OS X. first this error because I have secure cipher settings. Then I searched and found this bug. (Why Closed?) downloaded the prerelease.

@jospoortvliet In the new version it seems that the login is only possible with an App password. The Link provided in the setup wizard leads to the settings page and not directly to the app password setting. For a non-techie user it is absolutely not clear how this should work.

[Tsuroerusu]

I see that the Windows and Linux versions of the v2.3.3 update has been issued and are available from the website. However, the Mac version is not available yet. Does anybody know when that might be out? And what is holding it up at the moment?

[rullzer]

Should be soon. We just need some time on our OSX build machine with people that actually know OSX building ;)

[jospoortvliet]

2.3.3 is on our download server, website deployment is done and the link on our download page should give you the latest version in at most 30 minutes ;-)