[QA] owncloud apps qnap and theme-qnap are not signed, and other admin warnings

[jnweiger]

Seen with ownCloud for QNAP 10.8.0 RC1 from ownCloud_10.8.0_arm-x41.qpkg

The code integrity checker complains:

Results
=======
- qnap
    - EXCEPTION
        - OC\IntegrityCheck\Exceptions\MissingSignatureException
        - Signature data not found.
- theme-qnap
    - EXCEPTION
        - OC\IntegrityCheck\Exceptions\MissingSignatureException
        - Signature data not found.

[jnweiger]

Retested with https://github.com/owncloud/qnap-packaging/releases/download/v10.8.0.0-rc3/ownCloud_10.8.0.0-r_x86_64.qpkg

• The not signed warnings go away when the admin clicks re-scan. Not sure why that is. Do we hve an ignore setting somewhere? The qnap app itseld is definitly not signed. OKAYISH.
• Additional warnings visible in the admin interface are

[jnweiger]

@wkloucek can we fix these warnings?

[wkloucek]

• The not signed warnings go away when the admin clicks re-scan. Not sure why that is. Do we hve an ignore setting somewhere? The qnap app itseld is definitly not signed. OKAYISH.
• Additional warnings visible in the admin interface are

We definitely need to do a proper release and sign the QNAP app :-) Singing keys are there since this morning. When would you like to do that? make dist in the QNAP folder (after editing the info.xml) should be enough, at least it worked flawelessly for micbar this morning.

The QNAP theme will be set on the ignore list for the integrity checker since changing a template would trigger it again...

The "Strict-Transport-Security" warning is not applicable since we explicitly need to support http and https, therefore setting this would be a problem.

I will have a look into the other warnings.

[wkloucek]

the x-frame-options and x-xss-protection are there, but the last one has different value than recommended (but newer browsers don't use that anyways...).

Looks like headers are not treated case insensitive: https://github.com/owncloud/core/blob/eebd754771a99bc44820eb67a6d57cea238e6b86/core/js/setupchecks.js#L248

[jnweiger]

When I try to sign qnap at tag v1.4.1-rc2 I get this error:

Skipping signing, either no key and certificate found in /root/.owncloud/certificates/qnap.key and /root/.owncloud/certificates/qnap.crt or occ can not be found at /var/www/owncloud/repo/qnap/../../occ

and this warning:

WARNING: version from info.xml 1.4.1-rc1 and branch/tag v1.4.1-rc2 disagree -- to be sorted out manually

[jnweiger]

Signing of qnap now works for me. Forgot to re-link the certificates repo after the releasescripts repo was moved. Added https://github.com/owncloud/qnap/releases/download/v1.4.1-rc2/qnap-1.4.1-rc2.tar.gz OK.

We do not sign theme-qnap, it contains user editable parts. It is already in the ignore list and no longer shows up in the admin page. OK.

@oC-Chriddel are the remaining items here blocker?

[jnweiger]

Retested in rc4

• qnap app not signed:

  occ integrity:check-app qnap
  - EXCEPTION:
  - class: OC\IntegrityCheck\Exceptions\MissingSignatureException
  - message: Signature data not found.

• the three red admin warnings are still there

• And also during installation the package is not signed

[wkloucek]

These Security and Setup warnings appear:

• The "X-XSS-Protection" HTTP header is not configured to equal to "0". This is a potential security or privacy risk and we recommend adjusting this setting.
• The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN". This is a potential security or privacy risk and we recommend adjusting this setting.
• The "Strict-Transport-Security" HTTP header is not configured to at least "15552000" seconds. For enhanced security we recommend enabling HSTS as described in our security tips.

The actual values are:

HTTP/1.1 200 OK
Date: Fri, 17 Sep 2021 11:11:01 GMT
Server:  
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval' ; object-src 'self' ; worker-src 'self' blob:
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Frame-Options: SAMEORIGIN
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Security-Policy: default-src 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 5985
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=0
Keep-Alive: timeout=15, max=96
Connection: Keep-Alive

I consider the security warnings as a non-blocker since we can't change the configuration of the QNAP proxy. Furthermore Strict-Transport-Security is not applicable since we are probably in a mixed http/https environment and X-Frame-Options looks to be set but I don't know why there is a warning...