jnweiger opened 3 years ago
Retested with https://github.com/owncloud/qnap-packaging/releases/download/v10.8.0.0-rc3/ownCloud_10.8.0.0-r_x86_64.qpkg
@wkloucek can we fix these warnings?
- The not signed warnings go away when the admin clicks re-scan. Not sure why that is. Do we have an ignore setting somewhere? The qnap app itself is definitely not signed. OKAYISH.
- Additional warnings visible in the admin interface are
We definitely need to do a proper release and sign the QNAP app :-) Signing keys are there since this morning. When would you like to do that? `make dist` in the QNAP folder (after editing the info.xml) should be enough, at least it worked flawlessly for micbar this morning.
The QNAP theme will be set on the ignore list for the integrity checker since changing a template would trigger it again...
The "Strict-Transport-Security" warning is not applicable since we explicitly need to support http and https, therefore setting this would be a problem.
I will have a look into the other warnings.
The x-frame-options and x-xss-protection are there, but the last one has a different value than recommended (but newer browsers don't use that anyways...).
Looks like headers are not treated case insensitive: https://github.com/owncloud/core/blob/eebd754771a99bc44820eb67a6d57cea238e6b86/core/js/setupchecks.js#L248
When I try to sign qnap at tag v1.4.1-rc2 I get this error:
Skipping signing, either no key and certificate found in /root/.owncloud/certificates/qnap.key and /root/.owncloud/certificates/qnap.crt or occ can not be found at /var/www/owncloud/repo/qnap/../../occ
and this warning:
WARNING: version from info.xml 1.4.1-rc1 and branch/tag v1.4.1-rc2 disagree -- to be sorted out manually
Signing of qnap now works for me. Forgot to re-link the certificates repo after the releasescripts repo was moved.
Added https://github.com/owncloud/qnap/releases/download/v1.4.1-rc2/qnap-1.4.1-rc2.tar.gz OK.
We do not sign theme-qnap, it contains user editable parts. It is already in the ignore list and no longer shows up in the admin page. OK.
@oC-Chriddel are the remaining items here blockers?
qnap app not signed:

```
occ integrity:check-app qnap
- EXCEPTION:
    - class: OC\IntegrityCheck\Exceptions\MissingSignatureException
    - message: Signature data not found.
```
the three red admin warnings are still there
And also during installation the package is not signed
These Security and Setup warnings appear:
The actual values are:

```
HTTP/1.1 200 OK
Date: Fri, 17 Sep 2021 11:11:01 GMT
Server:
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval' ; object-src 'self' ; worker-src 'self' blob:
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Frame-Options: SAMEORIGIN
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Security-Policy: default-src 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 5985
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=0
Keep-Alive: timeout=15, max=96
Connection: Keep-Alive
```
I consider the security warnings a non-blocker since we can't change the configuration of the QNAP proxy. Furthermore, Strict-Transport-Security is not applicable since we are probably in a mixed http/https environment, and X-Frame-Options looks to be set but I don't know why there is a warning...
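An added example, not part of this thread and not ownCloud's setupchecks.js: a small header checker that lowercases header names before comparing (the case-insensitivity point raised above) and joins repeated headers with ", " the way XMLHttpRequest.getResponseHeader() does, run over the response captured in this comment. It shows one way a header that is visibly present can still fail an exact-match check (X-Frame-Options is sent twice, so the joined value is "SAMEORIGIN, SAMEORIGIN") and flags the max-age=0 HSTS; the expected values and the 15552000-second minimum are assumptions.

```javascript
// Headers captured in this thread (ownCloud for QNAP 10.8.0 RC1), reduced to the ones the check needs.
const RAW_RESPONSE = [
  "HTTP/1.1 200 OK",
  "X-Frame-Options: SAMEORIGIN",
  "X-Content-Type-Options: nosniff",
  "X-XSS-Protection: 1; mode=block",
  "X-Frame-Options: SAMEORIGIN",
  "X-Permitted-Cross-Domain-Policies: none",
  "Strict-Transport-Security: max-age=0",
  "",
].join("\r\n");

// Recommended values, assumed here; setupchecks.js carries the authoritative list.
const EXPECTED = {
  "x-frame-options": "SAMEORIGIN",
  "x-content-type-options": "nosniff",
  "x-xss-protection": "1; mode=block",
  "x-permitted-cross-domain-policies": "none",
};
const HSTS_MIN_AGE = 15552000; // 180 days; assumed minimum for the HSTS check

// Parse a raw response into a Map keyed by lowercased header name. Repeated headers
// are joined with ", ", which is what XMLHttpRequest.getResponseHeader() returns.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    if (idx < 0) continue; // status line and blank separator carry no header
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers.set(name, headers.has(name) ? `${headers.get(name)}, ${value}` : value);
  }
  return headers;
}

// Names and values are compared case-insensitively; a header that is present still
// fails when its joined value is not the expected one.
function checkHeaders(headers) {
  const warnings = [];
  for (const [name, want] of Object.entries(EXPECTED)) {
    const got = headers.get(name);
    if (got === undefined) warnings.push(`${name}: missing, want "${want}"`);
    else if (got.toLowerCase() !== want.toLowerCase()) warnings.push(`${name}: got "${got}", want "${want}"`);
  }
  const hsts = headers.get("strict-transport-security");
  const m = hsts ? /max-age=(\d+)/i.exec(hsts) : null;
  const maxAge = m ? Number(m[1]) : 0;
  if (maxAge < HSTS_MIN_AGE) warnings.push(`strict-transport-security: max-age ${maxAge} below ${HSTS_MIN_AGE}`);
  return warnings;
}
```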
Seen with ownCloud for QNAP 10.8.0 RC1 from ownCloud_10.8.0_arm-x41.qpkg
The code integrity checker complains: