khanh.pndc/nextcloud-docs
1
0
Fork 0
mirror of https://github.com/nextcloud/documentation.git synced 2026-01-03 18:26:42 +07:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1924 from owncloud/add-code-signing

Browse Source 
Add some documentation about code signing
This commit is contained in:
Carla Schroder
2015-12-09 12:16:08 -08:00
parent 996837eef2 330bc8c8f6
commit 0dd30cb737
8 changed files with 729 additions and 295 deletions
Download Patch File Download Diff File Expand all files Collapse all files

217
admin_manual/issues/code_signing.rst Normal file
View File

@@ -0,0 +1,217 @@
============
Code Signing
============
.. sectionauthor:: Lukas Reschke <lukas@owncloud.com>
.. code_signing_label:
ownCloud supports code signing for the core releases, and for ownCloud
applications. Code signing gives our users an additional layer of security by
ensuring that nobody other than authorized persons can push updates.
It also ensures that all upgrades have been executed properly, so that no files
are left behind, and all old files are properly replaced. In the past, invalid
updates were a significant source of errors when updating ownCloud.
FAQ
---
Why Did ownCloud Add Code Signing?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
By supporting Code Signing we add another layer of security by ensuring that
nobody other than authorized persons can push updates for applications, and
ensuring proper upgrades.
Do We Lock Down ownCloud?
^^^^^^^^^^^^^^^^^^^^^^^^^
The ownCloud project is open source and always will be. We do not want to
make it more difficult for our users to run ownCloud. Any code signing errors on
upgrades will not prevent ownCloud from running, but will display a warning on
the Admin page. For applications that are not tagged "Official" the code signing
process is optional.
Not Open Source Anymore?
^^^^^^^^^^^^^^^^^^^^^^^^
The ownCloud project is open source and always will be. The code signing
process is optional, though highly recommended. The code check for the
core parts of ownCloud is enabled when the ownCloud release version branch has
been set to stable.
For custom distributions of ownCloud it is recommended to change the release
version branch in version.php to something else than "stable".
Is Code Signing Mandatory For Apps?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Code signing is optional for all third-party applications. Applications
with a tag of "Official" on apps.owncloud.com require code signing.
Fixing Invalid Code Integrity Messages
--------------------------------------
A code integrity error message ("There were problems with the code integrity
check. More information…") appears in a yellow banner at the top of your
ownCloud Web interface:
.. image:: images/code-integrity-notification.png
:alt: Code integrity warning banner.
Clicking on this link will take you to your ownCloud admin page, which provides
the following options:
1. Link to this documentation entry.
2. Show a list of invalid files.
3. Trigger a rescan.
.. image:: images/code-integrity-admin.png
:alt: Links for resolving code integrity warnings.
To debug issues caused by the code integrity check click on "List of invalid
files…", and you will be shown a text document listing the different issues. The
content of the file will look similar to the following example:
.. code-block:: text
Technical information
=====================
The following list covers which files have failed the integrity check. Please read
the previous linked documentation to learn more about the errors and how to fix
them.
Results
=======
- core
- INVALID_HASH
- /index.php
- /version.php
- EXTRA_FILE
- /test.php
- calendar
- EXCEPTION
- OC\IntegrityCheck\Exceptions\InvalidSignatureException
- Signature data not found.
Raw output
==========
Array
(
[core] => Array
(
[INVALID_HASH] => Array
(
[/index.php] => Array
(
[expected] =>
f1c5e2630d784bc9cb02d5a28f55d6f24d06dae2a0fee685f3
c2521b050955d9d452769f61454c9ddfa9c308146ade10546c
fa829794448eaffbc9a04a29d216
[current] =>
ce08bf30bcbb879a18b49239a9bec6b8702f52452f88a9d321
42cad8d2494d5735e6bfa0d8642b2762c62ca5be49f9bf4ec2
31d4a230559d4f3e2c471d3ea094
)
[/version.php] => Array
(
[expected] =>
c5a03bacae8dedf8b239997901ba1fffd2fe51271d13a00cc4
b34b09cca5176397a89fc27381cbb1f72855fa18b69b6f87d7
d5685c3b45aee373b09be54742ea
[current] =>
88a3a92c11db91dec1ac3be0e1c87f862c95ba6ffaaaa3f2c3
b8f682187c66f07af3a3b557a868342ef4a271218fe1c1e300
c478e6c156c5955ed53c40d06585
)
)
[EXTRA_FILE] => Array
(
[/test.php] => Array
(
[expected] =>
[current] =>
09563164f9904a837f9ca0b5f626db56c838e5098e0ccc1d8b
935f68fa03a25c5ec6f6b2d9e44a868e8b85764dafd1605522
b4af8db0ae269d73432e9a01e63a
)
)
)
[calendar] => Array
(
[EXCEPTION] => Array
(
[class] => OC\IntegrityCheck\Exceptions\InvalidSignature
Exception
[message] => Signature data not found.
)
)
)
In above error output it can be seen that:
1. In the ownCloud core (that is, the ownCloud server itself) the files
"index.php" and "version.php" do have the wrong version.
2. In the ownCloud core the unrequired extra file "/test.php" has been found.
3. It was not possible to verify the signature of the calendar application.
The solution is to upload the correct "index.php" and "version.php" files, and
delete the "test.php" file. For the calendar exception contact the developer of
the application. For other means on how to receive support please take a look at
https://owncloud.org/support/. After fixing these problems verify by clicking
"Rescan…".
Errors
------
The following errors can be encountered when trying to verify a code signature.
- ``INVALID_HASH``
- The file has a different hash than specified within ``signature.json``. This
usually happens when the file has been modified after writing the signature
data.
- ``MISSING_FILE``
- The file cannot be found but has been specified within ``signature.json``.
Either a required file has been left out, or ``signature.json`` needs to be
edited.
- ``EXTRA_FILE``
- The file does not exist in ``signature.json``. This usually happens when a
file has been removed and ``signature.json`` has not been updated.
- ``EXCEPTION``
- Another exception has prevented the code verification. There are currently
these following exceptions:
- ``Signature data not found.```
- The app has mandatory code signing enforced but no ``signature.json``
file has been found in its ``appinfo`` folder.
- ``Certificate is not valid.``
- The certificate has not been issued by the official ownCloud Code
Signing Root Authority.
- ``Certificate is not valid for required scope. (Requested: %s, current: %s)``
- The certificate is not valid for the defined application. Certificates
are only valid for the defined app identifier and cannot be used for
others.
- ``Signature could not get verified.``
- There was a problem with verifying the signature of ``signature.json``.

301
admin_manual/issues/general_troubleshooting.rst Normal file
View File

@@ -0,0 +1,301 @@
=======================
General Troubleshooting
=======================
If you have trouble installing, configuring or maintaining ownCloud, please
refer to our community support channels:
* `The ownCloud Forums`_
.. note:: The ownCloud forums have a `FAQ page`_ where each topic corresponds
to typical mistakes or frequently occurring issues
* `The ownCloud User mailing list`_
* The ownCloud IRC chat channel ``irc://#owncloud@freenode.net`` on
freenode.net, also accessible via `webchat`_
Please understand that all these channels essentially consist of users like you
helping each other out. Consider helping others out where you can, to
contribute
back for the help you get. This is the only way to keep a community like
ownCloud healthy and sustainable!
If you are using ownCloud in a business or otherwise large scale deployment,
note that ownCloud Inc. offers the `Enterprise Subscription`_ with commercial
support options.
Bugs
----
If you think you have found a bug in ownCloud, please:
* Search for a solution (see the options above)
* Double-check your configuration
If you can't find a solution, please use our `bugtracker`_.
.. _the ownCloud Forums: http://forum.owncloud.org
.. _FAQ page: https://forum.owncloud.org/viewforum.php?f=17
.. _the ownCloud User mailing list:
https://mailman.owncloud.org/mailman/listinfo/user
.. _webchat: http://webchat.freenode.net/?channels=owncloud
.. _Enterprise Subscription: https://owncloud.com/lp/community-or-enterprise/
.. _bugtracker:
http://doc.owncloud.org/server/9.0/developer_manual/bugtracker/index.html
.. TODO ON RELEASE: Update version number above on release
General Troubleshooting
-----------------------
When you see warnings about ``code integrity``, refer to :doc:`code_signing`.
Disable 3rdparty / non-shipped apps
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
It might be possible that 3rd party / non-shipped apps are causing various
different issues. Always disable 3rd party apps before upgrades, and for
troubleshooting. Please refer to the :ref:`apps_commands_label` on how
to disable an app from command line.
ownCloud Logfiles
^^^^^^^^^^^^^^^^^
In a standard ownCloud installation the log level is set to ``Normal``. To find
any issues you need to raise the log level to ``All`` in your ``config.php``
file, or to **Everything** on your ownCloud Admin page. Please see
:doc:`../configuration_server/logging_configuration` for more information on
these log levels.
Some logging - for example JavaScript console logging - needs manually editing
the configuration file. Edit :file:`config/config.php` and add
``define('DEBUG',
true);``::
<?php
define('DEBUG',true);
$CONFIG = array (
... configuration goes here ...
);
For JavaScript issues you will also need to view the javascript console. All
major browsers have developer tools for viewing the console, and you
usually access them by pressing F12. For Firefox we recommend to installing
the `Firebug extension <https://getfirebug.com/>`_.
.. note:: The logfile of ownCloud is located in the data directory
``owncloud/data/owncloud.log``.
.. _label-phpinfo:
PHP Version and Information
^^^^^^^^^^^^^^^^^^^^^^^^^^^
You will need to know your PHP version and configurations. To do this, create a
plain-text file named **phpinfo.php** and place it in your Web root, for
example ``/var/www/html/phpinfo.php``. (Your Web root may be in a different
location; your Linux distribution documentation will tell you where.) This file
contains just this line::
<?php phpinfo(); ?>
Open this file in a Web browser by pointing your browser to
``localhost/phpinfo.php``:
.. figure:: ../images/phpinfo.png
Your PHP version is at the top, and the rest of the page contains abundant
system information such as active modules, active `.ini` files, and much more.
When you are finished reviewing your information you must delete
``phpinfo.php``, or move it outside of your Web directory, because it is a
security risk to expose such sensitive data.
Debugging Sync Issues
^^^^^^^^^^^^^^^^^^^^^
.. note:: The data directory on the server is exclusive to ownCloud and must
not be modified manually.
Disregarding this can lead to unwanted behaviours like:
* Problems with sync clients
* Undetected changes due to caching in the database
If you need to directly upload files from the same server please use a WebDAV
command line client like ``cadaver`` to upload files to the WebDAV interface at:
https://example.org/owncloud/remote.php/webdav
Common problems / error messages
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Some common problems / error messages found in your logfiles as described above:
* ``SQLSTATE[HY000] [1040] Too many connections`` -> You need to increase the
connection limit of your database, please refer to the manual of your database
for more information.
* ``SQLSTATE[HY000]: General error: 5 database is locked`` -> You're using
``SQLite``
which can't handle a lot of parallel requests. Please consider converting to
another database like described in
:doc:`../configuration_database/db_conversion`.
* ``SQLSTATE[HY000]: General error: 2006 MySQL server has gone away`` -> The
database request takes too long and therefore the MySQL server times out. Its
also possible that the server is dropping a packet that is too large. Please
refer to the manual of your database for how to raise the config options
``wait_timeout`` and/or ``max_allowed_packet``.
* ``SQLSTATE[HY000] [2002] No such file or directory`` -> There is a problem
accessing your SQLite database file in your data directory
(``data/owncloud.db``). Please check the permissions of this folder/file or
if it exists at all. If you're using MySQL please start your database.
* ``Connection closed / Operation cancelled`` -> This could be caused by wrong
``KeepAlive`` settings within your Apache config. Make sure that
``KeepAlive`` is set to ``On`` and also try to raise the limits of
``KeepAliveTimeout`` and ``MaxKeepAliveRequests``.
* ``No basic authentication headers were found`` -> This error is shown in your
``data/owncloud.log`` file. Some Apache modules like ``mod_fastcgi``, ``mod_fcgid``
or ``mod_proxy_fcgi`` are not passing the needed authentication headers to
PHP and so the login to ownCloud via WebDAV, CalDAV and CardDAV clients is
failing. Information on how to correctly configure your environment can be
found at the `forums <https://forum.owncloud.org/viewtopic.php?f=17&t=30646>`_.
Troubleshooting Webserver and PHP problems
------------------------------------------
Logfiles
^^^^^^^^
When having issues the first step is to check the logfiles provided by PHP, the
Webserver and ownCloud itself.
.. note:: In the following the paths to the logfiles of a default Debian
installation running Apache2 with mod_php is assumed. On other webservers,
Linux distros or operating systems they can differ.
* The logfile of Apache2 is located in ``/var/log/apache2/error.log``.
* The logfile of PHP can be configured in your ``/etc/php5/apache2/php.ini``.
You need to set the directive ``log_errors`` to ``On`` and choose the path
to store the logfile in the ``error_log`` directive. After those changes you
need to restart your Webserver.
* The logfile of ownCloud is located in the data directory
``/var/www/owncloud/data/owncloud.log``.
Webserver and PHP modules
^^^^^^^^^^^^^^^^^^^^^^^^^
.. note:: Lighttpd is not supported with ownCloud, and some ownCloud features
may not work at all on Lighttpd.
There are some Webserver or PHP modules which are known to cause various
problems like broken up-/downloads. The following shows a draft overview of
these modules:
1. Apache
* mod_pagespeed
* mod_evasive
* mod_security
* mod_reqtimeout
* mod_deflate
* libapache2-mod-php5filter (use libapache2-mod-php5 instead)
* mod_spdy together with libapache2-mod-php5 / mod_php (use fcgi or php-fpm
instead)
* mod_dav
* mod_xsendfile / X-Sendfile (causing broken downloads if not configured
correctly)
2. NginX
* ngx_pagespeed
* HttpDavModule
* X-Sendfile (causing broken downloads if not configured correctly)
3. Mac OS X server
* mod_auth_apple
* com.apple.webapp.webdavsharing
4. PHP
* eAccelerator
Troubleshooting WebDAV
----------------------
ownCloud uses SabreDAV, and the SabreDAV documentation is comprehensive and
helpful.
.. note: Lighttpd is not supported on ownCloud, and Lighttpd WebDAV does not
work with ownCloud.
See:
* `SabreDAV FAQ <http://sabre.io/dav/faq/>`_
* `Webservers <http://sabre.io/dav/webservers>`_ (Lists lighttpd as not
recommended)
* `Working with large files <http://sabre.io/dav/large-files/>`_ (Shows a PHP
bug in older SabreDAV versions and information for mod_security problems)
* `0 byte files <http://sabre.io/dav/0bytes>`_ (Reasons for empty files on the
server)
* `Clients <http://sabre.io/dav/clients/>`_ (A comprehensive list of WebDAV
clients, and possible problems with each one)
* `Finder, OS X's built-in WebDAV client
<http://sabre.io/dav/clients/finder/>`_
(Describes problems with Finder on various webservers)
There is also a well maintained FAQ thread available at the `ownCloud Forums
<https://forum.owncloud.org/viewtopic.php?f=17&t=7536>`_
which contains various additional information about WebDAV problems.
Troubleshooting Contacts & Calendar
-----------------------------------
.. _service-discovery-label:
Service discovery
^^^^^^^^^^^^^^^^^
Some clients - especially iOS - have problems finding the proper sync URL, even
when explicitly configured to use it.
There are several techniques to remedy this, which are described extensively at
the `Sabre DAV website <http://sabre.io/dav/service-discovery/>`_.
If your ownCloud instance is installed in a subfolder under the web server's
document root and the client has difficulties finding the Cal- or CardDAV
end-points, configure your web server to redirect from a "well-known" URL to
the
one used by ownCloud. When using the Apache web server this is easily achieved
using a :file:`.htaccess` file in the document root of your site.
Say your instance is located in the ``owncloud`` folder, so the URL to it is
``ADDRESS/owncloud``, create or edit the :file:`.htaccess` file and add the
following lines::
Redirect 301 /.well-known/carddav /owncloud/remote.php/carddav
Redirect 301 /.well-known/caldav /owncloud/remote.php/caldav
Now change the URL in the client settings to just use ``ADDRESS`` instead of
e.g. ``ADDRESS/remote.php/carddav/principals/username``.
This problem is being discussed in the `forum
<http://forum.owncloud.org/viewtopic.php?f=3&t=71&p=2211#p2197>`_.
Unable to update Contacts or Events
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
If you get an error like ``PATCH https://ADDRESS/some_url HTTP/1.0 501 Not
Implemented`` it is likely caused by one of the following reasons:
Using Pound reverse-proxy/load balancer
As of writing this Pound doesn't support the HTTP/1.1 verb.
Pound is easily `patched
<http://www.apsis.ch/pound/pound_list/archive/2013/2013-08/1377264673000>`_
to support HTTP/1.1.
Other issues
------------
Some services like *Cloudflare* can cause issues by minimizing JavaScript
and loading it only when needed. When having issues like a not working
login button or creating new users make sure to disable such services
first.

BIN
admin_manual/issues/images/code-integrity-admin.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 29 KiB

BIN
admin_manual/issues/images/code-integrity-notification.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 9.1 KiB

301
admin_manual/issues/index.rst
View File

@@ -1,299 +1,10 @@
==========================
Issues and Troubleshooting
==========================
==========================
If you have trouble installing, configuring or maintaining ownCloud, please
refer to our community support channels:
.. toctree::
:maxdepth: 2
* `The ownCloud Forums`_
.. note:: The ownCloud forums have a `FAQ page`_ where each topic corresponds
to typical mistakes or frequently occurring issues
* `The ownCloud User mailing list`_
* The ownCloud IRC chat channel ``irc://#owncloud@freenode.net`` on
freenode.net, also accessible via `webchat`_
Please understand that all these channels essentially consist of users like you
helping each other out. Consider helping others out where you can, to
contribute
back for the help you get. This is the only way to keep a community like
ownCloud healthy and sustainable!
If you are using ownCloud in a business or otherwise large scale deployment,
note that ownCloud Inc. offers the `Enterprise Subscription`_ with commercial
support options.
Bugs
----
If you think you have found a bug in ownCloud, please:
* Search for a solution (see the options above)
* Double-check your configuration
If you can't find a solution, please use our `bugtracker`_.
.. _the ownCloud Forums: http://forum.owncloud.org
.. _FAQ page: https://forum.owncloud.org/viewforum.php?f=17
.. _the ownCloud User mailing list:
https://mailman.owncloud.org/mailman/listinfo/user
.. _webchat: http://webchat.freenode.net/?channels=owncloud
.. _Enterprise Subscription: https://owncloud.com/lp/community-or-enterprise/
.. _bugtracker:
http://doc.owncloud.org/server/9.0/developer_manual/bugtracker/index.html
.. TODO ON RELEASE: Update version number above on release
General Troubleshooting
-----------------------
Disable 3rdparty / non-shipped apps
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
It might be possible that 3rd party / non-shipped apps are causing various
different issues. Always disable 3rd party apps before upgrades, and for
troubleshooting. Please refer to the :ref:`apps_commands_label` on how
to disable an app from command line.
ownCloud Logfiles
^^^^^^^^^^^^^^^^^
In a standard ownCloud installation the log level is set to ``Normal``. To find
any issues you need to raise the log level to ``All`` in your ``config.php``
file, or to **Everything** on your ownCloud Admin page. Please see
:doc:`../configuration_server/logging_configuration` for more information on
these log levels.
Some logging - for example JavaScript console logging - needs manually editing
the configuration file. Edit :file:`config/config.php` and add
``define('DEBUG',
true);``::
<?php
define('DEBUG',true);
$CONFIG = array (
... configuration goes here ...
);
For JavaScript issues you will also need to view the javascript console. All
major browsers have developer tools for viewing the console, and you
usually access them by pressing F12. For Firefox we recommend to installing
the `Firebug extension <https://getfirebug.com/>`_.
.. note:: The logfile of ownCloud is located in the data directory
``owncloud/data/owncloud.log``.
.. _label-phpinfo:
PHP Version and Information
^^^^^^^^^^^^^^^^^^^^^^^^^^^
You will need to know your PHP version and configurations. To do this, create a
plain-text file named **phpinfo.php** and place it in your Web root, for
example ``/var/www/html/phpinfo.php``. (Your Web root may be in a different
location; your Linux distribution documentation will tell you where.) This file
contains just this line::
<?php phpinfo(); ?>
Open this file in a Web browser by pointing your browser to
``localhost/phpinfo.php``:
.. figure:: ../images/phpinfo.png
Your PHP version is at the top, and the rest of the page contains abundant
system information such as active modules, active `.ini` files, and much more.
When you are finished reviewing your information you must delete
``phpinfo.php``, or move it outside of your Web directory, because it is a
security risk to expose such sensitive data.
Debugging Sync Issues
^^^^^^^^^^^^^^^^^^^^^
.. note:: The data directory on the server is exclusive to ownCloud and must
not be modified manually.
Disregarding this can lead to unwanted behaviours like:
* Problems with sync clients
* Undetected changes due to caching in the database
If you need to directly upload files from the same server please use a WebDAV
command line client like ``cadaver`` to upload files to the WebDAV interface at:
https://example.org/owncloud/remote.php/webdav
Common problems / error messages
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Some common problems / error messages found in your logfiles as described above:
* ``SQLSTATE[HY000] [1040] Too many connections`` -> You need to increase the
connection limit of your database, please refer to the manual of your database
for more information.
* ``SQLSTATE[HY000]: General error: 5 database is locked`` -> You're using
``SQLite``
which can't handle a lot of parallel requests. Please consider converting to
another database like described in
:doc:`../configuration_database/db_conversion`.
* ``SQLSTATE[HY000]: General error: 2006 MySQL server has gone away`` -> The
database request takes too long and therefore the MySQL server times out. Its
also possible that the server is dropping a packet that is too large. Please
refer to the manual of your database for how to raise the config options
``wait_timeout`` and/or ``max_allowed_packet``.
* ``SQLSTATE[HY000] [2002] No such file or directory`` -> There is a problem
accessing your SQLite database file in your data directory
(``data/owncloud.db``). Please check the permissions of this folder/file or
if it exists at all. If you're using MySQL please start your database.
* ``Connection closed / Operation cancelled`` -> This could be caused by wrong
``KeepAlive`` settings within your Apache config. Make sure that
``KeepAlive`` is set to ``On`` and also try to raise the limits of
``KeepAliveTimeout`` and ``MaxKeepAliveRequests``.
* ``No basic authentication headers were found`` -> This error is shown in your
``data/owncloud.log`` file. Some Apache modules like ``mod_fastcgi``, ``mod_fcgid``
or ``mod_proxy_fcgi`` are not passing the needed authentication headers to
PHP and so the login to ownCloud via WebDAV, CalDAV and CardDAV clients is
failing. Information on how to correctly configure your environment can be
found at the `forums <https://forum.owncloud.org/viewtopic.php?f=17&t=30646>`_.
Troubleshooting Webserver and PHP problems
------------------------------------------
Logfiles
^^^^^^^^
When having issues the first step is to check the logfiles provided by PHP, the
Webserver and ownCloud itself.
.. note:: In the following the paths to the logfiles of a default Debian
installation running Apache2 with mod_php is assumed. On other webservers,
Linux distros or operating systems they can differ.
* The logfile of Apache2 is located in ``/var/log/apache2/error.log``.
* The logfile of PHP can be configured in your ``/etc/php5/apache2/php.ini``.
You need to set the directive ``log_errors`` to ``On`` and choose the path
to store the logfile in the ``error_log`` directive. After those changes you
need to restart your Webserver.
* The logfile of ownCloud is located in the data directory
``/var/www/owncloud/data/owncloud.log``.
Webserver and PHP modules
^^^^^^^^^^^^^^^^^^^^^^^^^
.. note:: Lighttpd is not supported with ownCloud, and some ownCloud features
may not work at all on Lighttpd.
There are some Webserver or PHP modules which are known to cause various
problems like broken up-/downloads. The following shows a draft overview of
these modules:
1. Apache
* mod_pagespeed
* mod_evasive
* mod_security
* mod_reqtimeout
* mod_deflate
* libapache2-mod-php5filter (use libapache2-mod-php5 instead)
* mod_spdy together with libapache2-mod-php5 / mod_php (use fcgi or php-fpm
instead)
* mod_dav
* mod_xsendfile / X-Sendfile (causing broken downloads if not configured
correctly)
2. NginX
* ngx_pagespeed
* HttpDavModule
* X-Sendfile (causing broken downloads if not configured correctly)
3. Mac OS X server
* mod_auth_apple
* com.apple.webapp.webdavsharing
4. PHP
* eAccelerator
Troubleshooting WebDAV
----------------------
ownCloud uses SabreDAV, and the SabreDAV documentation is comprehensive and
helpful.
.. note: Lighttpd is not supported on ownCloud, and Lighttpd WebDAV does not
work with ownCloud.
See:
* `SabreDAV FAQ <http://sabre.io/dav/faq/>`_
* `Webservers <http://sabre.io/dav/webservers>`_ (Lists lighttpd as not
recommended)
* `Working with large files <http://sabre.io/dav/large-files/>`_ (Shows a PHP
bug in older SabreDAV versions and information for mod_security problems)
* `0 byte files <http://sabre.io/dav/0bytes>`_ (Reasons for empty files on the
server)
* `Clients <http://sabre.io/dav/clients/>`_ (A comprehensive list of WebDAV
clients, and possible problems with each one)
* `Finder, OS X's built-in WebDAV client
<http://sabre.io/dav/clients/finder/>`_
(Describes problems with Finder on various webservers)
There is also a well maintained FAQ thread available at the `ownCloud Forums
<https://forum.owncloud.org/viewtopic.php?f=17&t=7536>`_
which contains various additional information about WebDAV problems.
Troubleshooting Contacts & Calendar
-----------------------------------
.. _service-discovery-label:
Service discovery
^^^^^^^^^^^^^^^^^
Some clients - especially iOS - have problems finding the proper sync URL, even
when explicitly configured to use it.
There are several techniques to remedy this, which are described extensively at
the `Sabre DAV website <http://sabre.io/dav/service-discovery/>`_.
If your ownCloud instance is installed in a subfolder under the web server's
document root and the client has difficulties finding the Cal- or CardDAV
end-points, configure your web server to redirect from a "well-known" URL to
the
one used by ownCloud. When using the Apache web server this is easily achieved
using a :file:`.htaccess` file in the document root of your site.
Say your instance is located in the ``owncloud`` folder, so the URL to it is
``ADDRESS/owncloud``, create or edit the :file:`.htaccess` file and add the
following lines::
Redirect 301 /.well-known/carddav /owncloud/remote.php/carddav
Redirect 301 /.well-known/caldav /owncloud/remote.php/caldav
Now change the URL in the client settings to just use ``ADDRESS`` instead of
e.g. ``ADDRESS/remote.php/carddav/principals/username``.
This problem is being discussed in the `forum
<http://forum.owncloud.org/viewtopic.php?f=3&t=71&p=2211#p2197>`_.
Unable to update Contacts or Events
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
If you get an error like ``PATCH https://ADDRESS/some_url HTTP/1.0 501 Not
Implemented`` it is likely caused by one of the following reasons:
Using Pound reverse-proxy/load balancer
As of writing this Pound doesn't support the HTTP/1.1 verb.
Pound is easily `patched
<http://www.apsis.ch/pound/pound_list/archive/2013/2013-08/1377264673000>`_
to support HTTP/1.1.
Other issues
------------
Some services like *Cloudflare* can cause issues by minimizing JavaScript
and loading it only when needed. When having issues like a not working
login button or creating new users make sure to disable such services
first.
general_troubleshooting
code_signing

200
developer_manual/app/code_signing.rst Normal file
View File

@@ -0,0 +1,200 @@
============
Code Signing
============
.. sectionauthor:: Lukas Reschke <lukas@owncloud.com>
ownCloud supports code signing for the core releases, and for ownCloud
applications. Code signing gives our users an additional layer of security by
ensuring that nobody other than authorized persons can push updates.
It also ensures that all upgrades have been executed properly, so that no files
are left behind, and all old files are properly replaced. In the past, invalid
updates were a significant source of errors when updating ownCloud.
FAQ
---
Why Did ownCloud Add Code Signing?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
By supporting Code Signing we add another layer of security by ensuring that
nobody other than authorized persons can push updates for applications, and
ensuring proper upgrades.
Do We Lock Down ownCloud?
^^^^^^^^^^^^^^^^^^^^^^^^^
The ownCloud project is open source and always will be. We do not want to make
it more difficult for our users to run ownCloud. Any code signing errors on
upgrades will not prevent ownCloud from running, but will display a warning on
the Admin page. For applications that are not tagged "Official" the code signing
process is optional.
Not Open Source Anymore?
^^^^^^^^^^^^^^^^^^^^^^^^
The ownCloud project is open source and always will be. The code signing
process is optional, though highly recommended. The code check for the
core parts of ownCloud is enabled when the ownCloud release version branch has
been set to stable.
For custom distributions of ownCloud it is recommended to change the release
version branch in version.php to something else than "stable".
Is Code Signing Mandatory For Apps?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Code signing is optional for all third-party applications. Applications
with a tag of "Official" on apps.owncloud.com require code signing.
Technical details
-----------------
ownCloud uses a X.509 based approach to handle authentication of code. Each
ownCloud release contains the certificate of a shipped ownCloud Code Signing
Root Authority. The private key of this certificate is only accessible to the
project leader, who may grant trusted project members with a copy of this
private key.
This Root Authority is only used for signing certificate signing requests (CSRs)
for additional certificates. Certificates issued by the Root Authority must
always to be limited to a specific scope, usually the application identifier.
This enforcement is done using the ``CN`` attribute of the certificate.
Code signing is then done by creating a ``signature.json`` file with the
following content:
.. code-block:: json
{
"hashes": {
"/filename.php":
"2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350b
ccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d",
"/lib/base.php":
"55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2
effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9"
},
"certificate": "-----BEGIN CERTIFICATE-----
MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\
nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\
nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\
nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\
nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\
nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\
nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\
nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\
njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\
niG+UxI/MNcWV0uJg9S63LF8=\n
-----END CERTIFICATE-----",
"signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl"
}
``hashes`` is an array of all files in the folder with their corresponding
SHA-512 hashes. ``certificate`` is the certificate used for signing. It has to
be issued by the ownCloud Root Authority, and its CN needs to be permitted to
perform the required action. The ``signature`` is then a signature of the hashes
which can be verified using the certificate.
Having the certificate bundled within the ``signature.json`` file has the
advantage that even if a developer loses their certificate, future updates can
still be ensured by having a new certificate issued.
How Code Signing Affects Apps in the App Store
----------------------------------------------
- Apps which have an ``official`` tag **MUST** be code signed starting with
ownCloud 9.0. Unsigned ``official`` apps won't be installable anymore.
- Apps which have been signed in a previous release **MUST** be code-signed in
all future releases as well, otherwise the update will be refused.
How to Get Your App Signed
--------------------------
The following commands require that you have OpenSSL installed on your machine.
Ensure that you keep all generated files to sign your application. The following
examples will assume that you are trying to sign an application named
"contacts".
1. Generate a private key and CSR: ``openssl req -new -newkey rsa:2048 -nodes
-keyout contacts.key -out contacts.csr``
- Country Name: [press enter]
- State or Province name: [press enter]
- Organization Name: [press enter]
- Organizational Unit Name: [press enter]
- Common Name: contacts
- Email Address: [press enter]
- A challenge password: [press enter]
- An optional company name: [press enter]
2. Post the CSR at https://github.com/owncloud/appstore-issues, and configure
your GitHub account to show your mail address in your profile. ownCloud
might ask you for further information to verify that you're the legitimate
owner of the application.
3. ownCloud will provide you with the signed certificate.
4. Run ``./occ integrity:sign-app`` to sign your application, and specify
your private and the public key. A valid example looks like: ``./occ
integrity:sign-app --privateKey=/Users/lukasreschke/contacts.key
--certificate=/Users/lukasreschke/CA/contacts.crt --appId=contacts``
The occ tool will store a ``signature.json`` file within the ``appinfo`` folder
of your application. Then compress the application folder and upload it to
apps.owncloud.com. Be aware that doing any changes to the application after it
has been signed requires another signing. So if you do not want to have some
files shipped remove them before running the signing command.
In case you lose your certificate please submit a new CSR as described above and
mention that you have lost the previous one. ownCloud will revoke the old
certificate.
Errors
------
The following errors can be encountered when trying to verify a code signature.
For information about how to get access to those results please refer to the
Issues section of the ownCloud Server Administration
manual.
- ``INVALID_HASH``
- The file has a different hash than specified within ``signature.json``. This
usually happens when the file has been modified after writing the signature
data.
- ``MISSING_FILE``
- The file cannot be found but has been specified within ``signature.json``.
Either a required file has been left out, or ``signature.json`` needs to be
edited.
- ``EXTRA_FILE``
- The file does not exist in ``signature.json``. This usually happens when a
file has been removed and ``signature.json`` has not been updated.
- ``EXCEPTION``
- Another exception has prevented the code verification. There are currently
these following exceptions:
- ``Signature data not found.```
- The app has mandatory code signing enforced but no ``signature.json``
file has been found in its ``appinfo`` folder.
- ``Certificate is not valid.``
- The certificate has not been issued by the official ownCloud Code
Signing Root Authority.
- ``Certificate is not valid for required scope. (Requested: %s, current:
%s)``
- The certificate is not valid for the defined application. Certificates
are only valid for the defined app identifier and cannot be used for
others.
- ``Signature could not get verified.``
- There was a problem with verifying the signature of ``signature.json``.

4
developer_manual/app/index.rst
View File

@@ -61,6 +61,10 @@ Once you are ready for publishing, check out the app store process:
* :doc:`publishing`
For enhanced security it is also possible to sign your code:
* :doc:`code_signing`
App development
===============
Take a look at the changes in this version:

1
go.php
View File

@@ -24,6 +24,7 @@ $mapping = array(
'admin-reverse-proxy' => '/admin_manual/configuration_server/reverse_proxy_configuration.html',
'admin-php-fpm' => '/admin_manual/installation/source_installation.html#configuration-notes-to-php-fpm',
'admin-transactional-locking' => '/admin_manual/configuration_files/files_locking_transactional.html',
'admin-code-integrity' => '/admin_manual/issues/code_signing.html',
'developer-theming' => '/developer_manual/core/theming.html',