Code signing is a major feature of ownCloud 9.0

Mar 1, 2016 21:30 GMT  ·  By

The ownCloud 9.0 self-hosting cloud server will be officially released in the coming weeks with numerous new features, some of which we have revealed here during the past few months, but there are some more to be unveiled soon.

One of these upcoming features is code signing, which will be among the main attractions of the major ownCloud 9.0 release, as it promises to offer users a safer home for all their data by verifying the integrity of their ownCloud installations.

Thanks to code signing and verification, you can rest assured that your entire ownCloud server is safe and secure. If one or more of the installation files are changed by a malevolent third party, the administrator will be immediately notified.

"Signing is performed by generating a cryptographically signed checksum over the content of the files. This checksum is verified before executing the code or before or after certain operations like upgrading or installation," ownCloud developers explain.
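The scheme described in the quote, a signed checksum list that is verified against the files on disk, as an added example that is not ownCloud's code. The Ed25519 key, the manifest layout and the file names are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha512"
	"fmt"
	"sort"
	"strings"
)

// Manifest returns sorted "sha512  path" lines (layout assumed here, not ownCloud's format).
func Manifest(files map[string][]byte) string {
	lines := make([]string, 0, len(files))
	for p, data := range files {
		lines = append(lines, fmt.Sprintf("%x  %s\n", sha512.Sum512(data), p))
	}
	sort.Strings(lines)
	return strings.Join(lines, "")
}
// Verify checks the manifest signature first, then reports files that differ from the manifest.
func Verify(pub ed25519.PublicKey, manifest string, sig []byte, installed map[string][]byte) (map[string]string, error) {
	if !ed25519.Verify(pub, []byte(manifest), sig) {
		return nil, fmt.Errorf("manifest signature invalid")
	}
	want := map[string]string{}
	for _, line := range strings.Split(manifest, "\n") {
		if sum, p, ok := strings.Cut(line, "  "); ok {
			want[p] = sum
		}
	}
	status := map[string]string{}
	for p, data := range installed {
		if sum, ok := want[p]; !ok {
			status[p] = "extra"
		} else if sum != fmt.Sprintf("%x", sha512.Sum512(data)) {
			status[p] = "modified"
		}
		delete(want, p) // whatever stays in want is absent from the installation
	}
	for p := range want {
		status[p] = "missing"
	}
	return status, nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key; nil selects crypto/rand
	m := Manifest(map[string][]byte{"index.php": []byte("<?php // v1"), "lib/base.php": []byte("<?php // lib")})
	installed := map[string][]byte{"index.php": []byte("<?php // changed"), "extra.php": nil}
	fmt.Println(Verify(pub, m, ed25519.Sign(priv, []byte(m)), installed))
}
```

A manifest regenerated over altered files fails the signature check unless it is signed again with the publisher's private key, so the result depends on how that key is kept.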

Reliable upgrades, improved security

The main reason behind the implementation of code signing in ownCloud is to provide users with a more reliable upgrade process, as well as an extra layer of security for their self-hosting cloud server installation, but it's also an important step towards more secure application delivery.

It is a known fact that installing ownCloud apps could modify some of the installation files on the server because they're not fully sandboxed. Follow the code signing steps to cryptographically sign the applications and verify them during installation and execution.

When we say cryptographically signing apps, we mean the current version and future updates, something that application developers need to be aware of when publishing new versions of their apps, and something that they need to learn how to do now before ownCloud 9.0 hits the streets.

"This measure makes even active MITM attacks with valid SSL certificates infeasible. Even in the worst-case scenario of a hacked application store, it is not possible to fake the signature, as we do not store sensitive key material on this machine and the keys are only accessible to a very small number of people," says Lukas Reschke, ownCloud security expert.

Of course, this is part of ongoing work on making ownCloud upgrades more robust, which we talked about in mid-January 2016, when we reported that the entire upgrade process will be separated from the rest of the ownCloud installation.

Update: We're updating the article with a little note from ownCloud's Lukas Reschke, who says that the code signing functionality will not detect runtime modifications; it checks for changes only when installing or updating your ownCloud server!