daenamnu/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/all-in-one.git synced 2026-05-28 14:30:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

docs: document how to verify image signature in readme

Browse Source 
Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/0127a09a-2fa8-4d32-9215-751016cf7db9

Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
2026-04-27 01:17:50 +00:00
committed by GitHub
parent e5aaacf07e
commit 2a2e69f047
1 changed files with 19 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
readme.md
View File

@@ -231,6 +231,9 @@ sudo docker run \
> [!NOTE]
> For production usage (and ease of upgrades and changes), we suggest using the example [Compose file](https://github.com/nextcloud/all-in-one/blob/main/compose.yaml) rather than `docker run`.
> [!TIP]
> You can optionally verify the cryptographic signature of the mastercontainer image before running it. See [How to verify the image signature?](#how-to-verify-the-image-signature)
4. After the initial startup, open the Nextcloud AIO interface on port 8080 of this server **by IP address**, for example:
```txt
https://192.168.5.5:8080
@@ -357,6 +360,7 @@ https://your-domain-that-points-to-this-server.tld:8443
- [Update policy](#update-policy)
- [How often are update notifications sent?](#how-often-are-update-notifications-sent)
- [Huge docker logs](#huge-docker-logs)
- [How to verify the image signature?](#how-to-verify-the-image-signature)
### Where can I find additional documentation?
Some of the documentation is available on [GitHub Discussions](https://github.com/nextcloud/all-in-one/discussions/categories/wiki).
@@ -1285,6 +1289,21 @@ AIO ships its own update notifications implementation. It checks if container up
### Huge docker logs
If you should run into issues with huge docker logs, you can adjust the log size by following https://docs.docker.com/config/containers/logging/local/#usage. However for the included AIO containers, this should usually not be needed because almost all of them have the log level set to warn so they should not produce many logs.
### How to verify the image signature?
All AIO images published to `ghcr.io/nextcloud-releases/` are signed using [cosign](https://github.com/sigstore/cosign) with keyless signing via GitHub Actions (Sigstore). You can verify the signature of the mastercontainer image before running it by installing cosign and executing:
```sh
cosign verify \
--certificate-identity-regexp '^https://github\.com/nextcloud-releases/all-in-one/\.github/workflows/' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
ghcr.io/nextcloud-releases/all-in-one:latest
```
Replace `latest` with the tag you intend to run (e.g. `beta`). A successful verification prints the signing certificate details and exits with code 0. Any non-zero exit code means the signature could not be verified and you should **not** run that image.
> [!NOTE]
> AIO itself automatically verifies the cosign signature of every image it pulls from `ghcr.io/nextcloud-releases/` and refuses to pull images that fail verification. The manual command above lets you perform the same check independently before the initial `docker run`.
<details>
<summary>Badges</summary>