From c962fcc10cd45274cd36a622c659ac73e9c7597d Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 27 Apr 2026 01:20:12 +0000
Subject: [PATCH] fix: extend signature verification and docs to cover Docker Hub nextcloud/all-in-one image
Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/c9cb8e66-7b4f-4e38-ba33-b9568de6d421
Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
---
 php/src/Docker/DockerActionManager.php | 7 ++++---
 readme.md | 13 +++++++++++--
 2 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/php/src/Docker/DockerActionManager.php b/php/src/Docker/DockerActionManager.php
index 5c3c3c98..6f35ed06 100644
--- a/php/src/Docker/DockerActionManager.php
+++ b/php/src/Docker/DockerActionManager.php
@@ -559,9 +559,10 @@ readonly class DockerActionManager {
 }
 private function verifyImageSignature(string $imageName): void {
- // Only verify images from the nextcloud-releases ghcr.io registry,
- // as those are the images signed via the CI workflows in PR #97.
- if (!str_starts_with($imageName, 'ghcr.io/nextcloud-releases/')) {
+ // Only verify images from the nextcloud-releases ghcr.io registry or
+ // the nextcloud/all-in-one Docker Hub image, as those are the images
+ // signed via the CI workflows in PR #97.
+ if (!str_starts_with($imageName, 'ghcr.io/nextcloud-releases/') && !str_starts_with($imageName, 'nextcloud/all-in-one')) {
 return;
 }
diff --git a/readme.md b/readme.md
index 2fb370e5..912a874d 100644
--- a/readme.md
+++ b/readme.md
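Review bot: The new Docker Hub prefix `nextcloud/all-in-one` in the `if` guard does not match the registry-qualified spellings `docker.io/nextcloud/all-in-one` or `index.docker.io/nextcloud/all-in-one`, and since a non-match hits the early `return;`, an image referenced that way would be pulled with no signature check at all instead of failing closed. Whether AIO ever builds such a reference is not visible in this hunk, but this condition is the gate for the whole verification, so it should tolerate the qualified form, e.g. `$unqualified = preg_replace('#^(index\.)?docker\.io/#', '', $imageName);` followed by `if (!str_starts_with($imageName, 'ghcr.io/nextcloud-releases/') && !str_starts_with($unqualified, 'nextcloud/all-in-one')) {`. Matching the bare prefix without a `:` or `@` delimiter also catches any `nextcloud/all-in-one*` sibling name, which only triggers extra verification and is therefore the safe direction, though `'nextcloud/all-in-one:'` / `'nextcloud/all-in-one@'` would make the intent explicit. The diff does not show the cosign identity/issuer policy applied further down in verifyImageSignature being updated for the Docker Hub image, so confirm the same certificate identity regexp and OIDC issuer are enforced there; the method's body continues outside the hunk.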
@@ -1290,8 +1290,9 @@ AIO ships its own update notifications implementation. It checks if container up
 If you should run into issues with huge docker logs, you can adjust the log size by following https://docs.docker.com/config/containers/logging/local/#usage. However for the included AIO containers, this should usually not be needed because almost all of them have the log level set to warn so they should not produce many logs.
 ### How to verify the image signature?
-All AIO images published to `ghcr.io/nextcloud-releases/` are signed using [cosign](https://github.com/sigstore/cosign) with keyless signing via GitHub Actions (Sigstore). You can verify the signature of the mastercontainer image before running it by installing cosign and executing:
+All AIO images published to `ghcr.io/nextcloud-releases/` and the `nextcloud/all-in-one` Docker Hub image are signed using [cosign](https://github.com/sigstore/cosign) with keyless signing via GitHub Actions (Sigstore). You can verify the signature of the mastercontainer image before running it by installing cosign and executing one of the following commands depending on which registry you use:
+For `ghcr.io/nextcloud-releases/all-in-one` (GitHub Container Registry):
 ```sh
 cosign verify \
 --certificate-identity-regexp '^https://github\.com/nextcloud-releases/all-in-one/\.github/workflows/' \
@@ -1299,10 +1300,18 @@ cosign verify \
 ghcr.io/nextcloud-releases/all-in-one:latest
 ```
+For `nextcloud/all-in-one` (Docker Hub):
+```sh
+cosign verify \
+ --certificate-identity-regexp '^https://github\.com/nextcloud-releases/all-in-one/\.github/workflows/' \
+ --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
+ nextcloud/all-in-one:latest
+```
+
 Replace `latest` with the tag you intend to run (e.g. `beta`). A successful verification prints the signing certificate details and exits with code 0. Any non-zero exit code means the signature could not be verified and you should **not** run that image.
 > [!NOTE]
-> AIO itself automatically verifies the cosign signature of every image it pulls from `ghcr.io/nextcloud-releases/` and refuses to pull images that fail verification. The manual command above lets you perform the same check independently before the initial `docker run`.
+> AIO itself automatically verifies the cosign signature of every image it pulls from `ghcr.io/nextcloud-releases/` or `nextcloud/all-in-one` (Docker Hub) and refuses to pull images that fail verification. The manual command above lets you perform the same check independently before the initial `docker run`.