feat: verify mastercontainer image signature before starting watchtower

Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/a09baa5e-3611-40ef-a9a2-d14d9db094b1

Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>

php/src/Controller/DockerController.php

@@ -281,6 +281,7 @@ readonly class DockerController {
     }
 
     public function startWatchtower(?\Closure $addToStreamingResponseBody = null) : void {
+        $this->dockerActionManager->verifyMastercontainerImageSignature();
         $id = 'nextcloud-aio-watchtower';
 
         $this->PerformRecursiveContainerStart($id, true, $addToStreamingResponseBody);

php/src/Docker/DockerActionManager.php

@@ -586,7 +586,7 @@ readonly class DockerActionManager {
         );
 
         if (!is_resource($process)) {
-            throw new \Exception('Could not run cosign to verify image ' . $imageName);
+            throw new \Exception('Could not execute cosign command to verify image ' . $imageName . '. Ensure cosign is installed and accessible.');
         }
 
         $stderr = stream_get_contents($pipes[2]);
@@ -594,10 +594,17 @@ readonly class DockerActionManager {
         $exitCode = proc_close($process);
 
         if ($exitCode !== 0) {
-            throw new \Exception('Image signature verification failed for ' . $imageName . ': ' . ($stderr !== false ? $stderr : ''));
+            $stderrOutput = $stderr !== false ? $stderr : '';
+            error_log('cosign verification output for ' . $imageName . ': ' . $stderrOutput);
+            throw new \Exception('Image signature verification failed for ' . $imageName . '. The image may not be correctly signed.');
         }
     }
 
+    public function verifyMastercontainerImageSignature(): void {
+        $imageName = $this->GetCurrentImageName() . ':' . $this->GetCurrentChannel();
+        $this->verifyImageSignature($imageName);
+    }
+
     private function isContainerUpdateAvailable(string $id): string {
         $container = $this->containerDefinitionFetcher->GetContainerById($id);