diff --git a/php/src/Controller/DockerController.php b/php/src/Controller/DockerController.php
index 835ed6d5..f271d3ec 100644
--- a/php/src/Controller/DockerController.php
+++ b/php/src/Controller/DockerController.php
@@ -281,6 +281,7 @@ readonly class DockerController {
 }
 public function startWatchtower(?\Closure $addToStreamingResponseBody = null) : void {
+ $this->dockerActionManager->verifyMastercontainerImageSignature();
 $id = 'nextcloud-aio-watchtower';
 $this->PerformRecursiveContainerStart($id, true, $addToStreamingResponseBody);
diff --git a/php/src/Docker/DockerActionManager.php b/php/src/Docker/DockerActionManager.php
index 18af9d33..5c3c3c98 100644
--- a/php/src/Docker/DockerActionManager.php
+++ b/php/src/Docker/DockerActionManager.php
@@ -586,7 +586,7 @@ readonly class DockerActionManager {
 );
 if (!is_resource($process)) {
- throw new \Exception('Could not run cosign to verify image ' . $imageName);
+ throw new \Exception('Could not execute cosign command to verify image ' . $imageName . '. Ensure cosign is installed and accessible.');
 }
 $stderr = stream_get_contents($pipes[2]);
@@ -594,10 +594,17 @@ readonly class DockerActionManager {
 $exitCode = proc_close($process);
 if ($exitCode !== 0) {
- throw new \Exception('Image signature verification failed for ' . $imageName . ': ' . ($stderr !== false ? $stderr : ''));
+ $stderrOutput = $stderr !== false ? $stderr : '';
+ error_log('cosign verification output for ' . $imageName . ': ' . $stderrOutput);
+ throw new \Exception('Image signature verification failed for ' . $imageName . '. The image may not be correctly signed.');
 }
 }
+ public function verifyMastercontainerImageSignature(): void {
+ $imageName = $this->GetCurrentImageName() . ':' . $this->GetCurrentChannel();
+ $this->verifyImageSignature($imageName);
+ }
 private function isContainerUpdateAvailable(string $id): string {
 $container = $this->containerDefinitionFetcher->GetContainerById($id);
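Review bot: The new first line of startWatchtower() calls verifyMastercontainerImageSignature() with no comment on why the watchtower start is gated on it, and since the callee throws on any failure, the exception now propagates out of startWatchtower() to a caller that is outside this hunk and whose handling I cannot see. A one-line why-comment above the call would make the fail-closed intent explicit: `// Fail closed: verifyMastercontainerImageSignature() throws if the mastercontainer image signature cannot be verified, so watchtower is never started on an unverified image.` The rest of startWatchtower() continues past the end of the hunk.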
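Review bot: The reworded throw in the is_resource() branch still uses a bare \Exception, as does the non-zero-exit throw in the following hunk, so a caller such as startWatchtower() cannot distinguish "cosign is not installed or not executable" from "the signature did not verify" without parsing message text. A small dedicated exception class (for example `final class ImageSignatureVerificationFailed extends \RuntimeException`) thrown from both sites, or at least two distinct classes, would let callers and log filters react to the two conditions differently. The enclosing verifyImageSignature() method starts before this hunk.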
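Review bot: The new exception message in the $exitCode !== 0 branch states "The image may not be correctly signed", but a non-zero cosign exit also results from registry or network errors and key/identity misconfiguration, and the only evidence is now in error_log(); the message should carry the exit code and point at the log, e.g. `throw new \Exception('Image signature verification failed for ' . $imageName . ' (cosign exit code ' . $exitCode . '); see the server error log for cosign output.');`. In verifyMastercontainerImageSignature(), the verified reference is built as name plus ':' plus channel, i.e. a tag; if verifyImageSignature() resolves that tag at the registry, the check covers whatever the tag currently points to rather than the image the running mastercontainer was started from, so verifying by the running container's digest would be the stronger pin — worth confirming against how verifyImageSignature() invokes cosign. The new public method also lacks a docblock; one stating that it verifies the signature of the mastercontainer image for the current channel and throws on failure would suffice. The enclosing verifyImageSignature() method starts before this hunk.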