From e5aaacf07ef5f0256732ae5937173cfae457c6f0 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 27 Apr 2026 01:14:47 +0000
Subject: [PATCH] feat: verify mastercontainer image signature before starting
 watchtower

Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/a09baa5e-3611-40ef-a9a2-d14d9db094b1

Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
---
 php/src/Controller/DockerController.php |  1 +
 php/src/Docker/DockerActionManager.php  | 11 +++++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/php/src/Controller/DockerController.php b/php/src/Controller/DockerController.php
index 835ed6d5..f271d3ec 100644
--- a/php/src/Controller/DockerController.php
+++ b/php/src/Controller/DockerController.php
@@ -281,6 +281,7 @@ readonly class DockerController {
     }
 
     public function startWatchtower(?\Closure $addToStreamingResponseBody = null) : void {
+        $this->dockerActionManager->verifyMastercontainerImageSignature();
         $id = 'nextcloud-aio-watchtower';
 
         $this->PerformRecursiveContainerStart($id, true, $addToStreamingResponseBody);
diff --git a/php/src/Docker/DockerActionManager.php b/php/src/Docker/DockerActionManager.php
index 18af9d33..5c3c3c98 100644
--- a/php/src/Docker/DockerActionManager.php
+++ b/php/src/Docker/DockerActionManager.php
@@ -586,7 +586,7 @@ readonly class DockerActionManager {
         );
 
         if (!is_resource($process)) {
-            throw new \Exception('Could not run cosign to verify image ' . $imageName);
+            throw new \Exception('Could not execute cosign command to verify image ' . $imageName . '. Ensure cosign is installed and accessible.');
         }
 
         $stderr = stream_get_contents($pipes[2]);
@@ -594,10 +594,17 @@ readonly class DockerActionManager {
         $exitCode = proc_close($process);
 
         if ($exitCode !== 0) {
-            throw new \Exception('Image signature verification failed for ' . $imageName . ': ' . ($stderr !== false ? $stderr : ''));
+            $stderrOutput = $stderr !== false ? $stderr : '';
+            error_log('cosign verification output for ' . $imageName . ': ' . $stderrOutput);
+            throw new \Exception('Image signature verification failed for ' . $imageName . '. The image may not be correctly signed.');
         }
     }
 
+    public function verifyMastercontainerImageSignature(): void {
+        $imageName = $this->GetCurrentImageName() . ':' . $this->GetCurrentChannel();
+        $this->verifyImageSignature($imageName);
+    }
+
     private function isContainerUpdateAvailable(string $id): string {
         $container = $this->containerDefinitionFetcher->GetContainerById($id);