feat: add skip_cosign_check URL parameter to temporarily bypass cosign verification

Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/d269a60b-15fe-4f81-a51e-c4d8212e0d5b Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
2026-05-21 02:40:09 +00:00 · 2026-04-27 01:29:36 +00:00
parent c962fcc10c
commit eea59927f8
4 changed files with 19 additions and 4 deletions
--- a/php/public/index.php
+++ b/php/public/index.php
@@ -128,6 +128,7 @@ $app->get('/containers', function (Request $request, Response $response, array $
    $bypass_mastercontainer_update = isset($params['bypass_mastercontainer_update']);
    $bypass_container_update = isset($params['bypass_container_update']);
    $skip_domain_validation = isset($params['skip_domain_validation']);
+    $skip_cosign_check = isset($params['skip_cosign_check']);

    return $view->render($response, 'containers.twig', [
        'domain' => $configurationManager->domain,
@@ -180,6 +181,7 @@ $app->get('/containers', function (Request $request, Response $response, array $
        'community_containers' => $configurationManager->listAvailableCommunityContainers(),
        'community_containers_enabled' => $configurationManager->aioCommunityContainers,
        'bypass_container_update' => $bypass_container_update,
+        'skip_cosign_check' => $skip_cosign_check,
    ]);
 })->setName('profile');
 $app->get('/login', function (Request $request, Response $response, array $args) use ($container) {
--- a/php/src/Controller/DockerController.php
+++ b/php/src/Controller/DockerController.php
@@ -273,15 +273,18 @@ readonly class DockerController {
        $nonbufResp = $this->startStreamingResponse($response);
        $addToStreamingResponseBody = $this->getAddToStreamingResponseBody($nonbufResp);

-        $this->startWatchtower($addToStreamingResponseBody);
+        // Allow temporarily skipping the cosign check via a POST body parameter
+        $skipCosignCheck = isset($request->getParsedBody()['skip_cosign_check']);
+
+        $this->startWatchtower($addToStreamingResponseBody, $skipCosignCheck);

        // End streaming response
        $this->finalizeStreamingResponse($nonbufResp);
        return $nonbufResp;
    }

-    public function startWatchtower(?\Closure $addToStreamingResponseBody = null) : void {
-        $this->dockerActionManager->verifyMastercontainerImageSignature();
+    public function startWatchtower(?\Closure $addToStreamingResponseBody = null, bool $skipCosignCheck = false) : void {
+        $this->dockerActionManager->verifyMastercontainerImageSignature($skipCosignCheck);
        $id = 'nextcloud-aio-watchtower';

        $this->PerformRecursiveContainerStart($id, true, $addToStreamingResponseBody);
--- a/php/src/Docker/DockerActionManager.php
+++ b/php/src/Docker/DockerActionManager.php
@@ -601,7 +601,11 @@ readonly class DockerActionManager {
        }
    }

-    public function verifyMastercontainerImageSignature(): void {
+    public function verifyMastercontainerImageSignature(bool $skipCosignCheck = false): void {
+        if ($skipCosignCheck) {
+            error_log('WARNING: Skipping cosign signature verification for mastercontainer image. This should only be done temporarily.');
+            return;
+        }
        $imageName = $this->GetCurrentImageName() . ':' . $this->GetCurrentChannel();
        $this->verifyImageSignature($imageName);
    }
--- a/php/templates/containers.twig
+++ b/php/templates/containers.twig
@@ -93,6 +93,9 @@
                        <form method="POST" action="api/docker/watchtower" target="overlay-log">
                            <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                            <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
+                            {% if skip_cosign_check == true %}
+                                <input type="hidden" name="skip_cosign_check" value="true">
+                            {% endif %}
                            <input type="submit" value="Update mastercontainer" />
                        </form>
                    {% else %}
@@ -335,6 +338,9 @@
                                <form method="POST" action="api/docker/watchtower" target="overlay-log">
                                    <input type="hidden" name="{{csrf.keys.name}}" value="{{csrf.name}}">
                                    <input type="hidden" name="{{csrf.keys.value}}" value="{{csrf.value}}">
+                                    {% if skip_cosign_check == true %}
+                                        <input type="hidden" name="skip_cosign_check" value="true">
+                                    {% endif %}
                                    <input type="submit" value="Update mastercontainer" />
                                </form>
                            {% else %}