Commit 3302ee3

docs(security): remove hardcoded local cert paths and harden ignore rules
Replaces explicit local certificate path examples with environment-variable based references and ignores local key/cert material to reduce accidental leaks in the public repository.

Made-with: Cursor
1 parent be477f7 commit 3302ee3

2 files changed

Lines changed: 14 additions & 4 deletions

.gitignore

Lines changed: 9 additions & 0 deletions
@@ -23,6 +23,15 @@ Thumbs.db
2323
*.log
2424
server.log
2525

26+
# Local certificate/key material (never commit)
27+
*.key
28+
*.crt
29+
*.pem
30+
*.p12
31+
*.pfx
32+
*.cer
33+
.nextcloud/
34+
2635
# Nextcloud specific
2736
data/
2837
config/config.php
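
Review bot: The patterns added at new lines 27-32 only keep untracked files from being staged; a `*.key`, `*.pem`, `*.p12` or `*.pfx` file that is already tracked stays tracked and stays in history. Pair this change with a check such as `git ls-files '*.key' '*.pem' '*.p12' '*.pfx'`, and if anything is listed, untrack it with `git rm --cached` and rotate the affected key. Separately, `*.crt`, `*.pem` and `*.cer` are unanchored, so they also hide public certificates or test fixtures anywhere in the tree; if the repository ever needs to ship one, add an explicit `!path/to/file` exception next to these rules instead of relying on `git add -f`.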

release/APPSTORE-RELEASE.md

Lines changed: 5 additions & 4 deletions
@@ -9,7 +9,7 @@ Replace `X.Y.Z` with the real version (e.g. `1.1.6`).
99
## 0. Prerequisites
1010

1111
- Registered app and **developer certificate** from Nextcloud (private key on your machine).
12-
- Default key path used below: `~/.nextcloud/certificates/arbeitszeitcheck.key` (same basename as app id).
12+
- Export local key/cert paths in your shell before signing (for example `APP_CERT_KEY_PATH` and `APP_CERT_CRT_PATH`).
1313
- This monorepo: build the tarball from **`apps/`** so the archive root is `arbeitszeitcheck/`.
1414

1515
---
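
Review bot: New line 12 introduces the variables with "for example", but the commands later in this file use exactly `APP_CERT_KEY_PATH` and `APP_CERT_CRT_PATH`, so the names are required, not illustrative. Suggest saying so directly and keeping the hint the removed line carried (the file basename matches the app id), for instance: "Export `APP_CERT_KEY_PATH` and `APP_CERT_CRT_PATH` (paths to your `arbeitszeitcheck.key` and `.crt`) before running the commands below." It would also help to state that the key should be stored outside the working tree, which is the point of the new ignore rules.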
@@ -45,8 +45,9 @@ APPID=arbeitszeitcheck
4545
CONTAINER=nextcloud-app
4646

4747
# 1) Copy key material into container tmp
48-
docker cp "$HOME/.nextcloud/certificates/${APPID}.key" "${CONTAINER}:/tmp/${APPID}.key"
49-
docker cp "$HOME/.nextcloud/certificates/${APPID}.crt" "${CONTAINER}:/tmp/${APPID}.crt"
48+
# Set APP_CERT_KEY_PATH and APP_CERT_CRT_PATH in your shell first.
49+
docker cp "${APP_CERT_KEY_PATH}" "${CONTAINER}:/tmp/${APPID}.key"
50+
docker cp "${APP_CERT_CRT_PATH}" "${CONTAINER}:/tmp/${APPID}.crt"
5051
docker exec "${CONTAINER}" sh -lc "chown www-data:www-data /tmp/${APPID}.key /tmp/${APPID}.crt && chmod 600 /tmp/${APPID}.key && chmod 644 /tmp/${APPID}.crt"
5152

5253
# 2) Sign extracted archive payload with occ (as www-data), repack to /tmp
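
Review bot: The two `docker cp` lines (new 49-50) expand `${APP_CERT_KEY_PATH}` and `${APP_CERT_CRT_PATH}` with no guard, so an unset variable becomes an empty source argument and the reader is left to interpret docker's error. Writing `"${APP_CERT_KEY_PATH:?set APP_CERT_KEY_PATH}"` (and the same for the `.crt`) makes the shell stop with a clear message, which is more dependable than the comment on new line 48. Since this step places the private key in the container's `/tmp`, the procedure should also say where those copies are removed, if that is not already covered outside this hunk.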
@@ -137,7 +138,7 @@ The store expects a **base64-encoded** RSA signature over the **exact** `.tar.gz
137138
**One line** (copy output into the store’s signature field):
138139

139140
```bash
140-
openssl dgst -sha512 -sign ~/.nextcloud/certificates/arbeitszeitcheck.key \
141+
openssl dgst -sha512 -sign "${APP_CERT_KEY_PATH}" \
141142
"arbeitszeitcheck-${VERSION}.tar.gz" | openssl base64 | tr -d '\n'
142143
```
143144

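
Review bot: In the `openssl dgst` line (new 141), an unset or wrong `APP_CERT_KEY_PATH` makes the signing step fail, but the pipeline's exit status is that of the final `tr`, so without `pipefail` the command looks successful while printing an empty signature. This block is presented as a standalone one-liner, so a reader can reach it without having exported the variable. Suggest `-sign "${APP_CERT_KEY_PATH:?set APP_CERT_KEY_PATH}"`, or a sentence above the block pointing back to the prerequisites.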