Core: exempt files from integrity check

This is not something that we will do. If somebody tampers with ownCloud they can either disable code signing ('integrity.check.disabled' => true) or live with the error message. It will only appear for admins anyways.

Code signing is a significant advantage to us to realize whether somebody tampered with ownCloud, quite important when debugging issue :wink:

@LukasReschke At least for the .htaccess and the .user.ini this should be made possible as oC itself is writing into them to raise the upload limits via the WebGUI.

@LukasReschke At least for the .htaccess and the .user.ini this should be made possible as oC itself is writing into them to raise the upload limits via the WebGUI.

From my PoV this situation should not happen. When somebody updates oC they have to replace the old .htaccess which sets it back to the default. Once the update is run the integrity has been verified => Code check is passing.

After it is running they can do any modification they want without triggering this check. So this smells more like for me: Didn't replace the .htaccess which is required anyways

Ah, ok. Thanks for the info!

If somebody tampers with ownCloud they can either disable code signing ('integrity.check.disabled' => true) or live with the error message. I

Btw. seems thats not documented within the config.sample.php

Is this valid for oC 9.0?

Btw. seems thats not documented within the config.sample.php
Is this valid for oC 9.0?

Yes. But I don't want to advocate telling people to disable it.

They should fix their environment or live with the warning. Only admins see it anyways :smile:

ok, but if i just want to return to the original file and want do recheck those. how to do that?
-> i get that message from a "fresh" installation (just inserted my config.php and the Datafolder (which is external..)

ok, just the moment i found it... admin panel right behind the message...... there is a link..

Guys, exempting files is a good idea. At least if you have a bunch of 'external sites' with custom icons you've just dropped into your owncloud installation, code signing checker will nag you. And if you are roughly the only user of your own OC the nag message becomes very annoying, and 'fcourse you don't want to diasble code checking completely. Just throwing my two cents in ;)

@nekromant The issue with the external sites is tracked here: https://github.com/owncloud/apps/issues/2154

I agree there should be some solution. A registration of a modified file to the signature file would do.

As someone who is forced to modify my .htaccess file due to the host, and because I have added files for admin purposes (phpinfo, a backup script that is triggered via browser), the ability to exclude or at least approve specific files would be extremely useful. As of right now, the warning banner is an annoyance, and not actually a warning I will heed.

@GJSchaller You can follow https://github.com/owncloud/core/issues/23186 no see if this gets implemented. The guy said "we won't do this" in here is now at Nextcloud so the changes are higher that some one is picking this up for ownCloud here.

LetsEncrypt SSL requires a file for authentication so creates the folder and file .well-known/acme-challenge/.htaccess. This is failing the ownCloud Integrity check. We cannot remove this folder and file as its required for SSL renewals, so it needs to be ignored.

I think there's good arguments for exempting certain directories from the integrity check. Let's Encrypt being one excellent example.

The integrity check is worth having, but if it's going to "cry wolf", it's useless.

@VicDeo can we also exclude ".well-known" folder by default ?

It's annoying. We need .htaccess, php.ini, error_log, .well-known, .user.ini and several system files that are not allowed. Please, let us exclude files because this error is annoying and stupid.

this is configurable, see https://github.com/owncloud/core/blob/stable10/config/config.sample.php#L1236