chore: update cosign

Nextcloud now prevents loading external entities by using libxml_set_external_entity_loader.

ref:
https://github.com/nextcloud/server/pull/39490
https://github.com/hoellen/docker-nextcloud/issues/42

.github/workflows/build.yml

@@ -3,7 +3,7 @@ name: build
 on:
   workflow_dispatch:
   push:
-    branches: [ master ]
+    branches: [ version-26 ]
   schedule:
     # Build the image regularly (each Friday)
     - cron: '23 04 * * 5'
@@ -34,7 +34,7 @@ jobs:
         if: github.event_name != 'pull_request'
         uses: sigstore/cosign-installer@main
         with:
-          cosign-release: 'v1.13.1'
+          cosign-release: 'v2.2.2'
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v1
@@ -53,7 +53,6 @@ jobs:
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           tags: |
-            latest
             ${{ env.FULL_VERSION }}
             ${{ env.MAJOR_VERSION }}
 
@@ -70,4 +69,4 @@ jobs:
         if: ${{ github.event_name != 'pull_request' }}
         env:
           COSIGN_EXPERIMENTAL: "true"
-        run: cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
+        run: cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}

Dockerfile

@@ -1,17 +1,17 @@
 # -------------- Build-time variables --------------
-ARG NEXTCLOUD_VERSION=28.0.0
+ARG NEXTCLOUD_VERSION=26.0.13
-ARG PHP_VERSION=8.2
+ARG PHP_VERSION=8.1
 ARG NGINX_VERSION=1.24
 
-ARG ALPINE_VERSION=3.18
+ARG ALPINE_VERSION=3.17
 ARG HARDENED_MALLOC_VERSION=11
-ARG SNUFFLEUPAGUS_VERSION=0.10.0
+ARG SNUFFLEUPAGUS_VERSION=0.9.0
 
 ARG UID=1000
 ARG GID=1000
 
-# nextcloud-28.0.0.tar.bz2
+# nextcloud-26.0.13.tar.bz2
-ARG SHA256_SUM="4e8b0b74b40221e85f92ab869d0873c69a52d7e43889d9259c6259428a6a36f2"
+ARG SHA256_SUM="0a362df7a1233348f99d1853fd7e79f0667b552c145dc45012fab54ac31c79ae"
 
 # Nextcloud Security <security@nextcloud.com> (D75899B9A724937A)
 ARG GPG_FINGERPRINT="2880 6A87 8AE4 23A2 8372  792E D758 99B9 A724 937A"
@@ -58,7 +58,6 @@ RUN apk -U upgrade \
         bcmath \
         exif \
         gd \
-        bz2 \
         intl \
         ldap \
         opcache \

README.md

@@ -58,8 +58,8 @@ Verifying the signature isn't a requirement, and might not be as seamless as usi
 ## Tags
 
 - `latest` : latest Nextcloud version
-- `x` : latest Nextcloud x.x (e.g. `28`)
+- `x` : latest Nextcloud x.x (e.g. `25`)
-- `x.x.x` : Nextcloud x.x.x (e.g. `28.0.0`)
+- `x.x.x` : Nextcloud x.x.x (e.g. `25.0.0`)
 
 You can always have a glance [here](https://github.com/users/hoellen/packages/container/package/nextcloud).
 Only the **latest stable version** will be maintained by myself.

SECURITY.md

@@ -7,16 +7,12 @@ and will receive the minor version updates and security patches.
 
 | Version | Supported          |
 | ------- | ------------------ |
-| 28. x   | :white_check_mark: |
+| 25. x   | :white_check_mark: |
-| 27. x   | :white_check_mark: |
+| 24. x   | :white_check_mark: |
-| 26. x   | :white_check_mark: |
-| 25. x   | :negative_squared_cross_mark: |
-| 24. x   | :negative_squared_cross_mark: |
 | 23. x   | :negative_squared_cross_mark: |
 | 22. x   | :negative_squared_cross_mark: |
 
 Please update to the latest version available. Major migrations are always tested before being pushed.
-An up-to-date list of the currently maintained Nextcloud versions can also be found in the [Nextcloud Repository Wiki](https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule).
 
 ## Automated vulnerability scanning
 

rootfs/etc/nginx/conf.d/default.conf

@@ -49,7 +49,7 @@ server {
             return 404;
         }
 
-        location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy)\.php(?:$|\/) {
+        location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
             include /etc/nginx/fastcgi_params;
             fastcgi_split_path_info ^(.+\.php)(/.*)$;
             fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
@@ -62,7 +62,7 @@ server {
             fastcgi_read_timeout 1200;
         }
 
-        location ~ ^\/(?:updater|ocs-provider)(?:$|\/) {
+        location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
             try_files $uri/ =404;
             index index.php;
         }

rootfs/usr/local/etc/php/snuffleupagus/nextcloud-php8.rules

@@ -47,10 +47,6 @@ sp.disable_function.function("ini_get").param("option").value("open_basedir").fi
 sp.disable_function.function("ini_get").param("option").value("allow_url_fopen").filename("/nextcloud/3rdparty/guzzlehttp/guzzle/src/Utils.php").allow();
 sp.disable_function.function("exec").param("command").value("apachectl -M | grep mpm").filename("/nextcloud/apps2/spreed/lib/Settings/Admin/AdminSettings.php").allow();
 
-# Nextcloud inherently enables XXE-Protection since 27.0.1, therefore, drop setting a new external entity loader
-sp.disable_function.function("libxml_set_external_entity_loader").filename("/nextcloud/lib/base.php").allow(); 
-sp.disable_function.function("libxml_set_external_entity_loader").drop(); 
-
 # Harden the `chmod` function (0777 (oct = 511, 0666 = 438)
 sp.disable_function.function("chmod").param("permissions").value("438").drop();
 sp.disable_function.function("chmod").param("permissions").value("511").drop();