From 719eaf0e48a920836f8bd0526064e8d9c143d04a Mon Sep 17 00:00:00 2001
From: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
Date: Thu, 5 Feb 2026 13:25:11 -0300
Subject: [PATCH 1/2] fix: add chmod to ensure appinfo directory is writable
 during signing

The occ integrity:sign-app command needs write access to the appinfo
directory to create signature.json. This adds chmod -R a+w after copying
appinfo to ensure the directory is writable regardless of file ownership.

Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
---
 Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Makefile b/Makefile
index a077f5b068..6a147676d5 100644
--- a/Makefile
+++ b/Makefile
@@ -155,6 +155,7 @@ appstore:
 			--privateKey=$(cert_dir)/$(app_name).key \
 			--certificate=$(cert_dir)/$(app_name).crt; \
 		cp -r appinfo $(appstore_sign_dir)/$(app_name); \
+		chmod -R a+w $(appstore_sign_dir)/$(app_name); \
 		echo "Signing app files…"; \
 		$(occ) integrity:sign-app \
 			--privateKey=$(cert_dir)/$(app_name).key\

From b888cabe8f0a7e60d44e0d67963b247ae9bfa72b Mon Sep 17 00:00:00 2001
From: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
Date: Thu, 5 Feb 2026 13:25:28 -0300
Subject: [PATCH 2/2] fix: remove duplicate signing step that corrupts app
 signature

The 'Sign app' step was re-signing an already signed tarball created
by the Makefile. This caused signature validation failures on the
Nextcloud Appstore API because:

1. Makefile correctly signs at build/artifacts/sign/libresign
2. Duplicate step extracted, re-signed at wrong path, and recreated tarball
3. This corrupted the original valid signature
4. API rejected with 'invalid padding' or 'bad signature' errors

The Makefile already handles all signing correctly:
- Downloads certificate from GitHub
- Signs setup files with libresign:developer:sign-setup
- Signs app files with occ integrity:sign-app
- Creates properly signed tarball

Removing this redundant step fixes nightly releases not appearing
on apps.nextcloud.com.

Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
---
 .github/workflows/nightly-release.yml | 15 ---------------
 1 file changed, 15 deletions(-)

diff --git a/.github/workflows/nightly-release.yml b/.github/workflows/nightly-release.yml
index f1048af69a..2c649f9240 100644
--- a/.github/workflows/nightly-release.yml
+++ b/.github/workflows/nightly-release.yml
@@ -160,21 +160,6 @@ jobs:
           echo '${{ secrets.APP_PRIVATE_KEY }}' > build/tools/certificates/${{ env.APP_NAME }}.key
           make appstore
 
-      - name: Sign app
-        run: |
-          # Extracting release
-          cd ${{ env.APP_NAME }}/build/artifacts
-          tar -xvf ${{ env.APP_NAME }}.tar.gz
-          cd ../../../
-          # Setting up keys
-          echo '${{ secrets.APP_PRIVATE_KEY }}' > ${{ env.APP_NAME }}.key
-          wget --quiet "https://github.com/nextcloud/app-certificate-requests/raw/master/${{ env.APP_NAME }}/${{ env.APP_NAME }}.crt"
-          # Signing
-          php nextcloud/occ integrity:sign-app --privateKey=../${{ env.APP_NAME }}.key --certificate=../${{ env.APP_NAME }}.crt --path=../${{ env.APP_NAME }}/build/artifacts/${{ env.APP_NAME }}
-          # Rebuilding archive
-          cd ${{ env.APP_NAME }}/build/artifacts
-          tar -zcvf ${{ env.APP_NAME }}.tar.gz ${{ env.APP_NAME }}
-
       - name: Extract version and create tag
         id: version
         run: |