QNAP, bliss and digital certificates
February 24, 2022 in bliss by Dan Gravell
We recently had a few reports from people using bliss to manage a music collection on their QNAP device. They reported that recent updates to QNAP firmware caused error messages to be shown related to digital certificates, and bliss may not be started automatically.
The first step to fixing the problem is getting a reproducible example, so I updated our test QNAP NAS (a TS-251) to the latest firmware to see the problem for myself.
What’s with the changes?
QNAP have been badly hit by the Deadbolt ransomware attack. Infected machines are taken over by a hacker that seeks to extract a ransom to return the NAS and its contents back to the owner on payment of a ransom.
QNAP have released changes to the the firmware and underlying OS of their NAS devices to reduce vulnerabilities. Recent changes in these firmware releases have affected third party apps, such as bliss.
Make no mistake: it’s best practice that you install these updates, even if you don’t make your device vulnerable by opening them to the outside world.
What’s the effect on bliss?
As I mentioned above, I decided replicating the problem was the best way forward.
On my TS-215 I updated to QTS version 5.0.0.1932 (2022/01/29). After the upgrade, I got a notification (actually, I got a lot of notifications about lots of apps affected, but I’m only interested in bliss here):
bliss has an invalid digital signature. The app has stopped and cannot be installed on QTS. You can remove it in the AppCenter.
In App Center the bliss app appears disabled and with a warning:
Clicking the app gives the message:
There is no digital signature.
Prior to this, bliss was configured to start automatically. QNAP appear to have taken the decision to stop any app starting automatically without a digital signature, at least the first time the device is rebooted after upgrade and until the app has been restarted manually.
When Start is clicked, the app is launched. However, in my case there was another error:
/share/CACHEDEV1_DATA/.qpkg/bliss/bin/bliss.sh: line 47: exec: java: not found
Clearly, Java appears to have disappeared. In AppCenter the Java app was marked as requiring update. So I clicked the Update button in AppCenter to update Java.
After that, clicking Start on the bliss app does run bliss successfully, albeit with the digital signature warning still displayed.
Installing bliss
However, while existing installations of bliss appear to still be runnable, new versions of bliss cannot be installed from the .qpkg
file. Another error message related to digital signatures is shown:
Failed to install bliss. The digital signature is invalid.
The message suggests the remedy:
To proceed with installation, go to App Center > Settings > General, and then select “Allow installation of applications without a valid digital signature”.
Following the instructions works out fine:
Following this option being clicked, bliss can be installed from the .qpkg
file. However you will get a nag screen asking you to re-affirm that you “understand the risks” of installing an app without the digital signature.
bliss should then install as normal, and you should be able to run it.
Why doesn’t bliss have a digital signature?
On other platforms, such as Windows and macOS, we provide signatures with bliss to increase trust that the app you are running is the one we have created. Signatures are a way of validating that the app has not been tampered with.
For QNAP, however, the app must be featured inside the official app repository to allow a digital signature to be applied.
Up to now, it appears to be quite an effort to get the bliss app featured inside the repository. We will re-appraise whether this is something we want to do.
Let’s leave this article as a “working document”. I’m still getting reports about this through, and in the past QNAP firmware updates have been “works in progress” so there may be more developments. Let me know if you have something to add!