Core: "Bad Signature" error after activating encryption
Steps to reproduce
- Fresh and clean installation with one user (admin) and some files
- Activation of Default encryption module
- sudo -u www-data ./occ encryption:enable && sudo -u www-data ./occ encryption:encrypt-all
- login to web gui and change onetime password to login password.
- all files respond with "Bad Signature" error when opened from web gui
Expected behaviour
Unencrypted version of file should be shown (incl. thumbs for images).
Actual behaviour
Every file returns "Bad Signature" error
Server configuration
Operating system: Ubuntu 12.04
Web server: nginx 1.8.1
Database: MySQL 5.6.24
PHP version:: 5.6.18 (as fpm)
ownCloud version: 9.0.0
Updated from an older ownCloud or fresh install: first updated version, then fresh install聽鈥斅燽ehaviour is the same each time
Where did you install ownCloud from: zip file
Signing status (ownCloud 9.0 and above):
no errors have been found
List of activated apps:
Enabled:
- activity: 2.2.1
- calendar: 1.0
- comments: 0.2
- contacts: 1.0.0.0
- dav: 0.1.5
- documents: 0.12.0
- encryption: 1.2.0
- federatedfilesharing: 0.1.0
- federation: 0.0.4
- files: 1.4.4
- files_external: 0.5.2
- files_pdfviewer: 0.8
- files_sharing: 0.9.1
- files_texteditor: 2.1
- files_trashbin: 0.8.0
- files_versions: 1.2.0
- files_videoplayer: 0.9.8
- firstrunwizard: 1.1
- gallery: 14.5.0
- notifications: 0.2.3
- provisioning_api: 0.4.1
- systemtags: 0.2
- templateeditor: 0.1
- updatenotification: 0.1.0
Disabled:
- external
- user_external
- user_ldap
The content of config/config.php:
{
"system": {
"instanceid": "ocn14w2k7nyz",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"octest.betaserv.net"
],
"datadirectory": "\/opt\/owncloud_test\/owncloud-9.0.0\/data",
"overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
"dbtype": "mysql",
"version": "9.0.0.19",
"dbname": "owncloud_test",
"dbhost": "localhost",
"dbtableprefix": "oc_",
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"logtimezone": "UTC",
"installed": true,
"singleuser": false
},
"apps": {
"activity": {
"enabled": "yes",
"installed_version": "2.2.1",
"types": "filesystem"
},
"backgroundjob": {
"lastjob": "3"
},
"calendar": {
"enabled": "yes",
"installed_version": "1.0",
"ocsid": "168707",
"types": ""
},
"comments": {
"enabled": "yes",
"installed_version": "0.2",
"types": "logging"
},
"contacts": {
"enabled": "yes",
"installed_version": "1.0.0.0",
"ocsid": "168708",
"types": ""
},
"core": {
"backgroundjobs_mode": "cron",
"default_encryption_module": "OC_DEFAULT_MODULE",
"encryption_enabled": "yes",
"installedat": "1457604591.9412",
"lastcron": "1457605168",
"lastupdateResult": "{\"version\":{},\"versionstring\":{},\"url\":{},\"web\":{}}",
"lastupdatedat": "1457606398",
"oc.integritycheck.checker": "[]",
"public_documents": "documents\/public.php",
"public_files": "files_sharing\/public.php",
"public_webdav": "dav\/appinfo\/v1\/publicwebdav.php",
"remote_caldav": "dav\/appinfo\/v1\/caldav.php",
"remote_calendar": "dav\/appinfo\/v1\/caldav.php",
"remote_carddav": "dav\/appinfo\/v1\/carddav.php",
"remote_contacts": "dav\/appinfo\/v1\/carddav.php",
"remote_dav": "dav\/appinfo\/v2\/remote.php",
"remote_files": "dav\/appinfo\/v1\/webdav.php",
"remote_webdav": "dav\/appinfo\/v1\/webdav.php"
},
"dav": {
"enabled": "yes",
"installed_version": "0.1.5",
"types": "filesystem"
},
"documents": {
"enabled": "yes",
"installed_version": "0.12.0",
"ocsid": "168711",
"types": ""
},
"encryption": {
"enabled": "yes",
"installed_version": "1.2.0",
"masterKeyId": "master_11425f2a",
"publicShareKeyId": "pubShare_11425f2a",
"recoveryKeyId": "recoveryKey_11425f2a",
"types": "filesystem"
},
"federatedfilesharing": {
"enabled": "yes",
"installed_version": "0.1.0",
"types": ""
},
"federation": {
"enabled": "yes",
"installed_version": "0.0.4",
"types": "authentication"
},
"files": {
"cronjob_scan_files": "500",
"enabled": "yes",
"installed_version": "1.4.4",
"types": "filesystem"
},
"files_external": {
"enabled": "yes",
"installed_version": "0.5.2",
"ocsid": "166048",
"types": "filesystem"
},
"files_pdfviewer": {
"enabled": "yes",
"installed_version": "0.8",
"ocsid": "166049",
"types": ""
},
"files_sharing": {
"enabled": "yes",
"installed_version": "0.9.1",
"types": "filesystem"
},
"files_texteditor": {
"enabled": "yes",
"installed_version": "2.1",
"ocsid": "166051",
"types": ""
},
"files_trashbin": {
"enabled": "yes",
"installed_version": "0.8.0",
"types": "filesystem"
},
"files_versions": {
"enabled": "yes",
"installed_version": "1.2.0",
"types": "filesystem"
},
"files_videoplayer": {
"enabled": "yes",
"installed_version": "0.9.8",
"types": ""
},
"firstrunwizard": {
"enabled": "yes",
"installed_version": "1.1",
"ocsid": "166055",
"types": ""
},
"gallery": {
"enabled": "yes",
"installed_version": "14.5.0",
"types": ""
},
"notifications": {
"enabled": "yes",
"installed_version": "0.2.3",
"types": "logging"
},
"provisioning_api": {
"enabled": "yes",
"installed_version": "0.4.1",
"types": "prevent_group_restriction"
},
"systemtags": {
"enabled": "yes",
"installed_version": "0.2",
"types": "logging"
},
"templateeditor": {
"enabled": "yes",
"installed_version": "0.1",
"types": ""
},
"updatenotification": {
"enabled": "yes",
"installed_version": "0.1.0",
"types": ""
}
}
}
Are you using external storage, if yes which one: no
Are you using encryption: yes (at least kind of...)
Are you using an external user-backend, if yes which one: no
Client configuration
Browser: Chrome 49
Operating system: OSX 10.11.3
mmaedler
All 8 comments
I'll take a look.
LukasReschke
on 10 Mar 2016
A potential fix for this can be found at https://github.com/owncloud/core/pull/23108. I tested it locally given your steps and did some smoke testing and everything seemed to pass.
@mmaedler It would be utmost appreciated if you could retest your steps with this branch applied. It won't get back your old testing data but at least all new one should be there.
In case anybody stumbles upon this with real life data, there is this trick that should make the data accessible again:
- Get all storage IDs
SELECT numeric_id FROM oc_storages where id LIKE "home::%%"; UPDATE oc_filecache SET encrypted = 1 WHERE encrypted = 0 AND storage = ?;, replace?with the storage IDs from 1.- Delete thumbnails
If you can afford I'd however recommend to restore a backup and retry with the patch applied. Way more reliable.
Thanks a lot for reporting this bug back to us and sorry for the hassle!
LukasReschke
on 10 Mar 2016
Good morning! I went through setting up a fresh installation again, applied the patch, uploaded the same test data like yesterday and now it works :)
Thanks for fixing this so quickly!
One more question: As I am now getting a notification that the integrity check fails (obviously) I want to wait with updating my production environment until the change made it into a release. Do you have an ETA when that will be available?
Also one comment on the interface to change the temp key to the login password again. I think it is not really made clear by the form labels (at least not in the german version) where to put the temp key and where to put the login password. At least the labeling didn't make me feel comfortable that I had chosen the right content for the right field. Maybe it can be made more clearly if the first field is labelled with something like "Temporary Key (you received from your Admin)" or "Tempor盲rer Schl眉ssel (von deinem Admin)"?
Thanks again!
mmaedler
on 11 Mar 2016
PVince81
on 14 Mar 2016
Thanks @PVince81! As I really want to get going on the new version and beginning of April still feels ages away, is there a way to update the file expected signature value to match the changes and prevent the notification from showing up?
mmaedler
on 15 Mar 2016
@LukasReschke ^
PVince81
on 15 Mar 2016
Thanks @PVince81! As I really want to get going on the new version and beginning of April still feels ages away, is there a way to update the file expected signature value to match the changes and prevent the notification from showing up?
Option 1: Change https://github.com/owncloud/core/blob/f8180579d03fcd10ab8f92f1ecb27899436c7653/version.php#L36-L37 to git. Once 9.0.1 is there replace everything with 9.0.1 again.
Option 2: You could install the daily from https://download.owncloud.org/community/owncloud-daily-stable9.tar.bz2 which is properly signed. This requires however that the PR is first merged into stable9, which it is not yet.
Option 3: Ignore the warning. Only admins will see it :wink:
LukasReschke
on 15 Mar 2016
To do a bulk fix, I used this Mysql query:
update oc_filecache set encrypted = 1 where storage = '1' AND encrypted=0 AND mimetype != '2' and PATH LIKE "files/%"
(mimetype 2 are directories)
All my files except versioned files then started to get decrypted again just fine.
To also make versioned files work again, I then had to disable signature check as mentioned by:
@suntorytimed here: https://github.com/nextcloud/server/issues/3958
It's quite a mess! Can someone confirm in which version this is being fixed? and which steps I have now to do from this state? At which version I can safely run occ encrypt:decrypt-all again?
Thanks,
Andy
akalypse
on 20 Sep 2018
Related issues
stephan-l
路
64Comments
hoerup
路
59Comments
sonanchenko
路
81Comments
bonanza123
路
81Comments
Revisor01
路
205Comments
Most helpful comment
A potential fix for this can be found at https://github.com/owncloud/core/pull/23108. I tested it locally given your steps and did some smoke testing and everything seemed to pass.
@mmaedler It would be utmost appreciated if you could retest your steps with this branch applied. It won't get back your old testing data but at least all new one should be there.
In case anybody stumbles upon this with real life data, there is this trick that should make the data accessible again:
SELECT numeric_id FROM oc_storages where id LIKE "home::%%";UPDATE oc_filecache SET encrypted = 1 WHERE encrypted = 0 AND storage = ?;, replace?with the storage IDs from 1.If you can afford I'd however recommend to restore a backup and retry with the patch applied. Way more reliable.
Thanks a lot for reporting this bug back to us and sorry for the hassle!