Element-web: Cross-signing verification of a remote user is incomplete

Created on 27 May 2020 · 24 Comments · Source: vector-im/element-web

Description

After a cross-signing verification attempt, my shield became green on my friend's devices but his shield keeps being black on my devices (both Riot-desktop and RiotX). I have all his devices verified though (legacy way)... but I can still start a cross-signing verification with him from Riot-desktop (he can't), which won't lead to a better situation. It will say that it succeeded but his shield will remain black.

Steps to reproduce

  • Launch cross-signing verification with a remote user by clicking on "verify" on Riot-desktop
  • Follow the process (emoji...)
  • It concludes that everything is fine
  • The shield of the remote user remains black and the "verify" button is still there and allows restarting a verification.

Describe how what happens differs from what you expected.

After a successful cross-signing verification, it seems that it didn't work, as the shield remains black.

Version information

  • Platform: desktop

For the desktop app:

  • OS: Debian Buster
  • Version: 1.6.2
  • olm version: 3.1.3
  • Version of my own synapse server: 1.12.4
bug e2e-cross-signing

All 24 comments

I created this issue and sent debug logs as requested by @bwindels in here https://github.com/vector-im/riot-web/issues/13204

Thank you for all your work. I like Matrix very much and can't wait to be able to use it very smoothly with all my relatives. It's better and better every day. This cross-signing is really great!

Today I updated my RiotX (v0.20) on my android and something funny is occurring in there (on v0.19, it was all black)

Still

but if I click on him

His shield is green in here...
Why is it not green on the other screen then?

Thanks for the report @Thatoo. Could you please try upgrading your synapse to 1.13.0, and verifying again? To see if you're hitting https://github.com/matrix-org/synapse/issues/7177 ...

Ok, I'll do that as soon as https://github.com/YunoHost-Apps/synapse_ynh merges into master and I can do the update. I'll keep you informed.
Thank you.

I have exactly the same problem. I verified a remote user. He sees me as completely green but I only get a green icon for his "Desktop" device, not for the other 3.

I'm already on Synapse 1.13.0 (Arch Linux). Will update to 1.14.0 when it is available in the repo.

Can I provide any diagnostics that could be helpful for you?

This is still occurring with un-federated Matrix Synapse v1.14.0 on a self-hosted riot web client v1.6.2. Let me know if I can provide any info. The other person has one mobile session, which I verified from my web client. Their shield is still black and still gives the option to verify, but clicking the "1 session" under their user sidebar expands to show the session is already verified. Still, I can click the verify button. Rooms they are in also show the black shield.

Not sure if it is relevant, but when they tried to start a DM with me before verifying, it opened two DM rooms for them, and when I tried to leave the one I hadn't talked in by clicking it on the sidebar and choosing "Leave" I actually left the other one instead. Also they set a profile picture, but it doesn't show up at all unless I click their default colored letter profile image, which brings up the full size version of the uploaded image.

I should note that they are the only user on my server so far using the mobile client, except for me. (And we haven't attempted any verifications with mine.) The other users are using web or desktop client, and not showing this issue on my end when I verify them from the web client.

I do not know the exact version of the other user's mobile app, but it was installed some time in the last two weeks.

Edit: I got the same thing on riot-web a second time manually/text verifying another mobile user who joined. Not the multiple rooms, or the profile image issue (yet), but the shield being black despite me verifying from my end. (This one was offline when I verified them, if that matters. And, the verification for this user, and possibly the last user are from my end only so far.)

Also, currently I have a riot-web session and a mobile session, and I have only verified these two users from my riot-web session. But, other users I verified only from my riot-web session who are not on mobile sessions have green shields.

My server is federated though. I mean the problem occurs between me (on self-hosted synapse) and one user on matrix.org. I haven't updated to v1.13.0 yet but will do so asap when it is released on yunohost.

> My server is federated though. I mean the problem occurs between me (on self-hosted synapse) and one user on matrix.org. I haven't updated to v1.13.0 yet but will do so asap when it is released on yunohost.

Well, that probably just rules out federation vs non-federation as a factor in the issue.

Submitted my debug logs, cross-signing verifications also fail between my matrix.org account and my other account hosted on modular.im.

I have updated synapse to v 1.14 and Riot-desktop to v 1.6.5 and RiotX to v 0.22; the problem remains.
We tried verifying each other but it doesn't end with a green shield for him on my screen, whereas my shield appears green on his screen.
I say I and him but it is the same for all users of my self-hosted synapse server trying to verify users of the matrix.org server...

We are federated. We can talk, exchange files, call each other, explore rooms in other server without problem. Only verification isn't working fully properly...

I had a quick look at the rageshakes posted here earlier, and it looks like a missing/outdated master signing key... So there could potentially still be an issue with synapse device syncing. Could you rageshake your recent attempt again please @Thatoo after having updated synapse?

I was just having this issue and this fixed it.

I had verified all of the user's sessions, but they still had a black shield.

  • I had the other user verify all of their own sessions, which forced them to enable cross-signing.

  • Then I told them to check they had verified all of my sessions. And if not, verify them.

  • Then to verify me as a user.

When they did, the green shield appeared and is present throughout all rooms that user is in.

> I had a quick look at the rageshakes posted here earlier, and it looks like a missing/outdated master signing key... So there could potentially still be an issue with synapse device syncing. Could you rageshake your recent attempt again please @Thatoo after having updated synapse?

I've just done it, after updating both of our Riot-desktop clients to v 1.6.6.

> I was just having this issue and this fixed it.
>
> I had verified all of the user's sessions, but they still had a black shield.
>
> * I had the other user verify all of their own sessions, which forced them to enable cross-signing.

Done!

> * Then I told them to check they had verified all of my sessions. And if not, verify them.

Done!

> * Then to verify me as a user.

Done! Well, I have to initiate the verification. He can't initiate the verification anymore as my shield is green for him and he doesn't have the option to verify me anymore.

> When they did, the green shield appeared and is present throughout all rooms that user is in.

My shield for him is green and all rooms with me and other users of my self-hosted synapse that he verified are green, but on the screens of users of my self-hosted synapse server, even after all possible verifications, his shield (his account is on matrix.org) remains black and all our rooms are black.

One solution would be that he migrates to our self hosted server or that we migrate to matrix.org but I guess that's not very satisfying....
Let me know how I can help. Maybe he should "unverify us" for us to be able to reinitiate a proper verification... How can someone unverify someone else?

> Maybe he should "unverify us" for us to be able to reinitiate a proper verification... How can someone unverify someone else?

Unfortunately, there's no way currently to unverify a single person. The only "undo-style" option at the moment is to reset your entire cross-signing identity in Settings, which clears all verifications you've done.

@Thatoo Your recent debug log suggests you updated to Synapse 1.14, but the latest version is 1.15.1, which contains some device list fixes which might be relevant for this problem. Can you try updating to that?

I will, as soon as 1.15.1 is available on yunohost. I'll keep you updated.

I found a solution:
https://github.com/matrix-org/synapse/issues/7418#issuecomment-632166605

The problem for me was that the device list was stale, it seems.

The linked issue resolves this:

Connect to your PostgreSQL server (not tested with SQLite) and run:

```sql
INSERT INTO device_lists_remote_resync VALUES ('@user:host.tld', (EXTRACT(epoch FROM NOW()) * 1000)::BIGINT);
```

Replace @user:host.tld with the ID of the user.

Restart the Riot.im client. The line will disappear from the database. Try verifying again. It should work now :)

Maybe this step could be transferred to some kind of recurring maintenance routine inside synapse.
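
The comments above trace the black shield to a stale device list and a missing or outdated master signing key in the homeserver's copy. As an added example (not part of the thread, nor Element or Synapse code), this sketch inspects a `/keys/query` response for exactly that; the field names follow the Matrix client-server spec, and the user ID, keys and signatures in the sample are constructed placeholders.

```python
# Added example: structural check of a /keys/query response. Only the presence
# of keys and signature entries is checked; no Ed25519 signature is verified.

def _pubkey(key_obj):
    """Return the ed25519 public key of a cross-signing key object, or None."""
    for key_id, value in (key_obj or {}).get("keys", {}).items():
        if key_id.startswith("ed25519:"):
            return value
    return None

def cross_signing_report(resp, user_id):
    """Summarise what the homeserver currently knows about user_id's keys."""
    master = _pubkey(resp.get("master_keys", {}).get(user_id))
    ssk_obj = resp.get("self_signing_keys", {}).get(user_id)
    ssk = _pubkey(ssk_obj)
    report = {"master_key": master is not None,
              "self_signing_key": ssk is not None,
              "ssk_signed_by_master": False,
              "devices": {}}  # device_id -> has a signature entry from the SSK
    if master and ssk:
        sigs = ssk_obj.get("signatures", {}).get(user_id, {})
        report["ssk_signed_by_master"] = f"ed25519:{master}" in sigs
    for dev_id, dev in resp.get("device_keys", {}).get(user_id, {}).items():
        sigs = dev.get("signatures", {}).get(user_id, {})
        report["devices"][dev_id] = bool(ssk) and f"ed25519:{ssk}" in sigs
    return report

# Constructed sample data: user ID, key values and signatures are placeholders.
USER = "@friend:example.org"
def _device(dev_id, signers):
    return {"user_id": USER, "device_id": dev_id,
            "keys": {f"ed25519:{dev_id}": f"{dev_id}_PUB"},
            "signatures": {USER: {f"ed25519:{s}": "SIG" for s in signers}}}

SAMPLE = {
    "device_keys": {USER: {"DESKTOP": _device("DESKTOP", ["DESKTOP", "SSK_PUB"]),
                           "PHONE": _device("PHONE", ["PHONE"])}},
    "master_keys": {USER: {"user_id": USER, "usage": ["master"],
                           "keys": {"ed25519:MASTER_PUB": "MASTER_PUB"}}},
    "self_signing_keys": {USER: {"user_id": USER, "usage": ["self_signing"],
                                 "keys": {"ed25519:SSK_PUB": "SSK_PUB"},
                                 "signatures": {USER: {"ed25519:MASTER_PUB": "SIG"}}}},
}
# A stale server copy: devices are known, cross-signing keys are missing.
STALE = {"device_keys": SAMPLE["device_keys"]}

if __name__ == "__main__":
    print(cross_signing_report(SAMPLE, USER))
    print(cross_signing_report(STALE, USER))
```

Run it on the JSON your homeserver returns from the client-server `/keys/query` endpoint for the affected user; a report shaped like the `STALE` one means the server's cached copy has no cross-signing keys for that user.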

https://github.com/matrix-org/matrix-doc/pull/2638 would create a way for the client to notify the server that things are out of date and to resync.

I have experienced another kind of issue, similar but slightly different this time.

A matrix.org account and I could verify each other, but this time his shield becomes neither green nor black but RED. Indeed, in his device list, on my account, an old device of his remains listed even though he had removed it and it doesn't appear in his device list on his account. It is as if I didn't get the update of his device list.

I'm not sure if this is the same thing or not, but I have a user who I have verified out-of-band ages ago, before cross-signing, so I wanted to verify them. Both of us are on matrix.org.

Since I had already verified them, I opted to manually verify them.

Now their entry looks like this:

And when I click on 1 Session it has this:

Why do the shields disagree? Is this an example of this bug? Restarting Element doesn't fix the shield.

Do you think this bug is linked to this issue https://github.com/matrix-org/synapse/issues/2526 ?
