Server: Integrity Check Fail EXCEPTION Signature could not get verified.

Created on 10 Mar 2020  路  10Comments  路  Source: nextcloud/server

I tried my servers Help (https://sd.fqdn.tld/index.php/settings/help/admin "Docs 禄 Issues and troubleshooting 禄 Code signing 禄 Errors"), and the public Help forum first, but no joy from either of them.

Steps to reproduce

  1. Run the standard code integrity check.

Expected behavior

Pass all tests, or get a meaningful error message that would lead to a solution.

Actual behavior

The error message leads to only dead ends and bad advice.

Server configuration

System Report Link: https://cloud.ruppssites.com/index.php/s/bKGHrbKARwS6Egx


Password: 
LvkCkJs0kjP5Yz75/lxa

Nextcloud version: 18.0.1 _(I just upgraded this morning hoping it would go away; faith healing)_
Operating system and version: Ubuntu Linux 18.04.1
Apache version: 2.4.41
PHP version(s): 7.3.15, 7.4.3, but I'm pretty sure the Nextcloud uses the 7.3 version.
Database Version: MySQL 5.7.29-0ubuntu0.16.04.1 (_data is on one server and software for NC is on another server inside the same LAN_)

The issue you are facing:
After opening the https://sd.fqdn.tld/index.php/settings/admin/overview page the code integrity check fails:

Technical information
=====================
The following list covers which files have failed the integrity check. Please read
the previous linked documentation to learn more about the errors and how to fix
them.

Results
=======
- secsignid
    - EXCEPTION
        - OC\IntegrityCheck\Exceptions\InvalidSignatureException
        - Signature could not get verified.

Raw output
==========
Array
(
    [secsignid] => Array
        (
            [EXCEPTION] => Array
                (
                    [class] => OC\IntegrityCheck\Exceptions\InvalidSignatureException
                    [message] => Signature could not get verified.
                )
        )
)

Rescan produces the same results. Looking at the suggested documentation didn't help either. I did search my server for the signature.json file but got 259 results and don't know what to investigate after that.

Is this the first time you've seen this error? : Y (kind of)

Last time I got through a code integrity check cleanly was at the end of this particular Git Issue:
A new kind of failure when upgrading to 17 from 16, NULL page loads where Start Update should. #18277

Towards the end of that fiasco, I was guided through a difficulty with the check, but that problem is distinctly different from this one.

The only thing I did since then which gives a reason for suspicion (or is just a red-herring), is this little number here in Git:
Chrome : Geolocation error: Geolocation has been disabled in this document by Feature Policy.. #229
However, I did perfectly reverse that alteration before this code integrity check, so I don't think it's the same situation either.

I vaguely remember somebody giving me a command-line way to do a resetting of the checksum things, but still, this seems like a different problem.

0. Needs triage bug
Source
picture WNYmathGuy

All 10 comments

Can confirm this issue also persisits in nextcloud 19.0.1

Pingger picture Pingger on 7 Aug 2020
👍1

Found the issue:
When the FTP-Server (or something else) changes the last modification time, WITHOUT actually changing the data, this error occurs ...
manually applying a touch at the correct unix timestamp fixes the issue. (_correct_ depends on the your local environment)
(after that other files might be listed, that cause the integrity check to fail. In my case a manually updated .htaccess)

Pingger picture Pingger on 7 Aug 2020
👍1

manually applying a touch at the correct unix timestamp fixes the issue.

I am not able to understand that.

WNYmathGuy picture WNYmathGuy on 7 Aug 2020

using the Unix command touch (which changes the last modified time to the current system time). using it I fixed the issue on my instance ...

Pingger picture Pingger on 7 Aug 2020
👍1

I looked at the man page for touch then gave a go in the main directory for the site by executing touch .htaccess to see if that would help, but it didn't then I took a W.A.G. and did touch * then ran the Rescan link from the admin overview page and still no change.

WNYmathGuy picture WNYmathGuy on 7 Aug 2020

You misunderstood me:

  • Every signature.json has a specific time at which it was finalized.
  • By uploading using FTP the last modified timestamp of the file changes and no longer matches with the (somewhere) hardcoded one in the validation code.
  • to fix this you need to find out the exact timestamp required for your version and set it appropriately

Example:
Version 19.0.1 has the timestamp "2020-07-15 20:29:32 UTC". So you would need to set your systemclock to a few moments before that and then at the exact second of the timestamp run touch signature.json, so that the last modification timestamp is updated to that exact time.
I found out this time, by looking into the archive for the clean-installation using 7zip, which displays this timestamp for each file.
After I fixed that, the check ran properly and told me, that my .htaccess file was modified. which is correct as I added my 404 and 403 errorhandling pages. Now I put those directly into the apache configs, so that I don't need to change the .htaccess file.

Pingger picture Pingger on 7 Aug 2020

Yes, I did misunderstand you by a lot. I think I might try setting a cron job to execute the command on the right second. I have a lot going on my physical server and tinkering with the system time like that feels dodgy at best.

So why wouldn't the upgrade procedure using the web installer put the right dates on all the files? It's been the same problem in NC17 and after the upgrade to NC18. I have been upgrading since NC13. Would I have to find file timestamps for NC13's clean install?

WNYmathGuy picture WNYmathGuy on 7 Aug 2020

I just found this gem...
NOW=$(date) && date -s "2030-08-15 21:30:11" && touch file.txt && date -s "$NOW"
I duckduckgo'ed linux hacks for altering timestamps and this was the top of my list,
https://www.shellhacks.com/fake-file-access-modify-change-timestamps-linux/

Was it only the ctime that mattered, or could it be achieved with just the mtime part?

WNYmathGuy picture WNYmathGuy on 7 Aug 2020

It seems only the mtime is important.
This is the output of stat signature.json on my server. Before fixing it the Modify and Change times were identical ...

  File: core/signature.json
  Size: 1499849         Blocks: 2944       IO Block: 4096   regular file
Device: 803h/2051d      Inode: 1317742     Links: 1
Access: (0644/-rw-r--r--)  Uid: (   33/www-data)   Gid: (   33/www-data)
Access: 2020-08-07 16:12:15.103729403 +0200
Modify: 2020-07-15 22:29:32.000000000 +0200
Change: 2020-08-07 22:37:09.363248389 +0200
 Birth: -
Pingger picture Pingger on 8 Aug 2020

My output of that stat command was,
stat: cannot stat 'signature.json': No such file or directory. Then I realized you were asking for a subdirectory of /core.

stat ./core/signature.json
  File: ./core/signature.json
  Size: 1360836     Blocks: 2664       IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 57420850    Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1009/ support)   Gid: ( 1003/ support)
Access: 2020-08-07 15:07:06.983204660 -0400
Modify: 2020-07-19 11:32:17.832430193 -0400
Change: 2020-07-19 11:34:58.652913368 -0400
 Birth: -

While inside the core directory,

ls -al
total 1464
drwxr-xr-x 23 support support     4096 Aug  7 15:07 .
drwxr-xr-x 14 support www-data    4096 Jul 19 11:34 ..
drwxr-xr-x  2 support support     4096 Jul 19 11:34 ajax
-rw-r--r--  1 support support     6694 Jul 19 11:32 Application.php
drwxr-xr-x  2 support support     4096 Jul 19 11:34 BackgroundJobs
drwxr-xr-x 16 support support     4096 Jul 19 11:34 Command
drwxr-xr-x  2 support support     4096 Jul 19 11:34 Controller
drwxr-xr-x  4 support support     4096 Jul 19 11:34 css
drwxr-xr-x  2 support support     4096 Jul 19 11:34 Data
drwxr-xr-x  2 support support     4096 Jul 19 11:34 Db
drwxr-xr-x  4 support support     4096 Jul 19 11:34 doc
drwxr-xr-x  2 support support     4096 Jul 19 11:34 Exception
drwxr-xr-x  2 support support     4096 Jul 19 11:34 fonts
drwxr-xr-x  9 support support     4096 Jul 19 11:34 img
drwxr-xr-x  8 support support     4096 Jul 19 11:34 js
drwxr-xr-x  2 support support     4096 Jul 19 11:34 l10n
drwxr-xr-x  2 support support     4096 Jul 19 11:34 Middleware
drwxr-xr-x  2 support support     4096 Jul 19 11:34 Migrations
drwxr-xr-x  2 support support     4096 Jul 19 11:34 Notification
-rw-r--r--  1 support support    11131 Jul 19 11:32 register_command.php
-rw-r--r--  1 support support     9521 Jul 19 11:32 routes.php
drwxr-xr-x  4 support support     4096 Jul 19 11:34 search
drwxr-xr-x  2 support support     4096 Jul 19 11:34 Service
-rw-r--r--  1 support support     1105 Jul 19 11:32 shipped.json
-rw-r--r--  1 support support  1360836 Jul 19 11:32 signature.json
drwxr-xr-x  4 support support     4096 Jul 19 11:34 skeleton
-rw-r--r--  1 support support     1059 Jul 19 11:32 strings.php
drwxr-xr-x  5 support support     4096 Jul 19 11:34 templates
drwxr-xr-x  3 support support     4096 Jul 19 11:34 vendor

Yesterday I did that erroneous touch command in the root directory for the site,

ls -al
total 164
drwxr-xr-x  14 support www-data  4096 Jul 19 11:34 .
drwxr-x---   3 support support   4096 Apr 23 15:44 ..
drwxr-xr-x  33 support support   4096 Aug  7 15:07 3rdparty
drwxrwx--- 141 support www-data  4096 Aug  7 15:07 apps
-rw-r--r--   1 support support  15752 Aug  7 15:07 AUTHORS
drwxrwx---   2 support www-data  4096 Aug  7 15:07 config
-rw-r--r--   1 support support   3910 Aug  7 15:07 console.php
-rw-r--r--   1 support support  34520 Aug  7 15:07 COPYING
drwxr-xr-x  23 support support   4096 Aug  7 15:07 core
-rw-r--r--   1 support support   5048 Aug  7 15:07 cron.php
drwxrwx---  18 support www-data  4096 Aug  8 06:30 data
-rw-r--r--   1 support support   3124 Aug  7 15:05 .htaccess
-rw-r--r--   1 support support    156 Aug  7 15:07 index.html
-rw-r--r--   1 support support   2976 Aug  7 15:07 index.php
drwxr-xr-x   6 support support   4096 Aug  7 15:07 lib
-rw-r--r--   1 support support    283 Aug  7 15:07 occ
drwxr-xr-x   2 support support   4096 Aug  7 15:07 ocm-provider
drwxr-xr-x   2 support support   4096 Aug  7 15:07 ocs
drwxr-xr-x   2 support support   4096 Aug  7 15:07 ocs-provider
-rw-r--r--   1 support support   3056 Aug  7 15:07 public.php
-rw-r--r--   1 support support   5235 Aug  7 15:07 remote.php
drwxr-xr-x   4 support support   4096 Aug  7 15:07 resources
-rw-r--r--   1 support support     26 Aug  7 15:07 robots.txt
-rw-r--r--   1 support support   2381 Aug  7 15:07 status.php
drwxr-xr-x   3 support www-data  4096 Aug  7 15:07 themes
drwxrwx---   2 support www-data  4096 Aug  7 15:07 updater
-rw-r--r--   1 support support    101 Jul 19 11:32 .user.ini
-rw-r--r--   1 support support    362 Aug  7 15:07 version.php

Do you think I should try finding the clean install of my NC18 version and match all dates to that?

WNYmathGuy picture WNYmathGuy on 8 Aug 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

Django-BOfH picture Django-BOfH  路  3Comments
williambargent picture williambargent  路  3Comments
georgehrke picture georgehrke  路  3Comments
e-alfred picture e-alfred  路  3Comments
arno01 picture arno01  路  3Comments