"Bad Signature" error after activating encryption #23078

Closed
mmaedler opened this Issue Mar 10, 2016 · 7 comments


@mmaedler

Steps to reproduce

  1. Fresh and clean installation with one user (admin) and some files
  2. Activation of Default encryption module
  3. sudo -u www-data ./occ encryption:enable && sudo -u www-data ./occ encryption:encrypt-all
  4. login to web gui and change onetime password to login password.
  5. all files respond with "Bad Signature" error when opened from web gui

Expected behaviour

Unencrypted version of file should be shown (incl. thumbs for images).

Actual behaviour

Every file returns "Bad Signature" error

Server configuration

Operating system: Ubuntu 12.04

Web server: nginx 1.8.1

Database: MySQL 5.6.24

PHP version: 5.6.18 (as fpm)

ownCloud version: 9.0.0

Updated from an older ownCloud or fresh install: first updated version, then fresh install — behaviour is the same each time

Where did you install ownCloud from: zip file

Signing status (ownCloud 9.0 and above):

no errors have been found

List of activated apps:

Enabled:
  - activity: 2.2.1
  - calendar: 1.0
  - comments: 0.2
  - contacts: 1.0.0.0
  - dav: 0.1.5
  - documents: 0.12.0
  - encryption: 1.2.0
  - federatedfilesharing: 0.1.0
  - federation: 0.0.4
  - files: 1.4.4
  - files_external: 0.5.2
  - files_pdfviewer: 0.8
  - files_sharing: 0.9.1
  - files_texteditor: 2.1
  - files_trashbin: 0.8.0
  - files_versions: 1.2.0
  - files_videoplayer: 0.9.8
  - firstrunwizard: 1.1
  - gallery: 14.5.0
  - notifications: 0.2.3
  - provisioning_api: 0.4.1
  - systemtags: 0.2
  - templateeditor: 0.1
  - updatenotification: 0.1.0
Disabled:
  - external
  - user_external
  - user_ldap

The content of config/config.php:

{
    "system": {
        "instanceid": "ocn14w2k7nyz",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "octest.betaserv.net"
        ],
        "datadirectory": "\/opt\/owncloud_test\/owncloud-9.0.0\/data",
        "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "9.0.0.19",
        "dbname": "owncloud_test",
        "dbhost": "localhost",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "UTC",
        "installed": true,
        "singleuser": false
    },
    "apps": {
        "activity": {
            "enabled": "yes",
            "installed_version": "2.2.1",
            "types": "filesystem"
        },
        "backgroundjob": {
            "lastjob": "3"
        },
        "calendar": {
            "enabled": "yes",
            "installed_version": "1.0",
            "ocsid": "168707",
            "types": ""
        },
        "comments": {
            "enabled": "yes",
            "installed_version": "0.2",
            "types": "logging"
        },
        "contacts": {
            "enabled": "yes",
            "installed_version": "1.0.0.0",
            "ocsid": "168708",
            "types": ""
        },
        "core": {
            "backgroundjobs_mode": "cron",
            "default_encryption_module": "OC_DEFAULT_MODULE",
            "encryption_enabled": "yes",
            "installedat": "1457604591.9412",
            "lastcron": "1457605168",
            "lastupdateResult": "{\"version\":{},\"versionstring\":{},\"url\":{},\"web\":{}}",
            "lastupdatedat": "1457606398",
            "oc.integritycheck.checker": "[]",
            "public_documents": "documents\/public.php",
            "public_files": "files_sharing\/public.php",
            "public_webdav": "dav\/appinfo\/v1\/publicwebdav.php",
            "remote_caldav": "dav\/appinfo\/v1\/caldav.php",
            "remote_calendar": "dav\/appinfo\/v1\/caldav.php",
            "remote_carddav": "dav\/appinfo\/v1\/carddav.php",
            "remote_contacts": "dav\/appinfo\/v1\/carddav.php",
            "remote_dav": "dav\/appinfo\/v2\/remote.php",
            "remote_files": "dav\/appinfo\/v1\/webdav.php",
            "remote_webdav": "dav\/appinfo\/v1\/webdav.php"
        },
        "dav": {
            "enabled": "yes",
            "installed_version": "0.1.5",
            "types": "filesystem"
        },
        "documents": {
            "enabled": "yes",
            "installed_version": "0.12.0",
            "ocsid": "168711",
            "types": ""
        },
        "encryption": {
            "enabled": "yes",
            "installed_version": "1.2.0",
            "masterKeyId": "master_11425f2a",
            "publicShareKeyId": "pubShare_11425f2a",
            "recoveryKeyId": "recoveryKey_11425f2a",
            "types": "filesystem"
        },
        "federatedfilesharing": {
            "enabled": "yes",
            "installed_version": "0.1.0",
            "types": ""
        },
        "federation": {
            "enabled": "yes",
            "installed_version": "0.0.4",
            "types": "authentication"
        },
        "files": {
            "cronjob_scan_files": "500",
            "enabled": "yes",
            "installed_version": "1.4.4",
            "types": "filesystem"
        },
        "files_external": {
            "enabled": "yes",
            "installed_version": "0.5.2",
            "ocsid": "166048",
            "types": "filesystem"
        },
        "files_pdfviewer": {
            "enabled": "yes",
            "installed_version": "0.8",
            "ocsid": "166049",
            "types": ""
        },
        "files_sharing": {
            "enabled": "yes",
            "installed_version": "0.9.1",
            "types": "filesystem"
        },
        "files_texteditor": {
            "enabled": "yes",
            "installed_version": "2.1",
            "ocsid": "166051",
            "types": ""
        },
        "files_trashbin": {
            "enabled": "yes",
            "installed_version": "0.8.0",
            "types": "filesystem"
        },
        "files_versions": {
            "enabled": "yes",
            "installed_version": "1.2.0",
            "types": "filesystem"
        },
        "files_videoplayer": {
            "enabled": "yes",
            "installed_version": "0.9.8",
            "types": ""
        },
        "firstrunwizard": {
            "enabled": "yes",
            "installed_version": "1.1",
            "ocsid": "166055",
            "types": ""
        },
        "gallery": {
            "enabled": "yes",
            "installed_version": "14.5.0",
            "types": ""
        },
        "notifications": {
            "enabled": "yes",
            "installed_version": "0.2.3",
            "types": "logging"
        },
        "provisioning_api": {
            "enabled": "yes",
            "installed_version": "0.4.1",
            "types": "prevent_group_restriction"
        },
        "systemtags": {
            "enabled": "yes",
            "installed_version": "0.2",
            "types": "logging"
        },
        "templateeditor": {
            "enabled": "yes",
            "installed_version": "0.1",
            "types": ""
        },
        "updatenotification": {
            "enabled": "yes",
            "installed_version": "0.1.0",
            "types": ""
        }
    }
}

Are you using external storage, if yes which one: no

Are you using encryption: yes (at least kind of...)

Are you using an external user-backend, if yes which one: no

Client configuration

Browser: Chrome 49

Operating system: OSX 10.11.3

@LukasReschke LukasReschke self-assigned this Mar 10, 2016
@LukasReschke LukasReschke added the bug label Mar 10, 2016
@LukasReschke
Member

I'll take a look.

@LukasReschke LukasReschke added a commit that referenced this issue Mar 10, 2016
@LukasReschke LukasReschke Ensure that stored version is at least 1 for cross-storage copy
In case of a move operation from an unencrypted to an encrypted
storage the old encrypted version would stay with "0" while the
correct value would be "1". Thus we manually set the value to "1"
for those cases.

See also #23078
777867c
@LukasReschke
Member

A potential fix for this can be found at #23108. I tested it locally given your steps and did some smoke testing and everything seemed to pass.

@mmaedler It would be most appreciated if you could retest your steps with this branch applied. It won't get back your old testing data but at least all new ones should be there.

In case anybody stumbles upon this with real life data, there is this trick that should make the data accessible again:

  1. Get all storage IDs: SELECT numeric_id FROM oc_storages where id LIKE "home::%%";
  2. UPDATE oc_filecache SET encrypted = 1 WHERE encrypted = 0 AND storage = ?;, replace ? with the storage IDs from 1.
  3. Delete thumbnails

If you can afford it, I'd however recommend restoring a backup and retrying with the patch applied. Way more reliable.

Thanks a lot for reporting this bug back to us and sorry for the hassle!
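
A rehearsal of steps 1 and 2 of the workaround above, added here as an example and not part of the original thread or ownCloud's code: it runs the same two queries against a constructed in-memory SQLite stand-in for the two tables, previews which rows would change, and applies the update in a single transaction. The `fileid` and `path` columns and all sample rows are assumptions; step 3 (deleting thumbnails) is not covered.

```python
import sqlite3

# Step 1 from the thread: numeric IDs of all per-user home storages.
HOME_STORAGES = "SELECT numeric_id FROM oc_storages WHERE id LIKE 'home::%'"


def build_sample_db():
    """In-memory stand-in for the two tables; every row is constructed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE oc_storages (numeric_id INTEGER PRIMARY KEY, id TEXT);
        CREATE TABLE oc_filecache (fileid INTEGER PRIMARY KEY, storage INTEGER,
                                   path TEXT, encrypted INTEGER);
        INSERT INTO oc_storages VALUES
            (1, 'home::admin'), (2, 'home::alice'), (3, 'local::/opt/data/');
        INSERT INTO oc_filecache VALUES
            (10, 1, 'files/a.txt', 0),  -- affected: home storage, version 0
            (11, 1, 'files/b.jpg', 0),
            (12, 2, 'files/c.pdf', 2),  -- non-zero version, must stay as is
            (13, 2, 'files/d.txt', 0),
            (14, 3, 'appdata/x',   0);  -- not a home storage, must stay 0
    """)
    return conn


def affected_rows(conn):
    """Preview: per home storage, how many rows the UPDATE would touch."""
    return dict(conn.execute(
        "SELECT storage, COUNT(*) FROM oc_filecache "
        "WHERE encrypted = 0 AND storage IN (" + HOME_STORAGES + ") "
        "GROUP BY storage"))


def repair(conn):
    """Step 2 for every ID from step 1, all-or-nothing; returns rows changed."""
    total = 0
    with conn:  # commits on success, rolls back if any statement raises
        for (storage_id,) in conn.execute(HOME_STORAGES).fetchall():
            cur = conn.execute(
                "UPDATE oc_filecache SET encrypted = 1 "
                "WHERE encrypted = 0 AND storage = ?", (storage_id,))
            total += cur.rowcount
    return total


if __name__ == "__main__":
    db = build_sample_db()
    print("would change:", affected_rows(db))
    print("changed:", repair(db))
```

Comparing the preview count with the number of rows actually changed is a quick sanity check before running the same statements against a production database.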

@mmaedler

Good morning! I went through setting up a fresh installation again, applied the patch, uploaded the same test data as yesterday and now it works :)

Thanks for fixing this so quickly!

One more question: As I am now getting a notification that the integrity check fails (obviously), I want to wait with updating my production environment until the change has made it into a release. Do you have an ETA when that will be available?

Also one comment on the interface to change the temp key to the login password again. I think it is not really made clear by the form labels (at least not in the German version) where to put the temp key and where to put the login password. At least the labeling didn't make me feel comfortable that I had chosen the right content for the right field. Maybe it can be made clearer if the first field is labelled with something like "Temporary Key (you received from your Admin)" or "Temporärer Schlüssel (von deinem Admin)"?

Thanks again!

@PVince81 PVince81 added the sev2-high label Mar 14, 2016
@mmaedler

Thanks @PVince81! As I really want to get going on the new version and beginning of April still feels ages away, is there a way to update the file expected signature value to match the changes and prevent the notification from showing up?

@PVince81
Collaborator
@LukasReschke
Member

> Thanks @PVince81! As I really want to get going on the new version and beginning of April still feels ages away, is there a way to update the file expected signature value to match the changes and prevent the notification from showing up?

Option 1: Change https://github.com/owncloud/core/blob/f8180579d03fcd10ab8f92f1ecb27899436c7653/version.php#L36-L37 to git. Once 9.0.1 is there replace everything with 9.0.1 again.

Option 2: You could install the daily from https://download.owncloud.org/community/owncloud-daily-stable9.tar.bz2 which is properly signed. This requires however that the PR is first merged into stable9, which it is not yet.

Option 3: Ignore the warning. Only admins will see it 😉

@LukasReschke LukasReschke added a commit that referenced this issue Mar 16, 2016
@LukasReschke LukasReschke Ensure that stored version is at least 1 for cross-storage copy
In case of a move operation from an unencrypted to an encrypted
storage the old encrypted version would stay with "0" while the
correct value would be "1". Thus we manually set the value to "1"
for those cases.

See also #23078
676041b
@LukasReschke LukasReschke added a commit that referenced this issue Mar 16, 2016
@LukasReschke LukasReschke Ensure that stored version is at least 1 for cross-storage copy
In case of a move operation from an unencrypted to an encrypted
storage the old encrypted version would stay with "0" while the
correct value would be "1". Thus we manually set the value to "1"
for those cases.

See also #23078
f9ad57e