"Bad Signature" error after activating encryption #23078

Closed
mmaedler opened this issue Mar 10, 2016 · 8 comments · Fixed by #23108

@mmaedler

Steps to reproduce

  1. Fresh and clean installation with one user (admin) and some files
  2. Activation of Default encryption module
  3. sudo -u www-data ./occ encryption:enable && sudo -u www-data ./occ encryption:encrypt-all
  4. login to web gui and change onetime password to login password.
  5. all files respond with "Bad Signature" error when opened from web gui

Expected behaviour

Unencrypted version of file should be shown (incl. thumbs for images).

Actual behaviour

Every file returns "Bad Signature" error

Server configuration

Operating system: Ubuntu 12.04

Web server: nginx 1.8.1

Database: MySQL 5.6.24

PHP version: 5.6.18 (as fpm)

ownCloud version: 9.0.0

Updated from an older ownCloud or fresh install: first updated version, then fresh install — behaviour is the same each time

Where did you install ownCloud from: zip file

Signing status (ownCloud 9.0 and above):

no errors have been found

List of activated apps:

Enabled:
  - activity: 2.2.1
  - calendar: 1.0
  - comments: 0.2
  - contacts: 1.0.0.0
  - dav: 0.1.5
  - documents: 0.12.0
  - encryption: 1.2.0
  - federatedfilesharing: 0.1.0
  - federation: 0.0.4
  - files: 1.4.4
  - files_external: 0.5.2
  - files_pdfviewer: 0.8
  - files_sharing: 0.9.1
  - files_texteditor: 2.1
  - files_trashbin: 0.8.0
  - files_versions: 1.2.0
  - files_videoplayer: 0.9.8
  - firstrunwizard: 1.1
  - gallery: 14.5.0
  - notifications: 0.2.3
  - provisioning_api: 0.4.1
  - systemtags: 0.2
  - templateeditor: 0.1
  - updatenotification: 0.1.0
Disabled:
  - external
  - user_external
  - user_ldap

The content of config/config.php:

{
    "system": {
        "instanceid": "ocn14w2k7nyz",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "octest.betaserv.net"
        ],
        "datadirectory": "\/opt\/owncloud_test\/owncloud-9.0.0\/data",
        "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "9.0.0.19",
        "dbname": "owncloud_test",
        "dbhost": "localhost",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "UTC",
        "installed": true,
        "singleuser": false
    },
    "apps": {
        "activity": {
            "enabled": "yes",
            "installed_version": "2.2.1",
            "types": "filesystem"
        },
        "backgroundjob": {
            "lastjob": "3"
        },
        "calendar": {
            "enabled": "yes",
            "installed_version": "1.0",
            "ocsid": "168707",
            "types": ""
        },
        "comments": {
            "enabled": "yes",
            "installed_version": "0.2",
            "types": "logging"
        },
        "contacts": {
            "enabled": "yes",
            "installed_version": "1.0.0.0",
            "ocsid": "168708",
            "types": ""
        },
        "core": {
            "backgroundjobs_mode": "cron",
            "default_encryption_module": "OC_DEFAULT_MODULE",
            "encryption_enabled": "yes",
            "installedat": "1457604591.9412",
            "lastcron": "1457605168",
            "lastupdateResult": "{\"version\":{},\"versionstring\":{},\"url\":{},\"web\":{}}",
            "lastupdatedat": "1457606398",
            "oc.integritycheck.checker": "[]",
            "public_documents": "documents\/public.php",
            "public_files": "files_sharing\/public.php",
            "public_webdav": "dav\/appinfo\/v1\/publicwebdav.php",
            "remote_caldav": "dav\/appinfo\/v1\/caldav.php",
            "remote_calendar": "dav\/appinfo\/v1\/caldav.php",
            "remote_carddav": "dav\/appinfo\/v1\/carddav.php",
            "remote_contacts": "dav\/appinfo\/v1\/carddav.php",
            "remote_dav": "dav\/appinfo\/v2\/remote.php",
            "remote_files": "dav\/appinfo\/v1\/webdav.php",
            "remote_webdav": "dav\/appinfo\/v1\/webdav.php"
        },
        "dav": {
            "enabled": "yes",
            "installed_version": "0.1.5",
            "types": "filesystem"
        },
        "documents": {
            "enabled": "yes",
            "installed_version": "0.12.0",
            "ocsid": "168711",
            "types": ""
        },
        "encryption": {
            "enabled": "yes",
            "installed_version": "1.2.0",
            "masterKeyId": "master_11425f2a",
            "publicShareKeyId": "pubShare_11425f2a",
            "recoveryKeyId": "recoveryKey_11425f2a",
            "types": "filesystem"
        },
        "federatedfilesharing": {
            "enabled": "yes",
            "installed_version": "0.1.0",
            "types": ""
        },
        "federation": {
            "enabled": "yes",
            "installed_version": "0.0.4",
            "types": "authentication"
        },
        "files": {
            "cronjob_scan_files": "500",
            "enabled": "yes",
            "installed_version": "1.4.4",
            "types": "filesystem"
        },
        "files_external": {
            "enabled": "yes",
            "installed_version": "0.5.2",
            "ocsid": "166048",
            "types": "filesystem"
        },
        "files_pdfviewer": {
            "enabled": "yes",
            "installed_version": "0.8",
            "ocsid": "166049",
            "types": ""
        },
        "files_sharing": {
            "enabled": "yes",
            "installed_version": "0.9.1",
            "types": "filesystem"
        },
        "files_texteditor": {
            "enabled": "yes",
            "installed_version": "2.1",
            "ocsid": "166051",
            "types": ""
        },
        "files_trashbin": {
            "enabled": "yes",
            "installed_version": "0.8.0",
            "types": "filesystem"
        },
        "files_versions": {
            "enabled": "yes",
            "installed_version": "1.2.0",
            "types": "filesystem"
        },
        "files_videoplayer": {
            "enabled": "yes",
            "installed_version": "0.9.8",
            "types": ""
        },
        "firstrunwizard": {
            "enabled": "yes",
            "installed_version": "1.1",
            "ocsid": "166055",
            "types": ""
        },
        "gallery": {
            "enabled": "yes",
            "installed_version": "14.5.0",
            "types": ""
        },
        "notifications": {
            "enabled": "yes",
            "installed_version": "0.2.3",
            "types": "logging"
        },
        "provisioning_api": {
            "enabled": "yes",
            "installed_version": "0.4.1",
            "types": "prevent_group_restriction"
        },
        "systemtags": {
            "enabled": "yes",
            "installed_version": "0.2",
            "types": "logging"
        },
        "templateeditor": {
            "enabled": "yes",
            "installed_version": "0.1",
            "types": ""
        },
        "updatenotification": {
            "enabled": "yes",
            "installed_version": "0.1.0",
            "types": ""
        }
    }
}

Are you using external storage, if yes which one: no

Are you using encryption: yes (at least kind of...)

Are you using an external user-backend, if yes which one: no

Client configuration

Browser: Chrome 49

Operating system: OSX 10.11.3

@LukasReschke
Member

I'll take a look.

@LukasReschke LukasReschke added this to the 9.0.1-current-maintenance milestone Mar 10, 2016
LukasReschke added a commit that referenced this issue Mar 10, 2016
In case of a move operation from an unencrypted to an encrypted
storage the old encrypted version would stay with "0" while the
correct value would be "1". Thus we manually set the value to "1"
for those cases.

See also #23078
@LukasReschke
Member

A potential fix for this can be found at #23108. I tested it locally given your steps and did some smoke testing and everything seemed to pass.

@mmaedler It would be most appreciated if you could retest your steps with this branch applied. It won't get back your old testing data but at least all new data should be there.

In case anybody stumbles upon this with real life data, there is this trick that should make the data accessible again:

  1. Get all storage IDs: SELECT numeric_id FROM oc_storages where id LIKE "home::%%";
  2. UPDATE oc_filecache SET encrypted = 1 WHERE encrypted = 0 AND storage = ?;, replace ? with the storage IDs from 1.
  3. Delete thumbnails

If you can afford it, I'd however recommend restoring a backup and retrying with the patch applied. Way more reliable.

Thanks a lot for reporting this bug back to us and sorry for the hassle!

@mmaedler
Author

Good morning! I went through setting up a fresh installation again, applied the patch, uploaded the same test data as yesterday and now it works :)

Thanks for fixing this so quickly!

One more question: As I am now getting a notification that the integrity check fails (obviously) I want to wait with updating my production environment until the change made it into a release. Do you have an ETA when that will be available?

Also one comment on the interface to change the temp key to the login password again. I think it is not really made clear by the form labels (at least not in the German version) where to put the temp key and where to put the login password. At least the labeling didn't make me feel comfortable that I had chosen the right content for the right field. Maybe it can be made clearer if the first field is labelled with something like "Temporary Key (you received from your Admin)" or "Temporärer Schlüssel (von deinem Admin)"?

Thanks again!

@PVince81
Contributor

@mmaedler
Author

Thanks @PVince81! As I really want to get going on the new version and beginning of April still feels ages away, is there a way to update the file expected signature value to match the changes and prevent the notification from showing up?

@PVince81
Contributor

@LukasReschke ^

@LukasReschke
Member

Thanks @PVince81! As I really want to get going on the new version and beginning of April still feels ages away, is there a way to update the file expected signature value to match the changes and prevent the notification from showing up?

Option 1: Change

core/version.php, lines 36 to 37 in f818057:

    // The ownCloud channel
    $OC_Channel = 'git';

to git. Once 9.0.1 is there replace everything with 9.0.1 again.

Option 2: You could install the daily from https://download.owncloud.org/community/owncloud-daily-stable9.tar.bz2 which is properly signed. This requires however that the PR is first merged into stable9, which it is not yet.

Option 3: Ignore the warning. Only admins will see it 😉

LukasReschke added a commit that referenced this issue Mar 16, 2016
In case of a move operation from an unencrypted to an encrypted
storage the old encrypted version would stay with "0" while the
correct value would be "1". Thus we manually set the value to "1"
for those cases.

See also #23078
@akalypse

akalypse commented Sep 20, 2018

To do a bulk fix, I used this MySQL query:

update oc_filecache set encrypted = 1 where storage = '1' AND encrypted=0 AND mimetype != '2' and PATH LIKE "files/%"

(mimetype 2 are directories)

All my files except versioned files then started to get decrypted again just fine.
To also make versioned files work again, I then had to disable signature check as mentioned by:
@suntorytimed here: nextcloud/server#3958

It's quite a mess! Can someone confirm in which version this is being fixed? And which steps do I now have to take from this state? From which version can I safely run occ encrypt:decrypt-all again?

Thanks,
Andy
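
Added example (not part of the thread or of ownCloud's code): the database steps of the two workarounds above, combined into one scoped, reversible update with a dry run first. It runs against a constructed in-memory SQLite miniature of the tables; the `oc_mimetypes` lookup for directories and the backup table name `oc_filecache_encfix` are assumptions of this example.

```python
import sqlite3

# Thread columns: oc_storages.id/numeric_id, oc_filecache.storage/path/mimetype/encrypted.
# Assumptions: the oc_mimetypes lookup and the backup table oc_filecache_encfix.
SCOPE = """
    FROM oc_filecache
    WHERE encrypted = 0
      AND path LIKE 'files/%'
      AND storage IN (SELECT numeric_id FROM oc_storages WHERE id LIKE 'home::%')
      AND mimetype NOT IN (SELECT id FROM oc_mimetypes
                           WHERE mimetype = 'httpd/unix-directory')
"""

def preview(db):
    """Dry run: fileids the workaround would touch."""
    return [r[0] for r in db.execute("SELECT fileid" + SCOPE + " ORDER BY fileid")]

def apply_fix(db):
    """Record the affected fileids, then flip the flag, in one transaction."""
    with db:  # commits on success, rolls back on exception
        db.execute("CREATE TABLE IF NOT EXISTS oc_filecache_encfix (fileid INTEGER PRIMARY KEY)")
        db.execute("INSERT INTO oc_filecache_encfix SELECT fileid" + SCOPE)
        cur = db.execute("UPDATE oc_filecache SET encrypted = 1 "
                         "WHERE fileid IN (SELECT fileid FROM oc_filecache_encfix)")
    return cur.rowcount

def revert(db):
    with db:  # undo exactly the rows recorded by apply_fix
        cur = db.execute("UPDATE oc_filecache SET encrypted = 0 "
                         "WHERE fileid IN (SELECT fileid FROM oc_filecache_encfix)")
        db.execute("DELETE FROM oc_filecache_encfix")
    return cur.rowcount

def sample_db():
    """Constructed miniature of the three tables; not real instance data."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE oc_storages (id TEXT, numeric_id INTEGER);
        CREATE TABLE oc_mimetypes (id INTEGER, mimetype TEXT);
        CREATE TABLE oc_filecache (fileid INTEGER, storage INTEGER, path TEXT,
                                   mimetype INTEGER, encrypted INTEGER);
        INSERT INTO oc_storages VALUES ('home::admin', 1), ('local::/opt/data/', 2);
        INSERT INTO oc_mimetypes VALUES (2, 'httpd/unix-directory'), (5, 'image/jpeg');
        INSERT INTO oc_filecache VALUES
            (10, 1, 'files', 2, 0), (11, 1, 'files/photos', 2, 0),
            (12, 1, 'files/photos/a.jpg', 5, 0), (13, 1, 'files/b.jpg', 5, 1),
            (14, 1, 'thumbnails/12/32-32.jpg', 5, 0), (15, 2, 'files/c.jpg', 5, 0);
    """)
    return db
```

The thumbnail deletion step is not covered here; on a real instance, compare the `preview` result with what you expect before applying anything.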

@lock lock bot locked as resolved and limited conversation to collaborators Sep 20, 2019