OC\HintException: Bad Signature #3222

Closed
alrea333 opened this issue Jan 23, 2017 · 25 comments

alrea333 commented Jan 23, 2017

Steps to reproduce

  1. Use last docker of wonderfall/nextcloud
  2. Synchronize Files on windows
  3. Icon becomes red, with fatal error of webdav

Expected behaviour

Tell us what should happen

Actual behaviour

Tell us what happens instead

Server configuration

Operating system:
debian plus docker wonderfall/nextcloud

Web server:
nginx (official docker)

Database:
postgres (official docker)

PHP version:
7.0.14

Nextcloud version: (see Nextcloud admin page)
11.0.1

Updated from an older Nextcloud/ownCloud or fresh install:
Bug was present on version 11.0. Update made via new pull of the docker image

Where did you install Nextcloud from:
docker

Signing status:

Signing status
Login as admin user into your Nextcloud and access 
http://example.com/index.php/settings/integrity/failed 
paste the results here.
No errors have been found.

List of activated apps:

App list

If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your Nextcloud installation folder
Enabled:
  - activity: 2.4.1
  - admin_audit: 1.1.0
  - comments: 1.1.0
  - dav: 1.1.1
  - encryption: 1.4.1
  - federatedfilesharing: 1.1.1
  - federation: 1.1.1
  - files: 1.6.1
  - files_accesscontrol: 1.1.2
  - files_pdfviewer: 1.0.1
  - files_sharing: 1.1.1
  - files_texteditor: 2.2
  - files_trashbin: 1.1.0
  - files_versions: 1.4.0
  - files_videoplayer: 1.0.0
  - firstrunwizard: 2.0
  - gallery: 16.0.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.0.0
  - nextcloud_announcements: 1.0
  - notifications: 1.0.1
  - password_policy: 1.1.0
  - provisioning_api: 1.1.0
  - serverinfo: 1.1.1
  - sharebymail: 1.0.1
  - survey_client: 0.1.5
  - systemtags: 1.1.3
  - theming: 1.1.1
  - twofactor_backupcodes: 1.0.0
  - updatenotification: 1.1.1
  - workflowengine: 1.1.1
Disabled:
  - external
  - files_automatedtagging
  - files_external
  - files_retention
  - spreedme
  - templateeditor
  - user_external
  - user_ldap
  - user_saml

The content of config/config.php:

Config report
{
    "system": {
        "datadirectory": "\/data",
        "apps_paths": [
            {
                "path": "\/nextcloud\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/apps2",
                "url": "\/apps2",
                "writable": true
            }
        ],
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "\/tmp\/redis.sock",
            "port": 0,
            "timeout": 0
        },
        "instanceid": "ocadc83b19e7",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "nextcloud.alrea.net"
        ],
        "overwrite.cli.url": "https:\/\/nextcloud.alrea.net",
        "dbtype": "pgsql",
        "version": "11.0.1.2",
        "dbname": "nextcloud",
        "dbhost": "nextcloud_db",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "mail_from_address": "no-reply",
        "logtimezone": "UTC",
        "logdateformat": "Y-m-d H:i:s",
        "installed": true,
        "mail_smtpmode": "smtp",
        "mail_domain": "alrea.net",
        "mail_smtphost": "relay.mail.gandi.net",
        "mail_smtpport": "587",
        "mail_smtpauthtype": "LOGIN",
        "maintenance": false,
        "loglevel": 0,
        "singleuser": false
    }
}

Are you using external storage, if yes which one: local/smb/sftp/...
NO
Are you using encryption: yes/no
YES at the beginning, then I have tried to stop it, but the Fatal Error still happens during the sync
(commands used to stop encryption:
occ maintenance:singleuser --on
occ encryption:decrypt-all
occ maintenance:singleuser --off)

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...
NO

LDAP configuration (delete this part if not used)

LDAP config
With access to your command line run e.g.:
sudo -u www-data php occ ldap:show-config
from within your Nextcloud installation folder

Without access to your command line download the data/owncloud.db to your local
computer or access your SQL server remotely and run the select query:
SELECT * FROM `oc_appconfig` WHERE `appid` = 'user_ldap';


Eventually replace sensitive data as the name/IP-address of your LDAP server or groups.

Client configuration

Browser:
Chrome 55.0.2883.87

Operating system:
Windows 10

Logs

Web server error log

Web server error log
2017/01/23 18:07:22 [warn] 7#7: *30680 an upstream response is buffered to a temporary file /var/cache/nginx/proxy_temp/7/53/0000000537 while reading upstream, client: 172.20.0.2, server: nextcloud.alrea.net, request: "GET /remote.php/webdav/weTilt/App/weTiltRelecteurApp-0.2-debug.apk HTTP/1.1", upstream: "http://172.21.0.2:8888/remote.php/webdav/weTilt/App/weTiltRelecteurApp-0.2-debug.apk", host: "nextcloud.alrea.net"
2017/01/23 18:07:23 [warn] 7#7: *31065 a client request body is buffered to a temporary file /var/cache/nginx/client_temp/0000000538, client: 172.20.0.2, server: nextcloud.alrea.net, request: "PUT /remote.php/webdav/DealAgri/Catalogues/Caterpillar/Tarif%202017%20PR%20CATERPILLAR%20Net%20Concessionnaires%20Agri%2018%20Janv%202017.xlsx HTTP/1.1", host: "nextcloud.alrea.net"
2017/01/23 18:07:23 [warn] 7#7: *31066 a client request body is buffered to a temporary file /var/cache/nginx/client_temp/0000000539, client: 172.20.0.2, server: nextcloud.alrea.net, request: "PUT /remote.php/webdav/DealAgri/Catalogues/Immat/Immat%202012-2015.xlsx-chunking-1216214631-4-0 HTTP/1.1", host: "nextcloud.alrea.net"
2017/01/23 18:07:33 [warn] 7#7: *31067 an upstream response is buffered to a temporary file /var/cache/nginx/proxy_temp/0/54/0000000540 while reading upstream, client: 172.20.0.2, server: nextcloud.alrea.net, request: "GET /remote.php/webdav/weTilt/App/weTiltStudentApp-0.2-debug.apk HTTP/1.1", upstream: "http://172.21.0.2:8888/remote.php/webdav/weTilt/App/weTiltStudentApp-0.2-debug.apk", host: "nextcloud.alrea.net"
2017/01/23 18:07:45 [error] 7#7: *31067 upstream prematurely closed connection while reading upstream, client: 172.20.0.2, server: nextcloud.alrea.net, request: "GET /remote.php/webdav/weTilt/Arbre%20r%C3%A9ponse/Arbre%20r%C3%A9ponse.txt HTTP/1.1", upstream: "http://172.21.0.2:8888/remote.php/webdav/weTilt/Arbre%20r%C3%A9ponse/Arbre%20r%C3%A9ponse.txt", host: "nextcloud.alrea.net"

Nextcloud log (data/nextcloud.log)

Nextcloud log
Fatal	webdav	OC\HintException: Bad Signature
/nextcloud/apps/encryption/lib/Crypto/Crypt.php - line 464: OCA\Encryption\Crypto\Crypt->checkSignature('0rGJBE38rePRmGS...', '\xCA\xA7\xB3j\xFE\xEF\xC61\xFB{\x89G\x1D\xD8\n...', 'ab96d45fbe17f8f...')
/nextcloud/apps/encryption/lib/Crypto/Encryption.php - line 372: OCA\Encryption\Crypto\Crypt->symmetricDecryptFileContent('0rGJBE38rePRmGS...', '\xCA\xA7\xB3j\xFE\xEF\xC61\xFB{\x89G\x1D\xD8\n...', 'AES-256-CTR', 34, '0end')
/nextcloud/lib/private/Files/Stream/Encryption.php - line 460: OCA\Encryption\Crypto\Encryption->decrypt('0rGJBE38rePRmGS...', '0end')
/nextcloud/lib/private/Files/Stream/Encryption.php - line 291: OC\Files\Stream\Encryption->readCache()
[internal function] OC\Files\Stream\Encryption->stream_read(1555)
/nextcloud/3rdparty/icewind/streams/src/Wrapper.php - line 83: fread(Resource id #43, 8192)
/nextcloud/3rdparty/icewind/streams/src/CallbackWrapper.php - line 91: Icewind\Streams\Wrapper->stream_read(8192)
[internal function] Icewind\Streams\CallbackWrapper->stream_read(8192)
/nextcloud/3rdparty/sabre/http/lib/Sapi.php - line 78: stream_copy_to_stream(Resource id #46, Resource id #48, '1555')
/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 498: Sabre\HTTP\Sapi sendResponse(Object(Sabre\HTTP\Response))
/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 254: Sabre\DAV\Server->invokeMethod(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
/nextcloud/apps/dav/appinfo/v1/webdav.php - line 60: Sabre\DAV\Server->exec()
/nextcloud/remote.php - line 165: require_once('/nextcloud/apps...')
{main}

Browser log

Browser log
Insert your browser log here, this could for example include:

a) The javascript console log
b) The network log
c) ...
@MorrisJobke
Member

cc @schiessle for the encryption app.

@MorrisJobke added the "0. Needs triage" and "feature: encryption (server-side)" labels on Jan 24, 2017
@alrea333
Author

alrea333 commented Feb 1, 2017

I have identified the file that was creating this error. This document was uploaded to a shared folder by a user who was not the owner of the folder. This user has not enabled the password recovery. It seems that Nextcloud has used the password of this user to encrypt the file and the password of the owner of the folder to decrypt it.

@gvmura
Contributor

gvmura commented Apr 5, 2017

Hi,
I have a similar problem on Nextcloud 11.0.2. Apache 2.4.18. Php 7.0.15.

  1. A Google External storage available for two users, with encryption.
  2. User [A] hasn't enabled the password recovery, user [B] yes.

I have tested the "occ decrypt-all" and I have found the same behavior: a couple of files (with same name) for the same file, only for files owned by user [B]. I watched them from Google Drive.
From nextcloud web interface and from Windows client the files of the user [B] are missing.

I have tried to delete from Drive the crypted version of each file of user [B] and, after that, the decrypted file appears on the web interface and on the client.

@trobotham

having this issue as well

@jpaechnatz

Nextcloud 11.0.3
Shared Folder via Link with Public Upload enabled.
If someone uploads a file via this link it's corrupted afterwards.
Logfile content:
{"reqId":"WQM7@M53jwtNBTOaGYqSgAAAAAM","remoteAddr":"62.206.86.146","app":"no app in context","message":"Exception: {"Exception":"OC\\HintException","Message":"Bad Signature","Code":0,"Trace":"#0 \/var\/www\/html\/apps\/encryption\/lib\/Crypto\/Crypt.php(464): OCA\\Encryption\\Crypto\\Crypt->checkSignature('8XHXKU4NXSprMvh...', '\\x83X\\xA9\\xD3\\xAD\\x1C\\x88\\xB0=8\\xCB\\xFCP\\x91S...', 'fb962864ce4fc85...')\n#1 \/var\/www\/html\/apps\/encryption\/lib\/Crypto\/Encryption.php(372): OCA\\Encryption\\Crypto\\Crypt->symmetricDecryptFileContent('8XHXKU4NXSprMvh...', '\\x83X\\xA9\\xD3\\xAD\\x1C\\x88\\xB0=8\\xCB\\xFCP\\x91S...', 'AES-256-CTR', 0, 0)\n#2 \/var\/www\/html\/lib\/private\/Files\/Stream\/Encryption.php(460): OCA\\Encryption\\Crypto\\Encryption->decrypt(*** sensitive parameters replaced ***)\n#3 \/var\/www\/html\/lib\/private\/Files\/Stream\/Encryption.php(291): OC\\Files\\Stream\\Encryption->readCache()\n#4 [internal function]: OC\\Files\\Stream\\Encryption->stream_read(8192)\n#5 \/var\/www\/html\/3rdparty\/icewind\/streams\/src\/Wrapper.php(83): fread(Resource id #635, 8192)\n#6 \/var\/www\/html\/3rdparty\/icewind\/streams\/src\/CallbackWrapper.php(91): Icewind\\Streams\\Wrapper->stream_read(8192)\n#7 [internal function]: Icewind\\Streams\\CallbackWrapper->stream_read(8192)\n#8 \/var\/www\/html\/lib\/private\/Files\/View.php(433): fread(Resource id #639, 8192)\n#9 \/var\/www\/html\/lib\/private\/legacy\/files.php(305): OC\\Files\\View->readfile('\/Test2\/AZ-schue...')\n#10 \/var\/www\/html\/lib\/private\/legacy\/files.php(120): OC_Files::getSingleFile(Object(OC\\Files\\View), '\/Test2', 'AZ-schueler-bah...', Array)\n#11 \/var\/www\/html\/apps\/files_sharing\/lib\/Controller\/ShareController.php(529): OC_Files::get('\/Test2', Array, Array)\n#12 [internal function]: OCA\\Files_Sharing\\Controller\\ShareController->downloadShare('o9J6dbTfCI7GMjo', 'AZ-schueler-bah...', '\/', '')\n#13 \/var\/www\/html\/lib\/private\/AppFramework\/Http\/Dispatcher.php(160): 
call_user_func_array(Array, Array)\n#14 \/var\/www\/html\/lib\/private\/AppFramework\/Http\/Dispatcher.php(90): OC\\AppFramework\\Http\\Dispatcher->executeController(Object(OCA\\Files_Sharing\\Controller\\ShareController), 'downloadShare')\n#15 \/var\/www\/html\/lib\/private\/AppFramework\/App.php(114): OC\\AppFramework\\Http\\Dispatcher->dispatch(Object(OCA\\Files_Sharing\\Controller\\ShareController), 'downloadShare')\n#16 \/var\/www\/html\/lib\/public\/AppFramework\/App.php(136): OC\\AppFramework\\App::main('ShareController', 'downloadShare', Object(OC\\AppFramework\\DependencyInjection\\DIContainer))\n#17 \/var\/www\/html\/core\/routes.php(99): OCP\\AppFramework\\App->dispatch('ShareController', 'downloadShare')\n#18 [internal function]: OC\\Route\\Router->{closure}(Array)\n#19 \/var\/www\/html\/lib\/private\/Route\/Router.php(299): call_user_func(Object(Closure), Array)\n#20 \/var\/www\/html\/lib\/base.php(1010): OC\\Route\\Router->match('\/s\/o9J6dbTfCI7G...')\n#21 \/var\/www\/html\/index.php(40): OC::handleRequest()\n#22 {main}","File":"\/var\/www\/html\/apps\/encryption\/lib\/Crypto\/Crypt.php","Line":484}","level":3,"time":"2017-04-28T14:56:25+02:00","method":"GET","url":"/index.php/s/o9J6dbTfCI7GMjo/download?files=AZ-schueler-bahnhof-albig.pdf&path=%2F","user":"--","version":"11.0.3.2"}
{"reqId":"WQnOp5MCi2V73A6VHohfYAAAAAY","remoteAddr":"62.206.86.146","app":"webdav","message":"Exception: {"Message":"Bad Signature","Exception":"OC\\HintException","Code":0,"Trace":"#0 \/var\/www\/html\/apps\/encryption\/lib\/Crypto\/Crypt.php(464): OCA\\Encryption\\Crypto\\Crypt->checkSignature('8XHXKU4NXSprMvh...', '\\x83X\\xA9\\xD3\\xAD\\x1C\\x88\\xB0=8\\xCB\\xFCP\\x91S...', 'fb962864ce4fc85...')\n#1 \/var\/www\/html\/apps\/encryption\/lib\/Crypto\/Encryption.php(372): OCA\\Encryption\\Crypto\\Crypt->symmetricDecryptFileContent('8XHXKU4NXSprMvh...', '\\x83X\\xA9\\xD3\\xAD\\x1C\\x88\\xB0=8\\xCB\\xFCP\\x91S...', 'AES-256-CTR', 0, 0)\n#2 \/var\/www\/html\/lib\/private\/Files\/Stream\/Encryption.php(460): OCA\\Encryption\\Crypto\\Encryption->decrypt('8XHXKU4NXSprMvh...', 0)\n#3 \/var\/www\/html\/lib\/private\/Files\/Stream\/Encryption.php(291): OC\\Files\\Stream\\Encryption->readCache()\n#4 [internal function]: OC\\Files\\Stream\\Encryption->stream_read(8192)\n#5 \/var\/www\/html\/3rdparty\/icewind\/streams\/src\/Wrapper.php(83): fread(Resource id #535, 8192)\n#6 \/var\/www\/html\/3rdparty\/icewind\/streams\/src\/CallbackWrapper.php(91): Icewind\\Streams\\Wrapper->stream_read(8192)\n#7 [internal function]: Icewind\\Streams\\CallbackWrapper->stream_read(8192)\n#8 \/var\/www\/html\/3rdparty\/sabre\/http\/lib\/Sapi.php(78): stream_copy_to_stream(Resource id #539, Resource id #549, '281340')\n#9 \/var\/www\/html\/3rdparty\/sabre\/dav\/lib\/DAV\/Server.php(498): Sabre\\HTTP\\Sapi::sendResponse(Object(Sabre\\HTTP\\Response))\n#10 \/var\/www\/html\/3rdparty\/sabre\/dav\/lib\/DAV\/Server.php(254): Sabre\\DAV\\Server->invokeMethod(Object(Sabre\\HTTP\\Request), Object(Sabre\\HTTP\\Response))\n#11 \/var\/www\/html\/apps\/dav\/appinfo\/v1\/webdav.php(60): Sabre\\DAV\\Server->exec()\n#12 \/var\/www\/html\/remote.php(165): require_once('\/var\/www\/html\/a...')\n#13 
{main}","File":"\/var\/www\/html\/apps\/encryption\/lib\/Crypto\/Crypt.php","Line":484,"User":"admin"}","level":4,"time":"2017-05-03T14:35:51+02:00","method":"GET","url":"/remote.php/webdav/Test2/AZ-schueler-bahnhof-albig.pdf","user":"admin","version":"11.0.3.2"}

@jpaechnatz

The same happens with a password protected link:
{"reqId":"WQnXY2adMbZbDiTDu7g-qQAAAAM","remoteAddr":"62.206.86.146","app":"webdav","message":"Exception: {"Message":"Bad Signature","Exception":"OC\\HintException","Code":0,"Trace":"#0 \/var\/www\/html\/apps\/encryption\/lib\/Crypto\/Crypt.php(464): OCA\\Encryption\\Crypto\\Crypt->checkSignature('lJY9CoN9b66dgIE...', '<!\\xC6O\\xF7Q\\xEE\\xCF\\x16\\xF2g\\xCEKV\\x0F...', 'f427f692ee3fed5...')\n#1 \/var\/www\/html\/apps\/encryption\/lib\/Crypto\/Encryption.php(372): OCA\\Encryption\\Crypto\\Crypt->symmetricDecryptFileContent('lJY9CoN9b66dgIE...', '<!\\xC6O\\xF7Q\\xEE\\xCF\\x16\\xF2g\\xCEKV\\x0F...', 'AES-256-CTR', 0, 0)\n#2 \/var\/www\/html\/lib\/private\/Files\/Stream\/Encryption.php(460): OCA\\Encryption\\Crypto\\Encryption->decrypt('lJY9CoN9b66dgIE...', 0)\n#3 \/var\/www\/html\/lib\/private\/Files\/Stream\/Encryption.php(291): OC\\Files\\Stream\\Encryption->readCache()\n#4 [internal function]: OC\\Files\\Stream\\Encryption->stream_read(8192)\n#5 \/var\/www\/html\/3rdparty\/icewind\/streams\/src\/Wrapper.php(83): fread(Resource id #535, 8192)\n#6 \/var\/www\/html\/3rdparty\/icewind\/streams\/src\/CallbackWrapper.php(91): Icewind\\Streams\\Wrapper->stream_read(8192)\n#7 [internal function]: Icewind\\Streams\\CallbackWrapper->stream_read(8192)\n#8 \/var\/www\/html\/3rdparty\/sabre\/http\/lib\/Sapi.php(78): stream_copy_to_stream(Resource id #539, Resource id #549, '249312')\n#9 \/var\/www\/html\/3rdparty\/sabre\/dav\/lib\/DAV\/Server.php(498): Sabre\\HTTP\\Sapi::sendResponse(Object(Sabre\\HTTP\\Response))\n#10 \/var\/www\/html\/3rdparty\/sabre\/dav\/lib\/DAV\/Server.php(254): Sabre\\DAV\\Server->invokeMethod(Object(Sabre\\HTTP\\Request), Object(Sabre\\HTTP\\Response))\n#11 \/var\/www\/html\/apps\/dav\/appinfo\/v1\/webdav.php(60): Sabre\\DAV\\Server->exec()\n#12 \/var\/www\/html\/remote.php(165): require_once('\/var\/www\/html\/a...')\n#13 
{main}","File":"\/var\/www\/html\/apps\/encryption\/lib\/Crypto\/Crypt.php","Line":484,"User":"admin"}","level":4,"time":"2017-05-03T15:13:07+02:00","method":"GET","url":"/remote.php/webdav/Test3/hifiberry-ct2015-07.pdf","user":"admin","version":"11.0.3.2"}

@danielkoch

Same here with password protected shared link.

@maximusVII

Same here with a shared link (without password protection).

@lucasvog

Same, but nothing was shared because sharing in any form is disabled:

/var/www/html/nextcloud/apps/encryption/lib/Crypto/Crypt.php - line 464: OCA\Encryption\Crypto\Crypt->checkSignature('IEHNkPQ4+YcsaoA...', ',\xA7\xA2q\xEB\xBC8F\xA6\x07\xA7#J\xA6B...', 'cdf4e80a847cf79...')
/var/www/html/nextcloud/apps/encryption/lib/Crypto/Encryption.php - line 372: OCA\Encryption\Crypto\Crypt->symmetricDecryptFileContent('IEHNkPQ4+YcsaoA...', ',\xA7\xA2q\xEB\xBC8F\xA6\x07\xA7#J\xA6B...', 'AES-256-CTR', 0, 0)
/var/www/html/nextcloud/lib/private/Files/Stream/Encryption.php - line 460: OCA\Encryption\Crypto\Encryption->decrypt('IEHNkPQ4+YcsaoA...', 0)
/var/www/html/nextcloud/lib/private/Files/Stream/Encryption.php - line 291: OC\Files\Stream\Encryption->readCache()
[internal function] OC\Files\Stream\Encryption->stream_read(8192)
/var/www/html/nextcloud/3rdparty/icewind/streams/src/Wrapper.php - line 83: fread(Resource id #108, 8192)
/var/www/html/nextcloud/3rdparty/icewind/streams/src/CallbackWrapper.php - line 91: Icewind\Streams\Wrapper->stream_read(8192)
[internal function] Icewind\Streams\CallbackWrapper->stream_read(8192)
/var/www/html/nextcloud/3rdparty/sabre/http/lib/Sapi.php - line 78: stream_copy_to_stream(Resource id #111, Resource id #113, '9203932')
/var/www/html/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 498: Sabre\HTTP\Sapi sendResponse(Object(Sabre\HTTP\Response))
/var/www/html/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php - line 254: Sabre\DAV\Server->invokeMethod(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
/var/www/html/nextcloud/apps/dav/appinfo/v1/webdav.php - line 60: Sabre\DAV\Server->exec()
/var/www/html/nextcloud/remote.php - line 165: require_once('/var/www/html/n...')
{main}

@mrkskwsnck

Carp, I ran into exactly that same issue :-(

@ggeorgg

ggeorgg commented Jun 26, 2017

Me too. Just sent a public link to a friend so that he could upload a file. The file is shown on the server but cannot be opened. Encryption is enabled.

@takiainen

takiainen commented Jun 26, 2017

Here also. I also sent a public link for a friend to upload some files. He did upload them, but I cannot access them.

I sent the link using latest nextcloud dev android client from F-Droid. Just before sending the link, I created a folder into which he could upload the files.

Now I only see the newly created folder with my android client, but I do not see the content.

If I login via browser, I cannot see the folder nor the files. Also desktop sync fails.

I have Nextcloud 11.0.3 (stable), running on Linux Mint 17.3. I'm using Nginx.

@JB1985

JB1985 commented Jun 27, 2017

Same here with Nextcloud 11.0.3

Debian 8
PHP5.6
mySQL5
Apache2.4

Encryption is enabled!

Is this bug fixed in Nextcloud12 ?

@js94x

js94x commented Jun 27, 2017

Same here. We are using an encrypted Nextcloud instance 11.0.3.

Steps to reproduce:
An authenticated user creates a public share with write permission for everyone. A file upload in this share succeeds, but when another user or the authenticated user tries to download this file an error occurs.

Log entry:
Jun 27 11:55:29 websrv ownCloud[5621]: {no app in context} Exception: {"Exception":"OC\\HintException","Message":"Bad Signature","Code":0,"Trace":"#0 \/www\/htdocs\/apps\/encryption\/lib\/Crypto\/Crypt.php(464): OCA\\Encryption\\Crypto\\Crypt->checkSignature('oCL5gZo=', '$w@+\\xA1\\xC0A\\xD03\\xA2\\x8Ek\\xE0\\xC1\\x93...', '2cae3f981681ad1...')\n#1 \/www\/htdocs\/apps\/encryption\/lib\/Crypto\/Encryption.php(372): OCA\\Encryption\\Crypto\\Crypt->symmetricDecryptFileContent('oCL5gZo=00iv00;...', '$w@+\\xA1\\xC0A\\xD03\\xA2\\x8Ek\\xE0\\xC1\\x93...', 'AES-256-CTR', 0, 0)\n#2 \/www\/htdocs\/lib\/private\/Files\/Stream\/Encryption.php(460): OCA\\Encryption\\Crypto\\Encryption->decrypt(*** sensitive parameters replaced ***)\n#3 \/www\/htdocs\/lib\/private\/Files\/Stream\/Encryption.php(291): OC\\Files\\Stream\\Encryption->readCache()\n#4 [internal function]: OC\\Files\\Stream\\Encryption->stream_read(8192)\n#5 \/www\/htdocs\/apps\/files_external\/3rdparty\/icewind\/streams\/src\/Wrapper.php(83): fread(Resource id #56, 8192)\n#6 \/www\/htdocs\/apps\/files_external\/3rdparty\/icewind\/streams\/src\/CallbackWrapper.php(91): Icewind\\Streams\\Wrapper->stream_read(8192)\n#7 [internal function]: Icewind\\Streams\\CallbackWrapper->stream_read(8192)\n#8 \/www\/htdocs\/lib\/private\/Files\/View.php(433): fread(Resource id #59, 8192)\n#9 \/www\/htdocs\/lib\/private\/legacy\/files.php(305): OC\\Files\\View->readfile('\/Test Ergeb...')\n#10 \/www\/htdocs\/lib\/private\/legacy\/files.php(120): OC_Files::getSingleFile(Object(OC\\Files\\View), '\/Test Ergeb...', 'test.txt', Array)\n#11 \/www\/htdocs\/apps\/files_sharing\/lib\/Controller\/ShareController.php(529): OC_Files::get('\/Test Ergeb...', 'test.txt', Array)\n#12 [internal function]: OCA\\Files_Sharing\\Controller\\ShareController->downloadShare('8IK7S4hWMopAhKX', 'test.txt', '\/', 'tok4w7asw6ph')\n#13 \/www\/htdocs\/lib\/private\/AppFramework\/Http\/Dispatcher.php(160): call_user_func_array(Array, Array)\n#14 
\/www\/htdocs\/lib\/private\/AppFramework\/Http\/Dispatcher.php(90): OC\\AppFramework\\Http\\Dispatcher->executeController(Object(OCA\\Files_Sharing\\Controller\\ShareController), 'downloadShare')\n#15 \/www\/htdocs\/lib\/private\/AppFramework\/App.php(114): OC\\AppFramework\\Http\\Dispatcher->dispatch(Object(OCA\\Files_Sharing\\Controller\\ShareController), 'downloadShare')\n#16 \/www\/htdocs\/lib\/public\/AppFramework\/App.php(136): OC\\AppFramework\\App::main('ShareController', 'downloadShare', Object(OC\\AppFramework\\DependencyInjection\\DIContainer))\n#17 \/www\/htdocs\/core\/routes.php(99): OCP\\AppFramework\\App->dispatch('ShareController', 'downloadShare')\n#18 [internal function]: OC\\Route\\Router->{closure}(Array)\n#19 \/www\/htdocs\/lib\/private\/Route\/Router.php(299): call_user_func(Object(Closure), Array)\n#20 \/www\/htdocs\/lib\/base.php(1010): OC\\Route\\Router->match('\/s\/8IK7S4hWMopA...')\n#21 \/www\/htdocs\/index.php(40): OC::handleRequest()\n#22 {main}","File":"\/www\/htdocs\/apps\/encryption\/lib\/Crypto\/Crypt.php","Line":484}

@js94x

js94x commented Jun 27, 2017

@MorrisJobke @schiessle
I would appreciate it if you could prioritize this issue. This behavior is still reproducible with a newly installed instance (v11.0.3).

UPDATE:
Problem isn't reproducible with Nextcloud 12

@JB1985

JB1985 commented Jun 28, 2017

@js94x thanks for your Update!

I have updated to Nextcloud 12 and the bug is fixed in nc12.

@schiessle
Member

schiessle commented Jun 30, 2017

We had two fixes with encryption regarding public links:

Both were backported to stable11 and released with Nextcloud 11. If you still have the problem with Nextcloud 11 I need a detailed description:

  • How was the link share created (share by mail or normal link share)?
  • What permissions?
  • Do you use the master key?
  • What Nextcloud version?

If I have this information I can try to reproduce it and see if we missed a backport.

@mrkskwsnck

@schiessle As for me it was a normal link share with permissions set to upload only. But how do I know if I am using a master key, sorry?

@schiessle
Member

@mrkskwsnck you don't use the master key if you just enabled it in the admin settings and the "default encryption app". The master key needs to be enabled with occ: ./occ encryption:enable-master-key

What Nextcloud version do you use?

@mrkskwsnck

@schiessle I am running the Nextcloud Box with a set up Nextcloud as snap with version 11.0.3 because there still is no NC12 snap available.

In fact I set up encryption using the default encryption module without setting an explicit master key.

@ggeorgg

ggeorgg commented Jun 30, 2017

Nextcloud 11.0.3 (stable)
Default encryption module
normal link share
permissions: read and upload
I have set a master recovery key in the backend to be able to restore user data if they lost their password.

@js94x

js94x commented Jun 30, 2017

@schiessle:
Install Nextcloud 11.0.3, login with admin, enable default encryption module, enable server side encryption, re-login to initialize keys, set global recovery key, enable password recovery for user admin, create directory, share it via link (Permissions: read and upload), copy link to clipboard
Important: open another browser (or delete cookies ;) ), upload a test file, download the test file.

The download seems to be successful, but the file content is invalid. There is an HTML page with error message 'Bad Signature'.

Hope you can reproduce it.

@schiessle
Member

Thanks @ggeorgg and @js94x now I can reproduce it. I will debug it and keep you updated

@schiessle
Member

schiessle commented Jul 6, 2017

OK, I found two issues. One is that we don't encrypt the file with the recovery key, this will be fixed here: #5629

But the real reason why you can't read the file uploaded via a public link is because we write in the file cache "0" to the "encrypted" column while "1" would be the right value. The strange thing is that we execute the exact same code path like we did for uploads done by a logged in user and there it works.

This is the point in the code where we set "encrypted" to "1" after the upload: https://github.com/nextcloud/server/blob/stable11/apps/encryption/lib/KeyManager.php#L464 But for some reason at the end "0" is stored in the file cache. The complete code path within encryption didn't change between stable11, stable12 and master. But the problem only appears with stable11. @icewind1991 are you aware of any change on the file cache which could have solved the problem for Nextcloud >11? Anything we could backport? Maybe you can have a look, Thanks!
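
Added example (not part of the thread and not Nextcloud code): a triage script for the Bad Signature log entries quoted in the comments above, which pulls the affected file, the user and the symmetricDecryptFileContent arguments out of each line. It assumes the two arguments after the cipher name are the file version and the block position, so a version of 0 is what a file cache entry with "encrypted" = 0 would produce; the sample lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed log lines shaped like the nextcloud.log entries quoted in this thread
# (token, address, file names and timestamps are made up). As on the page, the inner
# exception JSON is not escaped, so json.loads() would reject these lines.
SAMPLE_LOG = [
    r"""{"reqId":"r1","remoteAddr":"192.0.2.10","app":"no app in context","message":"Exception: {"Exception":"OC\\HintException","Message":"Bad Signature","Code":0,"Trace":"#0 \/var\/www\/html\/apps\/encryption\/lib\/Crypto\/Crypt.php(464): OCA\\Encryption\\Crypto\\Crypt->checkSignature('AAAA...', ',\\xA7)...', 'ffff...')\n#1 \/var\/www\/html\/apps\/encryption\/lib\/Crypto\/Encryption.php(372): OCA\\Encryption\\Crypto\\Crypt->symmetricDecryptFileContent('AAAA...', ',\\xA7)...', 'AES-256-CTR', 0, 0)\n#2 {main}","File":"Crypt.php","Line":484}","level":3,"time":"2017-01-01T10:00:00+00:00","method":"GET","url":"/index.php/s/EXAMPLETOKEN/download?files=report.pdf&path=%2F","user":"--","version":"11.0.3.2"}""",
    r"""{"reqId":"r2","remoteAddr":"192.0.2.10","app":"webdav","message":"Exception: {"Message":"Bad Signature","Exception":"OC\\HintException","Code":0,"Trace":"#0 \/var\/www\/html\/apps\/encryption\/lib\/Crypto\/Encryption.php(372): OCA\\Encryption\\Crypto\\Crypt->symmetricDecryptFileContent('BBBB...', '\\x83X...', 'AES-256-CTR', 34, '0end')\n#1 {main}","File":"Crypt.php","Line":484,"User":"admin"}","level":4,"time":"2017-01-01T10:05:00+00:00","method":"GET","url":"/remote.php/webdav/Test2/My%20file.pdf","user":"admin","version":"11.0.3.2"}""",
    r"""{"reqId":"r3","remoteAddr":"192.0.2.10","app":"core","message":"Login successful","level":1,"time":"2017-01-01T10:10:00+00:00","method":"POST","url":"/index.php/login","user":"admin","version":"11.0.3.2"}""",
]

# Assumption: the two arguments after the cipher name are the file version and the
# block position (the traces on the page show "0, 0" and "34, '0end'").
FRAME = re.compile(r"symmetricDecryptFileContent\(.*?'([A-Z0-9-]+)',\s*(\d+),\s*'?(\w+)'?\)")
PUBLIC_SHARE = re.compile(r"(/index\.php)?/s/")
WEBDAV = "/remote.php/webdav/"


def last_field(line, name):
    """Return the last "name":"value" pair; the request fields follow the message."""
    hits = re.findall(r'"%s":"([^"]*)"' % re.escape(name), line)
    return hits[-1].replace("\\/", "/") if hits else None


def affected_file(url):
    """Map a request URL to the file it asked for, or None if it cannot be told."""
    if not url:
        return None
    parts = urlsplit(url)
    if parts.path.startswith(WEBDAV):
        return "/" + unquote(parts.path[len(WEBDAV):])
    query = parse_qs(parts.query)
    if "files" in query:
        # For a public link the path is relative to the shared folder.
        return query.get("path", ["/"])[0].rstrip("/") + "/" + query["files"][0]
    return None


def triage(lines):
    """Collect one finding per log line that reports a Bad Signature exception."""
    findings = []
    for line in lines:
        if "Bad Signature" not in line:
            continue
        frame = FRAME.search(line)
        url = last_field(line, "url")
        version = int(frame.group(2)) if frame else None
        findings.append({
            "time": last_field(line, "time"),
            "user": last_field(line, "user"),
            "file": affected_file(url),
            "public_link": bool(url) and bool(PUBLIC_SHARE.match(urlsplit(url).path)),
            "cipher": frame.group(1) if frame else None,
            "version": version,
            "position": frame.group(3) if frame else None,
            # Version 0 on an encrypted file fits a file cache row with "encrypted" = 0.
            "version_zero": version == 0,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Entries flagged version_zero on public-link downloads are the ones to re-test after upgrading; entries with a non-zero version point to a different cause and need separate investigation.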

@MorrisJobke added the "bug" and "feature: sharing" labels and removed the "0. Needs triage" label on Jul 27, 2017
@nextcloud-bot added the "stale" label on Jun 20, 2018
@schiessle
Member

Closed as this is fixed for Nextcloud >=12 and Nextcloud 11 is no longer supported
