Bad signature Error when importing files from Google / Onedrive using Nextcloud app

Nextcloud version (eg, 20.0.5): 22.2.0
Operating system and version (eg, Ubuntu 20.04): Ubuntu 20.04
Apache or nginx version (eg, Apache 2.4.25): 2.4.x
PHP version (eg, 7.4): 7.3

The issue you are facing:
When using the Google Integration App (or the one for OneDrive) to migrate data to Nextcloud, all migrated data will become inaccessible with the error “bad signature”.
Opening the files using an editor reveals that for some reason they are already encrypted using the default encryption module but it doesn't work at all.

Did some searching and found out it's related to the encryption (as usual everything breaks if you wanna be secure -.-) and that you can disable the signature check (not recommended at all tho). Now even after doing that I had no success loading the files. This time the error says “Empty string or invalid image” which I can confirm when looking at raw data. An imported document is now just “111111111” (idk if that's really better than no document at all bc it doesn't load). Can anyone tell me what I'm supposed to do?

Is this the first time you’ve seen this error? (Y/N): Yes, and hopefully the last time as well

Steps to replicate it:

  1. Install Google / OneDrive Integration
  2. Enable Server-side encryption
  3. Import data
  4. Be sad because it doesn’t open

The output of your Nextcloud log in Admin > Logging:

About 5k times the same line:

[webdav] Fatal: Bad Signature

GET /remote.php/dav/files/Clara/OneDrive%20import/Rechnungen/Rechnung_VK_2020_11091.pdf
from [My lovely IP] by Clara at 2021-10-21T09:41:52+00:00

One full error:
{"reqId":"EfbpYK01O8JyhxnMut7U","level":3,"time":"2021-10-21T16:15:14+00:00","remoteAddr":"","user":"--","app":"core","method":"","url":"--","message":"Error while running background job (class: OCA\\Maps\\BackgroundJob\\UpdatePhotoByFileJob, arguments: Array\n(\n    [fileId] => 67815\n    [userId] => Clara\n)\n)","userAgent":"--","version":"22.2.0.2","exception":{"Exception":"OCP\\Encryption\\Exceptions\\GenericEncryptionException","Message":"Bad Signature","Code":0,"Trace":[{"file":"/var/www/nextcloud/apps/encryption/lib/Crypto/Crypt.php","line":470,"function":"checkSignature","class":"OCA\\Encryption\\Crypto\\Crypt","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/apps/encryption/lib/Crypto/Encryption.php","line":377,"function":"symmetricDecryptFileContent","class":"OCA\\Encryption\\Crypto\\Crypt","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/Files/Stream/Encryption.php","line":519,"function":"decrypt","class":"OCA\\Encryption\\Crypto\\Encryption","type":"->","args":["*** sensitive parameters replaced 
***"]},{"file":"/var/www/nextcloud/lib/private/Files/Stream/Encryption.php","line":317,"function":"readCache","class":"OC\\Files\\Stream\\Encryption","type":"->"},{"function":"stream_read","class":"OC\\Files\\Stream\\Encryption","type":"->"},{"file":"/var/www/nextcloud/lib/private/legacy/OC_Helper.php","line":259,"function":"fread"},{"file":"/var/www/nextcloud/lib/private/Files/Storage/LocalTempFileTrait.php","line":76,"function":"streamCopy","class":"OC_Helper","type":"::"},{"file":"/var/www/nextcloud/lib/private/Files/Storage/LocalTempFileTrait.php","line":48,"function":"toTmpFile","class":"OC\\Files\\Storage\\Wrapper\\Encryption","type":"->"},{"file":"/var/www/nextcloud/lib/private/Files/Storage/Wrapper/Encryption.php","line":787,"function":"getCachedFile","class":"OC\\Files\\Storage\\Wrapper\\Encryption","type":"->"},{"file":"/var/www/nextcloud/lib/private/Files/Storage/Wrapper/Wrapper.php","line":367,"function":"getLocalFile","class":"OC\\Files\\Storage\\Wrapper\\Encryption","type":"->"},{"file":"/var/www/nextcloud/apps/maps/lib/Service/PhotofilesService.php","line":377,"function":"getLocalFile","class":"OC\\Files\\Storage\\Wrapper\\Wrapper","type":"->"},{"file":"/var/www/nextcloud/apps/maps/lib/Service/PhotofilesService.php","line":137,"function":"getExif","class":"OCA\\Maps\\Service\\PhotofilesService","type":"->"},{"file":"/var/www/nextcloud/apps/maps/lib/BackgroundJob/UpdatePhotoByFileJob.php","line":56,"function":"updateByFileNow","class":"OCA\\Maps\\Service\\PhotofilesService","type":"->","args":["*** sensitive parameters replaced 
***"]},{"file":"/var/www/nextcloud/lib/public/BackgroundJob/Job.php","line":79,"function":"run","class":"OCA\\Maps\\BackgroundJob\\UpdatePhotoByFileJob","type":"->"},{"file":"/var/www/nextcloud/lib/public/BackgroundJob/QueuedJob.php","line":47,"function":"execute","class":"OCP\\BackgroundJob\\Job","type":"->"},{"file":"/var/www/nextcloud/cron.php","line":127,"function":"execute","class":"OCP\\BackgroundJob\\QueuedJob","type":"->"}],"File":"/var/www/nextcloud/apps/encryption/lib/Crypto/Crypt.php","Line":495,"Hint":"Bad Signature","CustomMessage":"Error while running background job (class: OCA\\Maps\\BackgroundJob\\UpdatePhotoByFileJob, arguments: Array\n(\n    [fileId] => 67815\n    [userId] => Clara\n)\n)"},"id":"617196d2edaa2"}

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => 'idk if I should keep this or not.',
  'passwordsalt' => 'passwordsugar - lol',
  'secret' => 'shhh dont tell anyone',
  'trusted_domains' => 
  array (
    0 => 'cloud.cynthiaai.de',
  ),
  'datadirectory' => '/var/www/nextcloud-data/',
  'dbtype' => 'mysql',
  'version' => '22.2.0.2',
  'overwrite.cli.url' => 'http://cloud.cynthiaai.de',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'cool name',
  'dbpassword' => 'cool password as well',
  'installed' => true,
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'htaccess.RewriteBase' => '/',
  'default_phone_region' => 'DE',
  'auth.webauthn.enabled' => false,
  'enable_previews' => true,
  'enabledPreviewProviders' => 
  array (
    0 => 'OC\\Preview\\Image',
    1 => 'OC\\Preview\\Movie',
    2 => 'OC\\Preview\\TXT',
    3 => 'OC\\Preview\\MP3',
    4 => 'OC\\Preview\\MKV',
    5 => 'OC\\Preview\\MP4',
    6 => 'OC\\Preview\\AVI',
  ),
  'app_install_overwrite' => 
  array (
    1 => 'drop_account',
    2 => 'socialsharing_email',
    3 => 'socialsharing_facebook',
    4 => 'socialsharing_twitter',
    5 => 'socialsharing_diaspora',
    6 => 'hsts',
    7 => 'ocsms',
  ),
  'maintenance' => false,
  'path' => '',
  'ncd_yt_binary' => '/usr/local/bin/youtube-dl',
  'ncd_aria2_binary' => '/usr/bin/aria2c',
  'loglevel' => 2,
  'knowledgebaseenabled' => false,
  'theme' => '',
);

The output of your Apache/nginx/system log in /var/log/____:

nothing regarding our issue.

Please help me out here as this instance is used by multiple people that rely on these integrations so that they don't have to manually port GBs’ worth of data.

Server-side encryption was designed for external storage. Enabling server-side encryption and then copying data from external to local storage doesn’t make a lot of sense. On local storage there is not the same degree of protection by this encryption solution and you have all the drawbacks of more complicated code that can fail.

Now the document being all 1, does that mean the encryption went completely wrong? If it was just the signature, there are some troubles if you want to restore files without the database being from the same time as the file and key; there have been scripts to decrypt such files ignoring just the signature.

The problem here is that the migration apps are not very often used, and those who use them usually use them once. Combined with the encryption app, adding more complexity, it’s hard to tell what’s going wrong. I’d separate those things.

In a perfect world, it should all work, but seeing the number of unresolved problems regarding encryption, don’t expect that some developer debugs this instantly for you. If you are a company with Nextcloud enterprise subscription and you want to migrate everything from google/onedrive/dropbox/etc. to Nextcloud, this might be different.


Thanks for your answer.

I wasn’t aware of server-side encryption mainly being designed for external storage. So, I could just disable Home storage encryption, I guess? Will that work fine now that encrypted files already exist? Will it just… not encrypt from now and use the encryption keys for the old files or decrypt them?

In theory yes, there is an option to decrypt. There were some reports that it might not work in all cases. So I would double check: first on the oc_filecache table, there is a field for the encryption status, so check if that changed after decrypting. Then check a few files. If you want to check everything, there is a header in each encrypted file, so you could write a script to check each file.
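
A minimal sketch of the per-file header check suggested above, added here as an example and not part of the original reply or of Nextcloud's own code. It assumes the header layout used by Nextcloud's server-side encryption (`HBEGIN:key:value:…:HEND`, padded with `-` to 8192 bytes), which the thread does not spell out; the sample files are constructed.

```python
import tempfile
from pathlib import Path

HEADER_SIZE = 8192  # assumed: header is padded with "-" to one 8 KiB block

def parse_header(block):
    """Return the header's key/value fields, or None if it cannot be parsed."""
    text = block.decode("latin-1")
    end = text.find(":HEND")
    if not text.startswith("HBEGIN:") or end == -1:
        return None
    parts = text[len("HBEGIN:"):end].split(":")
    return dict(zip(parts[0::2], parts[1::2])) if len(parts) % 2 == 0 else None

def classify(path):
    """Classify one file as 'plain', 'encrypted' or 'damaged-header'."""
    with open(path, "rb") as fh:
        block = fh.read(HEADER_SIZE)
    if not block.startswith(b"HBEGIN:"):
        return "plain", {}
    fields = parse_header(block)
    return ("encrypted", fields) if fields is not None else ("damaged-header", {})

def scan(root):
    """Map relative path -> (status, fields) for every file that is not plain."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            status, fields = classify(path)
            if status != "plain":
                report[str(path.relative_to(root))] = (status, fields)
    return report

def build_sample_tree(root):
    """Constructed sample data, standing in for <datadirectory>/<user>/files."""
    header = b"HBEGIN:oc_encryption_module:OC_DEFAULT_MODULE:cipher:AES-256-CTR:signed:true:HEND"
    samples = {
        "still_encrypted.pdf": header.ljust(HEADER_SIZE, b"-") + b"\x00" * 32,
        "plain_note.txt": b"111111111",                  # no header at all
        "cut_off.jpg": b"HBEGIN:oc_encryption_module:OC_DEF",  # truncated header
    }
    for name, data in samples.items():
        Path(root, name).write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, result in scan(tmp).items():
            print(path, *result)
```

Point `scan()` at a user's files directory under the data directory (for the config above, `/var/www/nextcloud-data/Clara/files`) after decrypting; an empty result means no file there still carries an encryption header.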

@Clara_Crazy, were you able to resolve this? I have the same issue. Originally set up the server with server-side encryption AND encrypt home storage enabled. Just tried importing photos from Google and cannot open any of them.

hey.

Yeah, decrypting worked perfectly fine. Importing from Google still is a bit of a gamble but that's due to the app. You might have to re-install the app.

Make a backup before decrypting tho in case anything fails!!!

Thanks @Clara_Crazy, I have a few follow-up questions. Did you delete the Google folder and contents that were unreadable before you decrypted?
Also I am unclear on the two encryption settings. There is “enable server side encryption” and Default Encryption Mode “encrypt home storage”. I have both of these on. Everything I have read on decrypting and turning it off doesn’t make a distinction about these settings. Should I turn off the home storage encryption through the UI (you can deselect the checkbox), or just do everything from the command line? Are these the commands you ran, in what order?

occ encryption:decrypt-all [username]

occ encryption:disable