Signature check during encryption / decryption

Hey guys,

according to Decrypt My Files it seems to be possible to disable the signature check during encryption / decryption in case of a missing, corrupt database.

Disabling the signature check does not work for me. I added “return true” as you mentioned. Then I get a “Missing signature” from the hasSignature function. Therefore I added a “return false” and now decryption failed with “Encryption library: Decryption (symmetric) of content failed”.

Do you have any hints to decrypt files without (correct) signature from the database?

Anyhow, it would be great to store the signature check not in the database (maybe directly in the filesystem?) or to disable the feature, because it’s not that robust, e.g. if you move files from an external storage not within Nextcloud.

Thank you!

Having the same issue when disabling the signature check. @bjoern is there anything else we have to do?

@Tilo The reason why turning off the signature check doesn’t work is that the server reports a different filesize to the client and breaks off the download too early. The client therefore thinks that the connection was lost and reports an error. But the file is already downloaded successfully (e.g. in Chrome you just have to remove .crdownload at the end of the downloaded file). I have written a small Python 3 script that can download the files via WebDAV. It is a dirty hack, but at least I can recover my files.

You can find the script including an explanation in my gitea repository:

(Sorry for repeating this post so often, but there are many forum entries and issues that people looking for a solution might find via Google :))

After checking the downloads I discovered that while the JPEGs open without any problem, my RAW files didn’t. Looking closer at the JPEGs I could see that in the last pixel line there were some blocks missing. So the download wasn’t finished. Following up on the error message that gets displayed in Nextcloud in the hasSignature() call of splitMetaData(), I discovered that the encrypted data field was empty and therefore there can’t be a signature in the file. To bypass this I have added the following if clause into the function symmetricDecryptFileContent() in apps/encryption/lib/Crypto/Crypt.php:

            // Empty encrypted block: nothing to decrypt and no signature to check
            if ($keyFileContents == '') {
                    return '';
            }

I have put this code as the first command in the symmetricDecryptFileContent(). Together with disabling the signature check (putting return true; in the checkSignature() function in the same file):

    private function checkSignature($data, $passPhrase, $expectedSignature) {
            $signature = $this->createSignature($data, $passPhrase);
            if (!hash_equals($expectedSignature, $signature)) {
                    // Early return added for recovery: the throw below is never reached
                    return true;
                    throw new GenericEncryptionException('Bad Signature', $this->l->t('Bad Signature'));
            }
    }

I can now see the previews in the web interface and download all files decrypted and even download the folders as zip-files. My script is not necessary anymore :)
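An added example, not part of the posts above and not Nextcloud's own code: with the check returning true unconditionally, a block that was altered or lost its signature is accepted without any trace, so this sketch keeps recovery unblocked but records each block the strict check would have rejected. It is a simplified model; the HMAC-SHA256 construction, the `auditSignature()` helper, the key and the sample blocks are assumptions constructed for illustration.

```php
<?php
// Added example: a simplified model, not Nextcloud's Crypt.php.
// Assumption: the signature is an HMAC-SHA256 over the encrypted block.

function createSignature(string $data, string $passPhrase): string {
    return hash_hmac('sha256', $data, $passPhrase);
}

// Strict check: true only when the stored signature matches the block.
function signatureMatches(string $data, string $passPhrase, string $expected): bool {
    // hash_equals() compares in constant time, as the original function does
    return hash_equals($expected, createSignature($data, $passPhrase));
}

// Recovery-mode check (hypothetical helper): never aborts, but records every
// block that would have been rejected so the recovered file can be reviewed.
function auditSignature(string $file, int $block, string $data,
                        string $passPhrase, string $expected, array &$report): void {
    if ($expected === '') {
        $report[] = "$file block $block: missing signature";
    } elseif (!signatureMatches($data, $passPhrase, $expected)) {
        $report[] = "$file block $block: bad signature";
    }
}

// Constructed sample data: three encrypted blocks of one file.
$key    = 'constructed-demo-key';
$blocks = ['ciphertext-block-0', 'ciphertext-block-1', 'ciphertext-block-2'];
$sigs   = array_map(fn($b) => createSignature($b, $key), $blocks);

$blocks[1] = 'ciphertext-block-X'; // block changed after signing (corruption or tampering)
$sigs[2]   = '';                   // signature lost, e.g. missing metadata

$report = [];
foreach ($blocks as $i => $b) {
    auditSignature('photos/IMG_0001.jpg', $i, $b, $key, $sigs[$i], $report);
}

// With the check disabled outright, blocks 1 and 2 would be accepted silently.
// Here the caller still decrypts them, but they are flagged for verification.
echo implode(PHP_EOL, $report), PHP_EOL;
```

Files that appear in the report are the ones to compare against another copy or open and inspect, and the strict check can be restored once recovery is finished.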

Have you been able to decrypt your files? If not: We’ve written a tool that allows you to decrypt individual files if you still have your Nextcloud data directory and configuration file. It supports master key encrypted files, user key encrypted files (you additionally need the user passwords) and recovery key encrypted files (you additionally need the recovery password): decrypt-file.php