Signal encryption keyring changed from gnome_libsecret to basic_text #753
Comments
|
Same just started happening for me, also on Fedora 40 |
|
Can confirm, I updated and got this error.
Running from terminal with that flag then leads this this:
Workaround / fix:Open Flatseal, navigate to Signal, scroll down to "session bus", remove "org.freedesktop.secrets". Close, then reopen. You will need to relink your device, but it should now work.
|
|
Use flatseal to set the env var SIGNAL_PASSWORD_STORE to gnome-libsecret |
|
@bermeitinger-b Not working here, every startup Signal tells me DB is broken. |
I can do that and delete my database, but I'm trying to find a way of not needing to delete my database. |
|
Having the same issue. Debian stable bookworm here with flatpak 1.14.10 from debian repo. there was no need to delete anything, just worked again. A short grep in signals flatpak directory |
To set it permanently for your user, set flatpak override org.signal.Signal --user --env=SIGNAL_PASSWORD_STORE=gnome-libsecret |
|
I have tried to assemble troubleshooting instructions in one place here: https://community.signalusers.org/t/warning-do-not-update-from-flathub-database-error/63222#p-251892-database-error-keyring-backend-has-changed-5 If anyone needs help, please ask in that thread rather than on github. |
The tutoral instructs to use:
which did not return anything to me. However, browsing with Seahorse I have found an entry that had no label at all but had
revealed that the entry was created on Sept 26th 2024 so it's not some old leftover. How can I make signal use this one and try to recover using it? My |
|
I have that entry in my keystore as well. I'm not sure where it came from. I can only get Signal to launch with gnome-libsecret when the keyring entry is in a Chromium Safe Storage entry with the application set to Signal. I am generating the entry with a script in Electron Fiddle: |
|
had to set SIGNAL_PASSWORD_STORE=basic and restore a config.json backup with the unencrypted key. if i leave SIGNAL_PASSWORD_STORE=gmome-libsecret, it encrypts the key at start in the config.json but doesn't put it into the system keyring. what a royal mess for people without a backup of a supposed to be stateless application |
fastest solution |
On a Debian install from the .deb, the key written is called "Chromium Safe Storage" and the attribute is application: Signal, so that's probably the correct key. |
Try testing If you previously had |
I just tested the PR build and it still won't allow me to get back to my old database despite switching to gnome-libsecret, it prompts me to delete it and restart the application. Is that expected? Should I just do that or is there a chance that there will be a fix that will allow me to go back to my messages/media? |
|
I managed to resolve this due to finding an unintentional backup of my config file located at ~/.config/Signal/config.json from when I used to use a non-flatpak version of Signal, whereas my current config file (which only conatined the encrypted key) is located at ~/.var/app/org.signal.Signal/config/Signal/config.json. This may be helpful to anyone who previously used a non-flatpak signal package before switching to flatkpak, or vice versa, due to different package formats using different config file paths. |
I had same issue on Linux Mint 22, luckily i could restore config.json from daily timeshift backup and switch back to basic password store. |
|
Fedora 40. Got this error this morning. Tried the above solutions (flatseal, flatpak override...), but nothing works. I get the following "A database error occurred". |
@hotrooibos you probably are facing this issue #723. You can look at these instructions to try and fix the problem: https://community.signalusers.org/t/warning-do-not-update-from-flathub-database-error/63222#p-251892-database-error-a-database-error-has-occurred-6 . |
I only get this once I change the SIGNAL_PASSWORD_STORE variable (either with the above command line, or through flatseal) to gnome-libsecret. If I revert it to basic, I'm back with the current issue. Since I've never installed a non-flatpak version of Signal, I guess my local data is now lost. |
The default has been set to basic, because of issues with gnome-libsecret. You need to leave it on basic for now, and if you have a backup of the Signal config previous to the current bug, you will be able to recover the data like explained in the recovery guide I linked to. |
This seemed to solve the problem for me, although I get an alert next to the value suggesting something is wrong. |
|
This yellow exclamation mark tells you that this value was changed from the default. |
Thank you for the solution and the lesson! |
|
Nothing worked for me, don't have time to dig for this problem for now, any short answer (flatseal didnt work on latest mint) with resteing also ? Thanks |
|
Remove your config, and start with a new database. |
|
I don't want to remove my bueatiful Mint configuration, nore my grpahic card ^^ |
Either via |
|
Same issue on Manjaro. Can someone who knows please confirm this is a bug and not a a feature? Is it something that will be addressed in an update -- or is the "solution" for users to manually enter |
I'm in the exact same situation as this one regarding to not having a No suggested solution makes it possible to run Signal on my end (changing the password store to basic asks me to delete my data). |
|
if someone gives me some clue id be happy to fix this issue. this is starting to prevent me from working. |
This worked to fix the immediate issue, the app now works as it did before. Thanks! |
|
My dad had this issue on his laptop a week ago. I sent him the troubleshooting instructions above. I'm not sure whether he tried it yet. Today after doing updates I got the same error on Fedora 40:
I followed the given instructions but the command I made a backup of the I had to link the laptop again now all conversations are gone. Yay ... 2024, the year of the Linux desktop! 👏👏👏 If anyone finds a solution to bring back my data using the backup or some other hack, let me know. |
|
I'm blaming Signal for this. |
Before resetting Signal, did you try starting with the password store set to gnome-libsecret? It's odd that your install would break this late, please post the output of |
I did I restored the backup now and tried this:
Now I get the error message telling me to contact Signal support:
That's probably because there is no key in the keystore, like I confirmed before using So I probably have to delete the Signal folder and all my messages again to get a working Signal desktop client? EDIT: Forgot the flatpak info output |
|
The update that causes the database to become unreadable hasn't been live for some time. I assume you launched Signal maybe once in the past week, or kept it running for a long time? Otherwise, yes, if the Signal entry is not in the keyring, and you don't have a config.json with the unencrypted key in it, you will need to start fresh without the conversation history. |
I kept it running for like three weeks. Today I updated the kernel and did a reboot and the issue showed up. My dad got the issue last week. I hope he has a Signal entry in his keyring because if I'm going to delete his Signal messages, he's probably never going to do an update on his laptop again. |
You can blame Signal for building their desktop app on Electron. You can blame Electron for relying on Chromium to render an app's front-end. And finally, you can blame Chromium for implementing the "wrong" libsecret API – and causing this whole mess. 😉 |
|
for me, i had to set SIGNAL_PASSWORD_STORE to basic and restore my config.json from a point in time where the key was unencrypted. then everything resumed to normal. |
despite the fact that this is free software and we have very little ground to complain or blame at all, i think it would have been in Signal's responsibility to test properly and frequently and work around/handle errors like that. if their framework breaks, it is still them building on it and since no end user has the choise of changing the framework, imho it would've been Signals responsibility to take action accordingly. imagine if something similar would have happened on windows, let alone android or iOS - Signal would be royally f**** by the sh*tstorm. they're just lucky, that the Linux desktop user base isn't that big. |
Ask him to run That should give you all the info you need to know if he has the bad update or not. If his key is already encrypted but Signal is still running, the key must be floating around somewhere in RAM, but I couldn't tell you how to get at it. |
|
The issue was not with Signal, who tested the update and as far as I know have not caused anything to break. The database issues are only present in the flatpak build (which is managed by volunteers) that got pushed to flathub. Maybe the snap build as well. salim-b tactfully left out a step. The broken update was merged to master almost immediately, which automatically pushes the update to flathub. There was only a window of about three hours where the change could be tested. The issue was reported just four hours later, but went basically ignored, and the broken commit was not reverted for two days. (edited for accuracy) This is fundamentally an issue with flathub, where changes can be merged very easily by whoever manages a package. Distro repositories usually have a slightly more involved process. For instance Fedora uses a karma system to determine whether updates can be published to stable or not. |
Fair. Merging #729 without more testing was a failure in hindsight. I guess the people involved felt some kind of urgency to act due to the accompanying media reports / social media drama.
Yeah, OTOH official distro packages are almost always horribly out-of-date and Flatpak and Flathub provide the right technology/infrastructure to overcome the Linux desktop app packaging fragmentation. IMHO, the real solution to the problem here would be Signal Foundation taking over maintainership of this Flatpak. |
|
I've been monitoring this issue since it happened to me. Regardless of the technicalities I mostly agree with the opinions recently expressed. Potentially losing all messages on a device is not good.
This is the kind of cynical sarcasm I enjoy and would have posted a similar message if I was feeling spicy. This is a bad look for Signal/Linux.
Yep would have probably lost users
Yes, it's cool that Signal is free. Signal is also free on iOS, MacOS, Windows, and Android. There are also a number of free alternatives that people might go to. It's already hard enough to convince people to switch to Signal. I recognize maintainers are probably frustrated that it happened and that people are piling on. If there's a postmortem I hope emotions can be left at the door and feedback like this will be considered. I'm a software developer, what can I do to help? Is it possible for people to donate to directly fund prevention of this in the future like adding tests etc ? |
PRs to this Flatpak are welcome AFAICT, so feel free to help out with this! I suppose it is quite a challenge to implement pairing of Signal Desktop with a main Signal app instance (Android/iOS; using some test account) in CI. And way too much to ask of volunteers IMHO.
That's the exact opposite of a solution to the packaging burden problem (and obviously would only work for Fedora users). See e.g. signalapp/Signal-Desktop#1630, you're not the first person requesting packaging for their favorite distro. |
|
Please keep this thread about the key storage and probable recovery issues. Or ideas on how to migrate moving forwards. |
|
I found a config.json with an encrypted key in my backup. Does this mean I can restore my messages somehow? {
"mediaPermissions": true,
"mediaCameraPermissions": true,
"encryptedKey": "<REDACTED>",
"safeStorageBackend": "gnome_libsecret"
} |
no, you need the unencrypted key version of the file, as i've stated earlier. |
Is there no way to just look at the existing entry without creating a new one? Or just decrypt it to switch back to the normal encryption? |
|
It is possible, but the surrounding Flatpak framework would not be responsible. It might be possible in Signal's code or any other layer between Signal and Flatpak that interacts with the keyring (Electron, Chromium, etc.). I would not dare introduce logic that checks all keyring entries—imagine the headline: Signal reads all your passwords. |
It has nothing to do with "the (year of the) Linux desktop" (which has been here for 10+ years), and everything to do with "3rd party |
|
Please stay on topic and leave angry and troll messages to yourself. This is not the right place. |
Signal was responsible for creating that entry, right? Why not some logic that only searches for that entry in particular? Anyways, it's probably not worth the effort but it'd be worthwhile for those stuck in this weird state to have a manual script like @minosimo created above (but to the effect of switching back to basic rather than creating a new keyring entry with the right label) |
|
I tried to pipe the existing entry password to a new one with the right $ secret-tool lookup app_id org.signal.Signal | secret-tool store --label='Chromium Safe Storage' application Signal
secret-tool: password not valid UTF-8 |
and others
For some reason, despite not having made any major updates on my OS (Fedora Workstation 40), I now get this message when trying to open Signal:
Database startup error:
Any idea why this is happening? I've tried opening signal through the terminal with --password-store=gnome-libsecret and --password-store=basic-text. Passing gnome-libsecret as the argument for the command gives me a similar error, but it gives me the option of deleting the database and restarting signal, which I don't want to have to resort to.
The text was updated successfully, but these errors were encountered: