(Unencrypted?) sqlcipher key not found in Signal config file #133

Open
pro-sumer opened this issue Jul 26, 2024 · 30 comments
@pro-sumer

Desktop:

  • OS and version: macOS Sonoma 14.5
  • Terminal/shell used: iTerm 2 3.5.3, zsh 5.9

Describe the bug

KeyError: 'key'

for this fragment:

│    75 │   # Read sqlcipher key from Signal config file                                           │
│    76 │   if source.is_file():                                                                   │
│    77 │   │   with open(source, encoding="utf-8") as conf:                                       │
│ ❱  78 │   │   │   key = json.loads(conf.read())["key"]                                           │
│    79 │   else:                                                                                  │
│    80 │   │   secho(f"Error: {source} not found in directory {src}")                             │
│    81 │   │   raise Exit(code=1)

That error seems correct, as this is the entire contents of ~/Library/Application Support/Signal/config.json:

{
  "encryptedKey": "..."
}

Probably related to this?

https://www.bleepingcomputer.com/news/security/signal-downplays-encryption-key-flaw-fixes-it-after-x-drama/

To reproduce
Steps to reproduce the behavior. Please include the exact commands tried.

  1. sigexport --no-use-docker output
@huyz

huyz commented Jul 26, 2024

Uh oh, has it happened yet? I was wondering when this would break due to Elon lol

@carderne
Owner

Thanks for sharing the link, useful read!

Here's a relevant issue:
signalapp/Signal-Desktop#6944

Seems like we can temporarily get around this by just using that key directly? Or maybe not, will need to do some experimenting.

Can't promise I'll get to this very quickly, and it's possible this will ultimately require much more work to keep this tool working... Maybe Signal will finally create their own backup solution now...

@carderne
Owner

Tried just using encryptedKey but that doesn't solve it (I thought from a brief skim that they might just be temporarily storing the regular key under that name).

Seems like this will need a bigger fix.

README updated to indicate that this tool won't work until this is fixed.

@pro-sumer
Author

This issue (and the corresponding commit) may help:

tbvdm/sigtop#48

(Explains how to get the unencrypted key)

PS: Have not tried it myself (yet)

@carderne
Owner

People reading this thread:
How important is it for signal-export to continue to exist, given that sigtop also exists? Does signal-export have some important features that the other tool lacks?

Will be happy to get this working but also happy to just point people to an alternative if it’s just as good/better. The fact that it’s written in Go (and not dependent on pysqlcipher) seems like it should make installation a lot easier for most people.

@pro-sumer
Author

pro-sumer commented Jul 28, 2024

tbvdm/sigtop#48

Workaround using that info (on macOS):

  1. Run security find-generic-password -ws "Signal Safe Storage" to get the password
  2. Put that on line 15 of the POC (mentioned there) and run that script
  3. Copy the output (without the prefix 0x) and put it as the value for key key in Signal's config.json
  4. sigexport works again 🎉

Important note: storing the password/key on your filesystem is unsafe!

I suggest using 1Password's CLI inject command instead.

@lisdude

lisdude commented Jul 28, 2024

People reading this thread: How important is it for signal-export to continue to exist, given that sigtop also exists? Does signal-export have some important features that the other tool lacks?

I just casually tried sigtop, so I'm no expert, but the things I immediately noticed:

  • It doesn't seem to do HTML output. (And, as such, has no paginated output option.)
  • It doesn't do markdown output. (So no inline images.)
  • It doesn't keep track of attachments. In the output text files, attachments are all displayed as [1 attachment] making it impossible to know what the file actually was for any given message.

@huyz

huyz commented Jul 28, 2024

@carderne I'm happy with signal-export. Not looking to move to anything else if I can help it.

@huyz

huyz commented Jul 28, 2024

@pro-sumer Thanks, that worked for me. Back in business.

Btw, for that POC, you'll need to pip install pycryptodome

@carderne
Owner

Ok will incorporate that POC into signal-export when I have a bit of time.

@carderne
Owner

Decryption should now work automatically on macOS. You'll be prompted by the security tool to enter your password.

If anyone shares the equivalent for Linux/WSL I can add that too.

Commit: f3c6e18

Release: v2.4.0

@huyz

huyz commented Jul 29, 2024

@carderne thanks so much man!

@maxhbr

maxhbr commented Aug 5, 2024

People reading this thread:
How important is it for signal-export to continue to exist, given that sigtop also exists? Does signal-export have some important features that the other tool lacks?

I built something that is fun for me based on that tool (I generate a book out of the conversation that I had with one person) and I am already very thankful that the tool worked until now. Thanks a lot for it!

Right now I am trying to package v3.0.1 for Nix in the hope to get it working again.

@carderne
Owner

carderne commented Aug 5, 2024

Should be working fine on Linux and macOS. Not likely to put the effort in for Windows any time soon. (But I can give pointers for anyone who’d like to contribute!)

@ProactiveServices

People reading this thread: How important is it for signal-export to continue to exist, given that sigtop also exists? Does signal-export have some important features that the other tool lacks?

Will be happy to get this working but also happy to just point people to an alternative if it’s just as good/better. The fact that it’s written in Go (and not dependent on pysqlcipher) seems like it should make installation a lot easier for most people.

Installation of sigexport here was really easy on Linux. If you're game to keep this working I'm happy to stick with it :-)

@yelworc

yelworc commented Aug 10, 2024

Many thanks for maintaining this, @carderne! I'm definitely happy this tool exists, and using it on a regular basis 🙂

The export is working for me with v3.0.2 on Debian 11, as far as text messages are concerned (maybe helpful for others: libsecret-tools is the apt package that contains secret-tool).

Is the key unlocked via --password used while decrypting media files as well? These files are exported with plausible-looking file sizes here, but they all seem to consist of random garbage data.

@carderne
Owner

@yelworc
Oh damn... didn't even realise the media files were also encrypted, unless that was a subsequent change...

Will need to figure out how to decrypt them.

@carderne
Owner

Seems relatively straightforward:
https://github.com/tbvdm/sigtop/blob/2b9a0f94a6fc481434a8b7c95df019acbe06520f/signal/attachment.go#L120

@jathri

jathri commented Aug 11, 2024

Hello, will this work using Ubuntu (or other linux) subsystem in windows?

@carderne
Owner

@jathri I'm honestly not sure how the secret is stored on WSL... since there's no Gnome there's probably no Gnome keychain stuff. You might be better off trying sigtop.

@carderne
Owner

@yelworc
Decrypting files is now supported via commit 3111deb released in v3.1.0

@outpoints

Is there any way to migrate a Signal install from one machine to another using this tool?
I had to decrypt the database last time I moved from Windows to Arch.

@carderne
Owner

@outpoints please start a new thread if you have a separate issue. But to answer your question no this tool wouldn’t help in its current form.

@yelworc

yelworc commented Aug 17, 2024

Decrypting files is now supported via commit 3111deb released in v3.1.0

@carderne awesome! Confirming: Worked without a hitch for my ~6.5GB archive with lots of files in 1:1 chats and groups over multiple years. Let me buy you a beer (or tea 🙂)!

@ExecutiveCodingProducer

How important is it for signal-export to continue to exist, given that sigtop also exists? Does signal-export have some important features that the other tool lacks?

I really appreciate your work, sigexport has been a great tool for me during the past months. Given the issues about sigtop which have been pointed out by @lisdude I would be happy if you will continue the work on sigexport.

@belamu

belamu commented Oct 8, 2024

@yelworc Decrypting files is now supported via commit 3111deb released in v3.1.0

Thanks a lot!
I could not figure out how to decrypt the key though.
I am on KDE Fedora. There are commands called secret-tool, kwallet-query, kwalletd6, kwalletmanager5 but none contained any suitable information about Signal.
In case you know a general way that works for Electron on all platforms, that would be great to include in the error message about the encrypted key.

Update 1:
in the config.json it includes the information "safeStorageBackend": "kwallet6"

Update 2:
I installed sigtop, ran the sigtop export-key command, got a key that I then found in the KWalletManager under Chromium Keys > Passwords > Chromium Safe Storage

Update 3: I was able to retrieve this key also programmatically with the command kwallet-query kdewallet -f 'Chromium Keys' -r 'Chromium Safe Storage'

So my entire backup command (with snap installation) is

sigexport --source "${HOME}"/snap/signal-desktop/current/.config/Signal/ "${EXPORTDIR}" --paginate 0 --password="$(kwallet-query kdewallet -f 'Chromium Keys' -r 'Chromium Safe Storage')"
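
Added example, not part of the thread or of signal-export's code: a stdlib-only check of the config.json states seen in this thread. It reports whether the sqlcipher key sits in plaintext under key (as it does after the manual workaround), is wrapped under encryptedKey, or is absent, instead of failing with KeyError. The names classify_config, HINTS and write_sample are hypothetical, the sample configs are constructed, and falling back to the platform name when safeStorageBackend is missing is an assumption.

```python
import json
import os
import stat
import sys
import tempfile
from pathlib import Path

# Lookup commands quoted from this thread; any other backend gets no hint.
HINTS = {
    "darwin": 'security find-generic-password -ws "Signal Safe Storage"',
    "kwallet6": "kwallet-query kdewallet -f 'Chromium Keys' -r 'Chromium Safe Storage'",
}

def classify_config(path, platform=sys.platform):
    """Return (state, findings) for a Signal Desktop config.json."""
    path = Path(path)
    try:
        conf = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError) as exc:
        return "unreadable", [f"cannot parse {path}: {exc}"]
    if not isinstance(conf, dict):
        return "unreadable", ["top-level JSON value is not an object"]
    findings = []
    has_plain, has_enc = bool(conf.get("key")), bool(conf.get("encryptedKey"))
    if not (has_plain or has_enc):
        return "missing", ["neither 'key' nor 'encryptedKey' present"]
    if has_plain:
        findings.append("plaintext sqlcipher key stored on disk")
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(f"file mode {mode:o} lets other users read the key")
    if has_enc:
        # Assumption: without a safeStorageBackend field, use the platform name.
        backend = conf.get("safeStorageBackend") or platform
        hint = HINTS.get(backend)
        findings.append(f"wrapped key; password via: {hint}" if hint
                        else f"wrapped key; no lookup known for backend {backend!r}")
    state = "both" if has_plain and has_enc else "plaintext" if has_plain else "encrypted"
    return state, findings

def write_sample(doc, mode=0o600):  # constructed config -> temp file path
    fd, name = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(doc, fh)
    os.chmod(name, mode)
    return name

if __name__ == "__main__":
    sample = write_sample({"encryptedKey": "00ff", "safeStorageBackend": "kwallet6"})
    print(classify_config(sample))
```

A "both" or "plaintext" result after using the manual workaround means the unwrapped key is still in config.json and should be removed once the export is done.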

@carderne
Owner

carderne commented Oct 9, 2024

Well done figuring that out. Happy to have a PR to the README if you think you can describe relatively repeatable steps to use on KDE...

@jathri

jathri commented Oct 14, 2024

Yet another alternative (only thing that currently works for me):
https://github.com/bepaald/signalbackup-tools

Very nice html export (from android backup file).

@coppolab

People reading this thread: How important is it for signal-export to continue to exist, given that sigtop also exists?

Definitely and happily using signal-export on Mac/iPhone, I recommend keeping the project going!

@belamu

belamu commented Nov 26, 2024

The original issue is solved as far as I see it. So I propose to close the issue.
Or is it open due to media files? I didn't notice it at least.
