Linux: Detect changes in safeStorage backend
Co-authored-by: Fedor Indutny <79877362+indutny-signal@users.noreply.github.com>
This commit is contained in:
parent
233a18bc81
commit
16864e381a
4 changed files with 107 additions and 10 deletions
|
@ -131,6 +131,14 @@
|
||||||
"messageformat": "Recover data",
|
"messageformat": "Recover data",
|
||||||
"description": "(Deleted 2024/07/11) Text of a button shown in a popup if the database cannot start up properly; allows user to attempt data recovery of their database"
|
"description": "(Deleted 2024/07/11) Text of a button shown in a popup if the database cannot start up properly; allows user to attempt data recovery of their database"
|
||||||
},
|
},
|
||||||
|
"icu:databaseError__safeStorageBackendChange": {
|
||||||
|
"messageformat": "Unable to access the database encryption key because the OS encryption keyring backend has changed from {previousBackend} to {currentBackend}. This can occur if the desktop environment changes, for example between GNOME and KDE.\n\nPlease switch to the previous desktop environment.",
|
||||||
|
"description": "On Linux, text in a popup shown if the app cannot start because the system's keyring encryption backend has changed. Example values: previousBackend=gnome_libsecret, currentBackend=kwallet5"
|
||||||
|
},
|
||||||
|
"icu:databaseError__safeStorageBackendChangeWithPreviousFlag": {
|
||||||
|
"messageformat": "Unable to access the database encryption key because the OS encryption keyring backend has changed from {previousBackend} to {currentBackend}. This can occur if the desktop environment changes, for example between GNOME and KDE.\n\nPlease switch to the previous desktop environment or try to run signal with the command line flag --password-store=\"{previousBackendFlag}\"",
|
||||||
|
"description": "On Linux, text in a popup shown if the app cannot start because the system's keyring encryption backend has changed. We suggest a command line flag they can use to recover the app. Example values: previousBackend=gnome_libsecret, currentBackend=kwallet5, previousBackendFlag: gnome-libsecret"
|
||||||
|
},
|
||||||
"icu:mainMenuFile": {
|
"icu:mainMenuFile": {
|
||||||
"messageformat": "&File",
|
"messageformat": "&File",
|
||||||
"description": "The label that is used for the File menu in the program main menu. The '&' indicates that the following letter will be used as the keyboard 'shortcut letter' for accessing the menu with the Alt-<letter> combination."
|
"description": "The label that is used for the File menu in the program main menu. The '&' indicates that the following letter will be used as the keyboard 'shortcut letter' for accessing the menu with the Alt-<letter> combination."
|
||||||
|
|
74
app/main.ts
74
app/main.ts
|
@ -122,6 +122,9 @@ import type { ParsedSignalRoute } from '../ts/util/signalRoutes';
|
||||||
import { parseSignalRoute } from '../ts/util/signalRoutes';
|
import { parseSignalRoute } from '../ts/util/signalRoutes';
|
||||||
import * as dns from '../ts/util/dns';
|
import * as dns from '../ts/util/dns';
|
||||||
import { ZoomFactorService } from '../ts/services/ZoomFactorService';
|
import { ZoomFactorService } from '../ts/services/ZoomFactorService';
|
||||||
|
import { SafeStorageBackendChangeError } from '../ts/types/SafeStorageBackendChangeError';
|
||||||
|
import { LINUX_PASSWORD_STORE_FLAGS } from '../ts/util/linuxPasswordStoreFlags';
|
||||||
|
import { getOwn } from '../ts/util/getOwn';
|
||||||
|
|
||||||
const animationSettings = systemPreferences.getAnimationSettings();
|
const animationSettings = systemPreferences.getAnimationSettings();
|
||||||
|
|
||||||
|
@ -1600,7 +1603,7 @@ const runSQLCorruptionHandler = async () => {
|
||||||
`Restarting the application immediately. Error: ${error.message}`
|
`Restarting the application immediately. Error: ${error.message}`
|
||||||
);
|
);
|
||||||
|
|
||||||
await onDatabaseError(Errors.toLogFormat(error));
|
await onDatabaseError(error);
|
||||||
};
|
};
|
||||||
|
|
||||||
const runSQLReadonlyHandler = async () => {
|
const runSQLReadonlyHandler = async () => {
|
||||||
|
@ -1627,12 +1630,35 @@ function generateSQLKey(): string {
|
||||||
|
|
||||||
function getSQLKey(): string {
|
function getSQLKey(): string {
|
||||||
let update = false;
|
let update = false;
|
||||||
|
const isLinux = OS.isLinux();
|
||||||
const legacyKeyValue = userConfig.get('key');
|
const legacyKeyValue = userConfig.get('key');
|
||||||
const modernKeyValue = userConfig.get('encryptedKey');
|
const modernKeyValue = userConfig.get('encryptedKey');
|
||||||
|
const previousBackend = isLinux
|
||||||
|
? userConfig.get('safeStorageBackend')
|
||||||
|
: undefined;
|
||||||
|
|
||||||
|
const safeStorageBackend: string | undefined = isLinux
|
||||||
|
? safeStorage.getSelectedStorageBackend()
|
||||||
|
: undefined;
|
||||||
const isEncryptionAvailable =
|
const isEncryptionAvailable =
|
||||||
safeStorage.isEncryptionAvailable() &&
|
safeStorage.isEncryptionAvailable() &&
|
||||||
(!OS.isLinux() || safeStorage.getSelectedStorageBackend() !== 'basic_text');
|
(!isLinux || safeStorageBackend !== 'basic_text');
|
||||||
|
|
||||||
|
// On Linux the backend can change based on desktop environment and command line flags.
|
||||||
|
// If the backend changes we won't be able to decrypt the key.
|
||||||
|
if (
|
||||||
|
isLinux &&
|
||||||
|
typeof previousBackend === 'string' &&
|
||||||
|
previousBackend !== safeStorageBackend
|
||||||
|
) {
|
||||||
|
console.error(
|
||||||
|
`Detected change in safeStorage backend, can't decrypt DB key (previous: ${previousBackend}, current: ${safeStorageBackend})`
|
||||||
|
);
|
||||||
|
throw new SafeStorageBackendChangeError({
|
||||||
|
currentBackend: String(safeStorageBackend),
|
||||||
|
previousBackend,
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
let key: string;
|
let key: string;
|
||||||
if (typeof modernKeyValue === 'string') {
|
if (typeof modernKeyValue === 'string') {
|
||||||
|
@ -1648,6 +1674,13 @@ function getSQLKey(): string {
|
||||||
getLogger().info('getSQLKey: removing legacy key');
|
getLogger().info('getSQLKey: removing legacy key');
|
||||||
userConfig.set('key', undefined);
|
userConfig.set('key', undefined);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (isLinux && previousBackend == null) {
|
||||||
|
getLogger().info(
|
||||||
|
`getSQLKey: saving safeStorageBackend: ${safeStorageBackend}`
|
||||||
|
);
|
||||||
|
userConfig.set('safeStorageBackend', safeStorageBackend);
|
||||||
|
}
|
||||||
} else if (typeof legacyKeyValue === 'string') {
|
} else if (typeof legacyKeyValue === 'string') {
|
||||||
key = legacyKeyValue;
|
key = legacyKeyValue;
|
||||||
update = isEncryptionAvailable;
|
update = isEncryptionAvailable;
|
||||||
|
@ -1671,6 +1704,13 @@ function getSQLKey(): string {
|
||||||
const encrypted = safeStorage.encryptString(key).toString('hex');
|
const encrypted = safeStorage.encryptString(key).toString('hex');
|
||||||
userConfig.set('encryptedKey', encrypted);
|
userConfig.set('encryptedKey', encrypted);
|
||||||
userConfig.set('key', undefined);
|
userConfig.set('key', undefined);
|
||||||
|
|
||||||
|
if (isLinux && safeStorageBackend) {
|
||||||
|
getLogger().info(
|
||||||
|
`getSQLKey: saving safeStorageBackend: ${safeStorageBackend}`
|
||||||
|
);
|
||||||
|
userConfig.set('safeStorageBackend', safeStorageBackend);
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
getLogger().info('getSQLKey: updating plaintext key in the config');
|
getLogger().info('getSQLKey: updating plaintext key in the config');
|
||||||
userConfig.set('key', key);
|
userConfig.set('key', key);
|
||||||
|
@ -1740,7 +1780,7 @@ async function initializeSQL(
|
||||||
return { ok: true, error: undefined };
|
return { ok: true, error: undefined };
|
||||||
}
|
}
|
||||||
|
|
||||||
const onDatabaseError = async (error: string) => {
|
const onDatabaseError = async (error: Error) => {
|
||||||
// Prevent window from re-opening
|
// Prevent window from re-opening
|
||||||
ready = false;
|
ready = false;
|
||||||
|
|
||||||
|
@ -1758,11 +1798,27 @@ const onDatabaseError = async (error: string) => {
|
||||||
const copyErrorAndQuitButtonIndex = 0;
|
const copyErrorAndQuitButtonIndex = 0;
|
||||||
const SIGNAL_SUPPORT_LINK = 'https://support.signal.org/error';
|
const SIGNAL_SUPPORT_LINK = 'https://support.signal.org/error';
|
||||||
|
|
||||||
if (error.includes(DBVersionFromFutureError.name)) {
|
if (error instanceof DBVersionFromFutureError) {
|
||||||
// If the DB version is too new, the user likely opened an older version of Signal,
|
// If the DB version is too new, the user likely opened an older version of Signal,
|
||||||
// and they would almost never want to delete their data as a result, so we don't show
|
// and they would almost never want to delete their data as a result, so we don't show
|
||||||
// that option
|
// that option
|
||||||
messageDetail = i18n('icu:databaseError__startOldVersion');
|
messageDetail = i18n('icu:databaseError__startOldVersion');
|
||||||
|
} else if (error instanceof SafeStorageBackendChangeError) {
|
||||||
|
const { currentBackend, previousBackend } = error;
|
||||||
|
const previousBackendFlag = getOwn(
|
||||||
|
LINUX_PASSWORD_STORE_FLAGS,
|
||||||
|
previousBackend
|
||||||
|
);
|
||||||
|
messageDetail = previousBackendFlag
|
||||||
|
? i18n('icu:databaseError__safeStorageBackendChangeWithPreviousFlag', {
|
||||||
|
currentBackend,
|
||||||
|
previousBackend,
|
||||||
|
previousBackendFlag,
|
||||||
|
})
|
||||||
|
: i18n('icu:databaseError__safeStorageBackendChange', {
|
||||||
|
currentBackend,
|
||||||
|
previousBackend,
|
||||||
|
});
|
||||||
} else {
|
} else {
|
||||||
// Otherwise, this is some other kind of DB error, let's give them the option to
|
// Otherwise, this is some other kind of DB error, let's give them the option to
|
||||||
// delete.
|
// delete.
|
||||||
|
@ -1787,7 +1843,9 @@ const onDatabaseError = async (error: string) => {
|
||||||
});
|
});
|
||||||
|
|
||||||
if (buttonIndex === copyErrorAndQuitButtonIndex) {
|
if (buttonIndex === copyErrorAndQuitButtonIndex) {
|
||||||
clipboard.writeText(`Database startup error:\n\n${redactAll(error)}`);
|
clipboard.writeText(
|
||||||
|
`Database startup error:\n\n${redactAll(Errors.toLogFormat(error))}`
|
||||||
|
);
|
||||||
} else if (
|
} else if (
|
||||||
typeof deleteAllDataButtonIndex === 'number' &&
|
typeof deleteAllDataButtonIndex === 'number' &&
|
||||||
buttonIndex === deleteAllDataButtonIndex
|
buttonIndex === deleteAllDataButtonIndex
|
||||||
|
@ -1827,10 +1885,6 @@ let sqlInitPromise:
|
||||||
| Promise<{ ok: true; error: undefined } | { ok: false; error: Error }>
|
| Promise<{ ok: true; error: undefined } | { ok: false; error: Error }>
|
||||||
| undefined;
|
| undefined;
|
||||||
|
|
||||||
ipc.on('database-error', (_event: Electron.Event, error: string) => {
|
|
||||||
drop(onDatabaseError(error));
|
|
||||||
});
|
|
||||||
|
|
||||||
ipc.on('database-readonly', (_event: Electron.Event, error: string) => {
|
ipc.on('database-readonly', (_event: Electron.Event, error: string) => {
|
||||||
// Just let global_errors.ts handle it
|
// Just let global_errors.ts handle it
|
||||||
throw new Error(error);
|
throw new Error(error);
|
||||||
|
@ -2171,7 +2225,7 @@ app.on('ready', async () => {
|
||||||
if (sqlError) {
|
if (sqlError) {
|
||||||
getLogger().error('sql.initialize was unsuccessful; returning early');
|
getLogger().error('sql.initialize was unsuccessful; returning early');
|
||||||
|
|
||||||
await onDatabaseError(Errors.toLogFormat(sqlError));
|
await onDatabaseError(sqlError);
|
||||||
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
24
ts/types/SafeStorageBackendChangeError.ts
Normal file
24
ts/types/SafeStorageBackendChangeError.ts
Normal file
|
@ -0,0 +1,24 @@
|
||||||
|
// Copyright 2024 Signal Messenger, LLC
|
||||||
|
// SPDX-License-Identifier: AGPL-3.0-only
|
||||||
|
|
||||||
|
export class SafeStorageBackendChangeError extends Error {
|
||||||
|
override name = 'SafeStorageBackendChangeError';
|
||||||
|
|
||||||
|
public readonly currentBackend: string;
|
||||||
|
public readonly previousBackend: string;
|
||||||
|
|
||||||
|
constructor({
|
||||||
|
currentBackend,
|
||||||
|
previousBackend,
|
||||||
|
}: {
|
||||||
|
currentBackend: string;
|
||||||
|
previousBackend: string;
|
||||||
|
}) {
|
||||||
|
super(
|
||||||
|
`Detected change in safeStorage backend, can't decrypt DB key (previous: ${previousBackend}, current: ${currentBackend})`
|
||||||
|
);
|
||||||
|
|
||||||
|
this.currentBackend = currentBackend;
|
||||||
|
this.previousBackend = previousBackend;
|
||||||
|
}
|
||||||
|
}
|
11
ts/util/linuxPasswordStoreFlags.ts
Normal file
11
ts/util/linuxPasswordStoreFlags.ts
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
// Copyright 2024 Signal Messenger, LLC
|
||||||
|
// SPDX-License-Identifier: AGPL-3.0-only
|
||||||
|
|
||||||
|
// Mapping of safeStorage backends to flags used to activate them.
|
||||||
|
// See https://www.electronjs.org/docs/latest/api/safe-storage
|
||||||
|
export const LINUX_PASSWORD_STORE_FLAGS: Record<string, string> = {
|
||||||
|
basic_text: 'basic',
|
||||||
|
gnome_libsecret: 'gnome-libsecret',
|
||||||
|
kwallet: 'kwallet',
|
||||||
|
kwallet5: 'kwallet5',
|
||||||
|
};
|
Loading…
Reference in a new issue