Make signature verification non-fatal for Drive operations #8
Open
cnighswonger wants to merge 1 commit into rclone:master from
After enabling 2FA on a Proton account, address keys are rotated. Existing Drive data (folders, files, shares) was signed with the old keys, so VerifyDetached and Decrypt-with-verification calls fail with "Signature Verification Error: No matching signature". The data itself is still decryptable — only the signature binding to a specific address key is broken.

This patch makes signature verification best-effort across all Drive-related operations:
- Link.GetName: fall back to Decrypt without verification keyring
- Link.GetKeyRing: VerifyDetached result is ignored
- Link.GetHashKey: fall back to Decrypt without verification
- Link.GetSessionKey: VerifyDetached result is ignored
- Share.GetKeyRing: VerifyDetached result is ignored
- RevisionMetadata.GetDecXAttrString: fall back to Decrypt without verification
- Revision.GetDecXAttrString: same fallback

This does not weaken encryption — data is still decrypted with the correct node/share keys. It only relaxes the check that the data was signed by a specific address key, which is a metadata integrity check that breaks on legitimate key rotation events.

Fixes rclone/rclone#8003
Fixes rclone/rclone#7344

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
VerifyDetached and Decrypt-with-verification calls to fail with "No matching signature"
Affected functions
- Link.GetName: Decrypt without verification keyring
- Link.GetKeyRing: VerifyDetached result ignored
- Link.GetHashKey: Decrypt without verification
- Link.GetSessionKey: VerifyDetached result ignored
- Share.GetKeyRing: VerifyDetached result ignored
- RevisionMetadata.GetDecXAttrString: Decrypt without verification
- Revision.GetDecXAttrString: Decrypt without verification
Motivation
This fixes a class of hard failures that affect real users:
@proton.me vs @protonmail.com) can cause signature email mismatches
These are legitimate account operations that should not make existing Drive data inaccessible. The Proton web client handles this gracefully; rclone should too.
Companion PR: rclone/Proton-API-Bridge#6
Fixes rclone/rclone#8003, rclone/rclone#7344
Test plan
🤖 Generated with Claude Code
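
The difference between a fatal and a best-effort signature check after key rotation, as an added example that is not code from this PR or from rclone. It assumes Ed25519 from the Go standard library in place of OpenPGP detached signatures and leaves decryption out; `Open`, `Result`, `Scenario`, `ErrNoMatchingSignature`, the keys and the file name are all constructed for illustration. Instead of discarding the check, it returns the verification outcome with the data so a caller can log or display that the data is unverified.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// ErrNoMatchingSignature stands for the "No matching signature" failure (hypothetical name).
var ErrNoMatchingSignature = errors.New("no matching signature")

// Result keeps the verification outcome next to the data so a non-fatal failure stays visible.
type Result struct {
	Data      []byte
	Verified  bool
	VerifyErr error
}

// Open verifies sig against keyring; a mismatch is fatal only when strict is true.
func Open(keyring []ed25519.PublicKey, data, sig []byte, strict bool) (Result, error) {
	err := ErrNoMatchingSignature
	for _, k := range keyring {
		if ed25519.Verify(k, data, sig) {
			err = nil
		}
	}
	if err != nil && strict {
		return Result{}, err
	}
	return Result{Data: data, Verified: err == nil, VerifyErr: err}, nil
}

// Scenario signs a constructed name with the old key, then opens it before or after rotation.
func Scenario(rotated, strict bool) (Result, error) {
	oldKey := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, ed25519.SeedSize))
	newKey := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{2}, ed25519.SeedSize))
	name := []byte("report.pdf")
	sig := ed25519.Sign(oldKey, name)
	current := oldKey
	if rotated {
		current = newKey
	}
	return Open([]ed25519.PublicKey{current.Public().(ed25519.PublicKey)}, name, sig, strict)
}

func main() {
	r, err := Scenario(true, false)
	fmt.Println(r.Verified, string(r.Data), r.VerifyErr, err)
}
```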