Signature upload failure (no MSK found) when trying to cross-sign over federation

[ara4n]

I tried to cross-sign @matthewtest:arasphere.net from @matthew:matrix.org from riot/web develop to riot/web develop. It failed with:

despite matthewtest having cross-signing set up:

[jryans]

@ara4n What version of Synapse is on arasphere.net now? Also, do you know what version was present there when @matthewtest:arasphere.net set up cross-signing?

[bwindels]

Interesting... also since matrix-org/matrix-react-sdk@29af8ad we should fall back to legacy verification when the other user doesn't have cross-signing keys uploaded yet. Perhaps we don't disable signature upload for legacy verification?

[dbkr]

What's happening here is that the cross-signing keys from the older server get through to the newer one but then, at some later point (for me, when the user on the older server joins the room) the device on the newer server gets a cross-signing keys update with all 3 keys undefined. It seems like this is actually the server deciding the other user doesn't have cross-signing keys after all, but the device doesn't recognise this because it only replaces keys that are truthy in the object that it gets.

Synapse sends an object with 'undefined' as the value for keys that aren't included in the update (which it probably shouldn't) but this means we can't unset any key that's undefined.

[dbkr]

Actually I think this is at least party due to an error affecting worker-ised synapses where it fails to write updates to cross-signing keys when updates come in via EDUs.

[dbkr]

Filed on synapse: matrix-org/synapse#7252

[dbkr]

Update: one cause of this bug is now fixed, but there is another. I think 7252 would have affected anyone with existing accounts & rooms who added a device or cross-signing key, but I think 7276 will affect federated user IDs that no user on a server previously shared a room with (eg. if you crate two brand new accounts on different servers & try to verify them).

[dbkr]

Fixed in synapse now