carderne / signal-export

Export your Signal chats to markdown files with attachments

(Unencrypted?) sqlcipher key not found in Signal config file #133

Open pro-sumer opened 2 months ago

pro-sumer commented 2 months ago

Desktop:

Describe the bug

KeyError: 'key'

for this fragment:

    75   # Read sqlcipher key from Signal config file
    76   if source.is_file():
    77       with open(source, encoding="utf-8") as conf:
  ❱ 78           key = json.loads(conf.read())["key"]
    79   else:
    80       secho(f"Error: {source} not found in directory {src}")
    81       raise Exit(code=1)

That error seems correct, as this is the entire contents of ~/Library/Application Support/Signal/config.json:

{
  "encryptedKey": "..."
}

Probably related to this?

https://www.bleepingcomputer.com/news/security/signal-downplays-encryption-key-flaw-fixes-it-after-x-drama/

To reproduce

Steps to reproduce the behavior. Please include the exact commands tried.

  1. sigexport --no-use-docker output

huyz commented 2 months ago

Uh oh, has it happened yet? I was wondering when this would break due to Elon lol

carderne commented 2 months ago

Thanks for sharing the link, useful read!

Here's a relevant issue: https://github.com/signalapp/Signal-Desktop/issues/6944

Seems like we can temporarily get around this by just using that key directly? Or maybe not, will need to do some experimenting.

Can't promise I'll get to this very quickly, and it's possible this will ultimately require much more work to keep this tool working... Maybe Signal will finally create their own backup solution now...

carderne commented 2 months ago

Tried just using encryptedKey but that doesn't solve it (I thought from a brief skim that they might just be temporarily storing the regular key under that name).

Seems like this will need a bigger fix.

README updated to indicate that this tool won't work until this is fixed.

pro-sumer commented 2 months ago

This issue (and the corresponding commit) may help:

https://github.com/tbvdm/sigtop/issues/48

(Explains how to get the unencrypted key)

PS: Have not tried it myself (yet)

carderne commented 2 months ago

People reading this thread: How important is it for signal-export to continue to exist, given that sigtop also exists? Does signal-export have some important features that the other tool lacks?

Will be happy to get this working but also happy to just point people to an alternative if it’s just as good/better. The fact that it’s written in Go (and not dependent on pysqlcipher) seems like it should make installation a lot easier for most people.

pro-sumer commented 2 months ago

tbvdm/sigtop#48

Workaround using that info (on macOS):

  1. Run security find-generic-password -ws "Signal Safe Storage" to get the password
  2. Put that on line 15 of the POC (mentioned there) and run that script
  3. Copy the output (without the prefix 0x) and put it as the value for key key in Signal's config.json
  4. sigexport works again 🎉

Important note: storing the password/key on your filesystem is unsafe!

I suggest using 1Password's CLI inject command instead.
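Added example, not part of the thread and not signal-export's own code: a small check that reads config.json without the KeyError from the original report and flags the unsafe state the workaround above leaves behind (a plaintext `key` on disk). The names `audit_signal_config` and `demo` are hypothetical; the JSON keys `key`, `encryptedKey` and `safeStorageBackend` are the ones quoted in this thread, and the sample values are constructed placeholders.

```python
import json
import stat
import tempfile
from pathlib import Path


def audit_signal_config(path):
    """Return (state, findings) describing how config.json stores the DB key."""
    path = Path(path)
    try:
        conf = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError) as exc:  # missing file, bad JSON, bad encoding
        return "unreadable", [f"cannot read {path.name}: {exc}"]
    if not isinstance(conf, dict):
        return "unreadable", [f"{path.name} is not a JSON object"]
    plain, enc = conf.get("key"), conf.get("encryptedKey")  # .get avoids KeyError
    findings = []
    if plain:
        findings.append("plaintext sqlcipher key is stored on disk")
        if str(plain).lower().startswith("0x"):  # step 3 of the workaround
            findings.append("'key' still carries the 0x prefix; strip it")
        if stat.S_IMODE(path.stat().st_mode) & 0o077:  # any group/other bits set
            findings.append("file is accessible to group/other; chmod 600")
    if enc:
        backend = conf.get("safeStorageBackend", "not recorded")
        findings.append(f"encryptedKey present, safeStorageBackend: {backend}")
    if plain and enc:
        findings.append("remove 'key' again once the export has finished")
        return "both", findings
    if not (plain or enc):
        return "missing", ["neither 'key' nor 'encryptedKey' found"]
    return ("plaintext" if plain else "encrypted"), findings


def demo():
    """Run the audit over constructed config files written to a temp dir."""
    samples = {  # constructed sample values, not real keys
        "new": {"encryptedKey": "CONSTRUCTED", "safeStorageBackend": "kwallet6"},
        "workaround": {"encryptedKey": "CONSTRUCTED", "key": "0xCONSTRUCTED"},
        "empty": {},
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, conf in samples.items():
            cfg = Path(tmp) / f"{name}.json"
            cfg.write_text(json.dumps(conf), encoding="utf-8")
            cfg.chmod(0o644)  # world-readable on purpose, to trigger the finding
            results[name] = audit_signal_config(cfg)
    return results
```
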

lisdude commented 2 months ago

People reading this thread: How important is it for signal-export to continue to exist, given that sigtop also exists? Does signal-export have some important features that the other tool lacks?

I just casually tried sigtop, so I'm no expert, but the things I immediately noticed:

huyz commented 2 months ago

@carderne I'm happy with signal-export. Not looking to move to anything else if I can help it.

huyz commented 2 months ago

@pro-sumer Thanks, that worked for me. Back in business.

Btw, for that POC, you'll need to pip install pycryptodome

carderne commented 2 months ago

Ok will incorporate that POC into signal-export when I have a bit of time.

carderne commented 2 months ago

Decryption should now work automatically on macOS. You'll be prompted by the security tool to enter your password.

If anyone shares the equivalent for Linux/WSL I can add that too.

Commit: https://github.com/carderne/signal-export/commit/f3c6e182aff5081f8ac5f66dc993714e3edd07e8

Release: v2.4.0

huyz commented 2 months ago

@carderne thanks so much man!

maxhbr commented 2 months ago

People reading this thread: How important is it for signal-export to continue to exist, given that sigtop also exists? Does signal-export have some important features that the other tool lacks?

I built something that is fun for me based on that tool (I generate a book out of the conversation that I had with one person) and I am already very thankful that the tool worked until now. Thanks a lot for it!

Right now I am trying to package v3.0.1 for Nix in the hope to get it working again.

carderne commented 2 months ago

Should be working fine on Linux and macOS. Not likely to put the effort in for Windows any time soon. (But I can give pointers for anyone who’d like to contribute!)

ProactiveServices commented 2 months ago

People reading this thread: How important is it for signal-export to continue to exist, given that sigtop also exists? Does signal-export have some important features that the other tool lacks?

Will be happy to get this working but also happy to just point people to an alternative if it’s just as good/better. The fact that it’s written in Go (and not dependent on pysqlcipher) seems like it should make installation a lot easier for most people.

Installation of sigexport here was really easy on Linux. If you're game to keep this working I'm happy to stick with it :-)

yelworc commented 2 months ago

Many thanks for maintaining this, @carderne! I'm definitely happy this tool exists, and using it on a regular basis 🙂

The export is working for me with v3.0.2 on Debian 11, as far as text messages are concerned (maybe helpful for others: libsecret-tools is the apt package that contains secret-tool).

Is the key unlocked via --password used while decrypting media files as well? These files are exported with plausible-looking file sizes here, but they all seem to consist of random garbage data.

carderne commented 2 months ago

@yelworc Oh damn... didn't even realise the media files were also encrypted, unless that was a subsequent change...

Will need to figure out how to decrypt them.

carderne commented 2 months ago

Seems relatively straightforward: https://github.com/tbvdm/sigtop/blob/2b9a0f94a6fc481434a8b7c95df019acbe06520f/signal/attachment.go#L120

jathri commented 2 months ago

Hello, will this work using Ubuntu (or other linux) subsystem in windows?

carderne commented 2 months ago

@jathri I'm honestly not sure how the secret is stored on WSL... since there's no Gnome there's probably no Gnome keychain stuff. You might be better off trying sigtop.

carderne commented 2 months ago

@yelworc Decrypting files is now supported via commit https://github.com/carderne/signal-export/commit/3111debf5ea85e4b071535b82e3e14470e6cfae3 released in v3.1.0

outpoints commented 2 months ago

Is there any way to migrate a Signal install from one machine to another using this tool? I had to decrypt the database last time I moved from Windows to Arch.

carderne commented 2 months ago

@outpoints please start a new thread if you have a separate issue. But to answer your question no this tool wouldn’t help in its current form.

yelworc commented 2 months ago

Decrypting files is now supported via commit 3111deb released in v3.1.0

@carderne awesome! Confirming: Worked without a hitch for my ~6.5GB archive with lots of files in 1:1 chats and groups over multiple years. Let me buy you a beer (or tea 🙂)!

ExecutiveCodingProducer commented 2 months ago

How important is it for signal-export to continue to exist, given that sigtop also exists? Does signal-export have some important features that the other tool lacks?

I really appreciate your work, sigexport has been a great tool for me during the past months. Given the issues about sigtop which have been pointed out by @lisdude I would be happy if you will continue the work on sigexport.

belamu commented 1 week ago

@yelworc Decrypting files is now supported via commit 3111deb released in v3.1.0

Thanks a lot! I could not figure out how to decrypt the key though. I am on KDE Fedora. There are commands called secret-tool, kwallet-query, kwalletd6, kwalletmanager5 but none contained suitable information about Signal. In case you know a general way that works for Electron on all platforms, that would be great to include in the error message about the encrypted key.

Update 1: in the config.json it includes the information "safeStorageBackend": "kwallet6"

Update 2: I installed sigtop, ran the sigtop export-key command, got a key that I then found in the KWalletManager under Chromium Keys > Passwords > Chromium Safe Storage

Update 3: I was able to retrieve this key also programmatically with the command kwallet-query kdewallet -f 'Chromium Keys' -r 'Chromium Safe Storage'

So my entire backup command (with snap installation) is

sigexport --source "${HOME}"/snap/signal-desktop/current/.config/Signal/ "${EXPORTDIR}" --paginate 0 --password="$(kwallet-query kdewallet -f 'Chromium Keys' -r 'Chromium Safe Storage')"

carderne commented 1 week ago

Well done figuring that out. Happy to have a PR to the README if you think you can describe relatively repeatable steps to use on KDE...

jathri commented 3 days ago

Yet another alternative (only thing that currently works for me): https://github.com/bepaald/signalbackup-tools

Very nice html export (from android backup file).