cipher: message authentication failed

[khimaros]

i've created a fresh backup with SeedVault 13-3.3 (CalyxOS 4.11.3) and verified the mnemonic with the app, however extracting with the v1 release of seedvault-extractor is failing:

version: 1
token: 1691182687280
seed: [elided]
key: [elided]
error: failed to decrypt metadata: failed to read decrypted data: cipher: message authentication failed

is there any other information i can provide to help isolate the problem?

[khimaros]

i suppose this may be related to https://github.com/jackwilsdon/seedvault-extractor/issues/2. similar to others there, i'm using SeedVault local backup + syncthing. i have verified the md5sum of the metadata file and tried running additional backups.

[jackwilsdon]

Are you able to try a current build of master? #8 implemented some additional validation that might be helpful here.

[khimaros]

building from master (and after another nightly backup) everything seems to be working.

when i use the release build, it fails at package com.mendhak.gpslogger with the error:

error: failed to extract "com.mendhak.gpslogger": failed to decrypt "/var/seedvault/1691182687280/[elided]": failed to read decrypted data: cipher: message authentication failed

anyway, it seems like it might be worth making a new release from master?

[khimaros]

actually, the error is present when extracting with master as well, but it keeps going after failure.

[jackwilsdon]

5 changed the decryption behaviour such that it no longer stops on an error. There's a bit more information about it in #3, but we haven't quite worked out why decryption fails for some packages (although it's possible it's an issue with Seedvault itself).

I'll cut a new release when I get a second, cheers!

[khimaros]

indeed, it does seem to fail for quite a few packages. it seems to be consistent which packages fail across multiple invocations though. anything i could to to help troubleshoot?

[jackwilsdon]

anything i could to to help troubleshoot?

Not that I can think of off the top of my head sorry. Does Seedvault on the device show a tick next to the apps that are failing to decrypt? Do the same apps fail to decrypt across multiple backups?

[khimaros]

there is a green checkmark next to the ones i spot checked.

i'll run a few more backups to verify if the same apps fail and report here.

[khimaros]

it is not always the same set of apps which fail.

i wonder if the issue is specific to the seedvault in CalyxOS? i noticed at least one of the other users complaining about this was using CalyxOS.

i'm using com.stevesoltys.seedvault 13-3.3

FWIW, @cdesai has been very helpful in the past and may know if they're using any unusual compilation flags or settings compared to eg. GrapheneOS.

[jackwilsdon]

It appears CalyxOS have their own fork of Seedvault (https://github.com/CalyxOS/platform_packages_apps_Seedvault), but diffing it with mainline Seedvault doesn't show any changes that could cause this. It's odd that it's different apps each time - definitely seems to hint towards it being an issue with Seedvault.