spantaleev / matrix-docker-ansible-deploy

🐳 Matrix (An open network for secure, decentralized communication) server setup using Ansible and Docker
GNU Affero General Public License v3.0

Signal bridge encryption not working after changing to double puppet appservice #3493

Closed ddogfoodd closed 1 month ago

ddogfoodd commented 1 month ago

Describe the bug

After enabling the double puppet appservice, encryption for the signal bot seems broken. I am opening this issue so that we can collect details, as some people reported this problem in the playbook's and mautrix signal bridge matrix rooms. If you have any details, please add them as comments below so we can figure this out.

To Reproduce

My vars.yml file looks like this (Mautrix Signal related):

# Double Puppet Appservice for newer bridge implementations
matrix_appservice_double_puppet_enabled: true
# Shared Secret Auth - the old way of double puppeting for bridges
matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true
matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: 'XXXX'

matrix_mautrix_signal_enabled: true
matrix_mautrix_signal_configuration_extension_yaml: |
  bridge:
    encryption:
      allow: true
      default: true
      # set to false when not using Beeper (see: https://docs.mau.fi/bridges/general/troubleshooting.html#the-bridge-cant-decrypt-my-messages)
      appservice: false

Expected behavior

I thought adding the line matrix_appservice_double_puppet_enabled: true would do all the work and make the bridge use the double puppet appservice while keeping it using encryption.

Matrix Server:

Additional context

ddogfoodd commented 1 month ago

It seems the encryption config of the signal bridge is just outdated.

ddogfoodd commented 1 month ago

New way to do it:

# Double Puppet Appservice for newer bridge implementations
matrix_appservice_double_puppet_enabled: true
# Shared Secret Auth - the old way of double puppeting for bridges
matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true
matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: 'XXXX'

matrix_mautrix_signal_enabled: true
matrix_mautrix_signal_configuration_extension_yaml: |
  bridge:
    ...
  encryption:
    allow: true
    default: true
    # set to false when not using Beeper (see: https://docs.mau.fi/bridges/general/troubleshooting.html#the-bridge-cant-decrypt-my-messages)
    appservice: false

The indentation level of encryption has changed.

spantaleev commented 1 month ago

Good catch! Indeed, the encryption configuration has moved. encryption was previously nested under bridge, but not anymore.

Adjusting the encryption settings using the existing dedicated Ansible variables (matrix_mautrix_signal_bridge_encryption_allow, etc.) would have been your friend and done the right thing. Using matrix_mautrix_signal_configuration_extension_yaml instead of dedicated variables is prone to such issues - the playbook can neither check your configuration (except for YAML syntax validity), nor can it tell you when you're using incorrect configuration keys.

Due to this, the variables (matrix_mautrix_signal_bridge_encryption_allow, etc.) also need to be renamed for consistency (with the old ones being deprecated), but this hasn't been done yet.
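
A pre-deploy check for the situation described in the last comment, where the playbook cannot tell that keys inside matrix_mautrix_signal_configuration_extension_yaml sit at an outdated path. This is an added example, not part of the thread or of the playbook; the function names and the sample vars are constructed, and the parser assumes plain block-style mappings only.

```python
import re

EXT_VAR = "matrix_mautrix_signal_configuration_extension_yaml"
LEGACY_PATH = ("bridge", "encryption")  # where the thread says encryption used to live

def extension_block(vars_text):
    """Return (first_line_no, lines) of the EXT_VAR block scalar, or (0, []) if absent."""
    lines = vars_text.splitlines()
    for i, line in enumerate(lines):
        if re.match(rf"{EXT_VAR}:\s*\|", line):
            body = []
            for nxt in lines[i + 1:]:
                if nxt.strip() and not nxt.startswith(" "):
                    break  # back at column 0: the block scalar has ended
                body.append(nxt)
            return i + 2, body
    return 0, []

def key_paths(lines, first_no=1):
    """Yield (path, line_no) for each mapping key, tracking nesting by indentation.
    Assumption: plain block-style mappings only (no lists, flow style or anchors)."""
    stack = []  # (indent, key) pairs for the mappings that are currently open
    for no, raw in enumerate(lines, first_no):
        text = raw.strip()
        if not text or text.startswith("#") or ":" not in text:
            continue  # blank lines, comments and elisions such as "..."
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()  # close mappings at the same or deeper indentation
        stack.append((indent, text.split(":", 1)[0].strip()))
        yield tuple(key for _, key in stack), no

def legacy_encryption_keys(vars_text):
    """List (dotted_path, line_no) for settings still nested under bridge.encryption."""
    first_no, body = extension_block(vars_text)
    return [(".".join(path), no) for path, no in key_paths(body, first_no)
            if path[:2] == LEGACY_PATH and len(path) > 2]

# Constructed sample vars, modelled on the two snippets posted in the thread.
HEAD = "matrix_mautrix_signal_enabled: true\n" + EXT_VAR + ": |\n"
SETTINGS = ["allow: true", "default: true", "appservice: false"]
OLD_VARS = HEAD + "  bridge:\n    encryption:\n" + "".join(f"      {s}\n" for s in SETTINGS)
NEW_VARS = HEAD + "  encryption:\n" + "".join(f"    {s}\n" for s in SETTINGS)

if __name__ == "__main__":
    for path, no in legacy_encryption_keys(OLD_VARS):
        print(f"vars.yml:{no}: {path} is under the old bridge.encryption path")
```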