Links to files fail to open with signature error unless authorized user accesses first

[whinis]

⚠️ This issue respects the following points: ⚠️

• This is a bug, not a question or a configuration/webserver/proxy issue.
• This issue is not already reported on Github (I've searched it).
• Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• I agree to follow Nextcloud's Code of Conduct.

Bug description

After updating my nextcloud 22.2.3 instance to 22.2.4 and switching to new encryption I noticed that any time ShareX uploaded a file and created a preview link, no one could view it until I clicked it and was logged in. If anyone attempts to view it before this I get a "Signature Missing" error message. I then procceeded to update all the way to 24.0.2 and the error persist.

Steps to reproduce

1.Upload image using the API
2. Create a share link to the image in question using the API
3. Attempt to view link in unauthorized browser
4. Get signature error

Expected behavior

Prior to switch encryption I could upload, create link, and then past without any issues. Now I have to remember to view the link myself first before sharing.

Installation method

Manual installation

Operating system

Debian/Ubuntu

PHP engine version

PHP 7.4

Web server

Nginx

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

Updated from a minor version (ex. 22.2.3 to 22.2.4)

Are you using the Nextcloud Server Encryption module?

Encryption is Enabled

What user-backends are you using?

• Default user-backend (database)
• LDAP/ Active Directory
• SSO - SAML
• Other

Configuration report

sudo -u nginx php7.4 occ config:list system
{
    "system": {
        "memcache.local": "\\OC\\Memcache\\APCu",
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "cloud.whinis.com",
            "www.miamipibs.science"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "https:\/\/cloud.whinis.com",
        "dbtype": "mysql",
        "version": "24.0.2.1",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "forcessl": true,
        "theme": "",
        "maintenance": false,
        "loglevel": 3,
        "singleuser": false,
        "filesystem_check_changes": 0,
        "updatechecker": false,
        "trashbin_retention_obligation": "30,180",
        "mysql.utf8mb4": true,
        "app_install_overwrite": [
            "spgverein"
        ],
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "encryption.legacy_format_support": false,
        "encryption.key_storage_migrated": false,
        "updater.secret": "***REMOVED SENSITIVE VALUE***"
    }
}

List of activated Apps

sudo -u nginx php7.4 occ app:list
Enabled:
  - accessibility: 1.10.0
  - activity: 2.16.0
  - admin_audit: 1.14.0
  - calendar: 3.4.1
  - circles: 24.0.0
  - cloud_federation_api: 1.7.0
  - comments: 1.14.0
  - contacts: 4.1.1
  - contactsinteraction: 1.5.0
  - dashboard: 7.4.0
  - dav: 1.22.0
  - encryption: 2.12.0
  - federatedfilesharing: 1.14.0
  - federation: 1.14.0
  - files: 1.19.0
  - files_pdfviewer: 2.5.0
  - files_rightclick: 1.3.0
  - files_sharing: 1.16.2
  - files_versions: 1.17.0
  - files_videoplayer: 1.13.0
  - firstrunwizard: 2.13.0
  - logreader: 2.9.0
  - lookup_server_connector: 1.12.0
  - nextcloud_announcements: 1.13.0
  - notifications: 2.12.0
  - oauth2: 1.12.0
  - password_policy: 1.14.0
  - photos: 1.6.0
  - privacy: 1.8.0
  - provisioning_api: 1.14.0
  - recommendations: 1.3.0
  - serverinfo: 1.14.0
  - settings: 1.6.0
  - sharebymail: 1.14.0
  - support: 1.7.0
  - survey_client: 1.12.0
  - systemtags: 1.14.0
  - tasks: 0.14.4
  - text: 3.5.1
  - theming: 1.15.0
  - twofactor_backupcodes: 1.13.0
  - updatenotification: 1.14.0
  - user_status: 1.4.0
  - viewer: 1.8.0
  - weather_status: 1.4.0
  - workflowengine: 2.6.0
Disabled:
  - bruteforcesettings: 1.5.0
  - files_external
  - files_trashbin: 1.8.0
  - user_ldap

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

over 400mb in size.

Additional info

No response

[whinis]

Any update on this, its been a few months and I still have this issue

[whinis]

So I updated to Nextcloud Hub 3 (25.0.3) and the problem persist. With 'encryption.legacy_format_support' => false all shares show missing signature until I view them with the user who shared them. If its true then it works without issues.

[joshtrichards]

You may need to use the occ encryption:fix-encrypted-version command:

• https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#occ-encryption-commands
• Downstream encryption:fix-encrypted-version for repairing "bad signature" errors #27638
• Add encryption hint about how to fix bad signature errors documentation#6884