HMAC verification failed for newer versions of Signal-Android (6.30.4) and signal-backup-decode 0.2.3 #63

Open
frans-fuerst opened this issue Sep 5, 2023 · 5 comments


@frans-fuerst

frans-fuerst commented Sep 5, 2023

Running Signal 6.30.4, newer backup files can't be decrypted for me anymore with signal-backup-decode 0.2.3. I don't exactly know what's the last Signal-version I've read successfully since I only run the backup every couple of weeks.

Command:

signal-backup-decode -f [--no-verify-mac] --verbosity DEBUG \
    --output-path ./ \
    --password-file path/to/pw-file \
    --output-type RAW \
    path/to/signal-2023-09-05-02-55-00.backup 

Output is:

12:39:45 [INFO] Output path: /path/to/output
12:39:45 [INFO] Input file: /path/to/signal-2023-09-05-02-55-00.backup
12:39:45 [DEBUG] (1) signal_backup_decode::input: Frame type: Header Frame (salt: [24, 97, 92, 29, 6D, 18, 5B, 84, 29, 8B, 5A, 7D, 81, BA, BA, C5, E5, E4, 1E, 65, 06, 5C, B8, 76, E2, BC, D7, 59, E0, C4, 47, 24] (length: 32), iv: [28, 42, 69, CE, DF, 30, BC, 9E, F6, BA, 5B, 71, 25, 67, D6, 27] (length: 16))
12:39:45 [DEBUG] (2) signal_backup_decode::input: Read frame number 1 with length of 1313236731 bytes
12:39:47 [ERROR] HMAC verification failed (their mac: [A5, 56, CB, 80, 5A, 97, 32, 00, F1, C9], our mac: [3D, D8, 0A, 0D, AB, 1C, 27, 23, AD, F5]).

(Error code 0 btw - should be nonzero, shouldn't it?)

I double checked the files didn't get corrupted on the way by manually copying them via adb pull and comparing them with diff. And while the files seem to be close to 4GB (I'm not using any FS supporting only less than 4GB anyway), backups are still of different sizes (i.e. not capped) and more than 100MB below 4GB:

$ ls -alF /path/to/backups/*                                                                       130 ↵
-rw-r--r--. 1 me me 4184806602 Sep  4 02:56 /path/to/backups/signal-2023-09-04-02-55-00.backup
-rw-r--r--. 1 me me 4185059654 Sep  5 02:57 /path/to/backups/signal-2023-09-05-02-55-00.backup

Also I verified my passphrase inside the app and made sure the "Verifying backup.." stage while creating the backup succeeds as well..

Anyone else experiencing this? Or does it work for someone with Signal v6.30.4?

Update: I also checked with https://github.com/mossblaser/signal_for_android_decryption - it also works for the last file I can successfully decrypt with signal-backup-decode but fails with the new ones (Error: Incorrect passphrase or corrupted backup (Bad MAC))
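
The report above notes that the failed run still exited with status 0, so a backup job that checks only the exit status would record a success. The following is an added example, not part of the original post or of signal-backup-decode: a shell wrapper that also scans the log for `[ERROR]` lines. The function names are hypothetical and the log format is taken from the output quoted in this issue.

```shell
#!/usr/bin/env bash
# Added example: treat a logged [ERROR] as a failure even if the decoder exits 0.

# Constructed sample: lines copied (shortened) from the log quoted in this issue.
sample_failed_log() {
    printf '%s\n' \
        '12:39:45 [INFO] Input file: /path/to/signal-2023-09-05-02-55-00.backup' \
        '12:39:45 [DEBUG] (2) signal_backup_decode::input: Read frame number 1 with length of 1313236731 bytes' \
        '12:39:47 [ERROR] HMAC verification failed (their mac: [A5, 56, CB, 80, 5A, 97, 32, 00, F1, C9], our mac: [3D, D8, 0A, 0D, AB, 1C, 27, 23, AD, F5]).'
}

# Scan decoder log text on stdin.
# Returns 0 if no error was logged, 2 on an HMAC mismatch, 1 on any other [ERROR].
check_decode_log() {
    local line result=0
    while IFS= read -r line; do
        case "$line" in
            *"[ERROR] HMAC verification failed"*)
                printf 'MAC mismatch: %s\n' "$line" >&2
                result=2
                ;;
            *"[ERROR]"*)
                printf 'decoder error: %s\n' "$line" >&2
                if [ "$result" -eq 0 ]; then result=1; fi
                ;;
        esac
    done
    return "$result"
}

# Run a decode command (given as arguments), echo its log, and fail if either
# the process exit status or the log itself reports an error.
run_verified() {
    local log rc=0 log_rc=0
    log=$("$@" 2>&1) || rc=$?
    printf '%s\n' "$log"
    printf '%s\n' "$log" | check_decode_log || log_rc=$?
    if [ "$rc" -ne 0 ]; then return "$rc"; fi
    return "$log_rc"
}
```

Prefix the decode command from the report with `run_verified` so that a scheduled job sees a non-zero status when the MAC check fails.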

@frans-fuerst
Author

signalapp/Signal-Android@c6473ca made changes to some backup file format related stuff, also affecting Backups.proto - might that be the cause?

@donaghhorgan

I'm seeing this error too. I saw that a change to Backups.proto was also addressed in #60 (apparently successfully), so I tried to copy the approach, bumping Backups.proto to the latest version from Signal Android, rebuilding Backups.rs and then recompiling from source (I'm not a Rust person or a crypto person, but I thought I'd have a go). Compiling worked, but when I tried to run the decode tool I get the same HMAC error as above:

22:34:24 [INFO] Input file: /path/to/signal-2023-10-09-03-30-00.backup
22:34:24 [DEBUG] (1) signal_backup_decode::input: Frame type: Header Frame (salt: [BA, AE, 8B, F2, 1B, 0E, ED, 97, 6A, 6F, CD, 16, 63, E3, 1F, 34, CB, 62, 21, 76, 8B, 22, 24, 56, 81, BF, 97, 9B, EB, D0, 01, 4C] (length: 32), iv: [EB, 3C, 14, 9B, 72, 3F, DF, 95, 35, 34, 0D, 50, 28, 4C, 45, 24] (length: 16))
22:34:24 [DEBUG] (2) signal_backup_decode::input: Read frame number 1 with length of 144867585 bytes
22:34:25 [ERROR] HMAC verification failed (their mac: [9A, 8D, B3, 3E, EC, AC, 85, 38, 7A, 39], our mac: [42, 45, 61, C4, AF, FB, FA, 96, DF, 8B]).

@lapseofreason

@frans-fuerst You might want to try those two PRs:

  1. Support backup v1 mossblaser/signal_for_android_decryption#6
  2. Support new backup file format #60

If it works with them, this is caused by the Signal-Android backup format changes.

If it does not, then either your passphrase is incorrect or there is some other issue. To rule out the former, you can check it in Signal-Android directly in the backup settings.

@frans-fuerst
Author

I'm pretty sure my passphrase is correct - I didn't change it for years and I've also verified it in the app (as you said).
But at least the second PR works for me, see #60 (comment),
but unfortunately it doesn't work for older files anymore.
I'll check the first PR as soon as possible.

@frans-fuerst
Author

frans-fuerst commented Oct 29, 2023

@lapseofreason: I just tried the first PR (on signal_for_android_decryption) and it worked for me for older (2019) and recent files.
