Key backup not signed by MSK, leading to UTDs on new devices #2595

Closed
Tracked by #245
richvdh opened this issue Oct 23, 2024 · 4 comments · Fixed by matrix-org/matrix-js-sdk#4677

Member

richvdh commented Oct 23, 2024

New devices attempt to load keys for historical messages from key backup; however, in order that they can trust key backup, they check for a signature on that backup from the user's master cross-signing key.

Occasionally we see cases in which a user has a key backup, but it has not been signed. This could happen for a number of reasons; for example:

  • Backup was reset from within a device which has not been verified, and therefore does not have a copy of the private master cross-signing key. Implementations should not allow you to do this, but it's possible that some client implementations have bugs that allow it.
    • TODO: open specific issues against clients if we have evidence of this happening
  • Element web has a special button which could be more accurately labelled "Please break everything about my encryption": "Reset Backup" creates 4S without cross-signing keys element-web#27806
Member

uhoreg commented Nov 19, 2024

element-hq/element-web#28402 fixes one cause of this, where the "Reset all" button in Web resulted in unsigned backups.

Member

uhoreg commented Dec 6, 2024

If we encounter a backup that isn't signed by the MSK, we should fix it (probably by creating a new backup that's properly signed), rather than continuing on as if everything is fine.

Member Author

richvdh commented Feb 11, 2025

I think this is probably fixed by matrix-org/matrix-js-sdk#4677: as long as we have the decryption key, we don't actually require the backup to be signed.

Member Author

richvdh commented Feb 11, 2025

(The reason for signing it is so that new devices can start uploading keys to the backup without having the decryption key.)
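The trust decision discussed in this thread, modelled as an added JavaScript example (not matrix-js-sdk code and not written by the thread's participants): a backup is usable if the device holds the matching decryption key, and a master-cross-signing-key signature additionally lets a device without that key trust the backup for uploads. Assumptions: the `auth_data` layout and signing rules follow the Matrix `m.megolm_backup.v1.curve25519-aes-sha2` backup format, canonical JSON is simplified to flat objects, and the function names, user ID and keys are constructed for illustration.

```javascript
// Added example, not matrix-js-sdk code. All keys and IDs below are constructed.
const nodeCrypto = require("node:crypto");

// Raw 32-byte public key of a KeyObject as unpadded base64 (Matrix style).
const rawPub = (key) =>
  Buffer.from(key.export({ format: "jwk" }).x, "base64url").toString("base64").replace(/=+$/, "");

// Simplified canonical JSON: sorted keys, no whitespace (enough for flat auth_data).
const canonical = (obj) => JSON.stringify(obj, Object.keys(obj).sort());

// Bytes that get signed: auth_data without `signatures` and `unsigned`.
function signable(authData) {
  const { signatures, unsigned, ...rest } = authData;
  return Buffer.from(canonical(rest));
}

// decrypt: we hold the private key matching auth_data.public_key.
// upload:  decrypt, or the backup is signed by the user's master cross-signing key (MSK).
function evaluateBackupTrust(backupInfo, userId, mskPublic, decryptionKey) {
  const auth = backupInfo.auth_data;
  const keyMatches = !!decryptionKey &&
    rawPub(nodeCrypto.createPublicKey(decryptionKey)) === auth.public_key;
  const sig = auth.signatures?.[userId]?.["ed25519:" + rawPub(mskPublic)];
  const signedByMsk = !!sig &&
    nodeCrypto.verify(null, signable(auth), mskPublic, Buffer.from(sig, "base64"));
  return { decrypt: keyMatches, upload: keyMatches || signedByMsk, signedByMsk };
}

// Constructed fixtures: a user, their MSK, and a backup key pair.
const USER = "@alice:example.org";
const msk = nodeCrypto.generateKeyPairSync("ed25519");
const backupKey = nodeCrypto.generateKeyPairSync("x25519");

// Build backup version info, optionally signed by the MSK.
function makeBackup(signed) {
  const auth_data = { public_key: rawPub(backupKey.publicKey) };
  if (signed) {
    const sig = nodeCrypto.sign(null, signable(auth_data), msk.privateKey)
      .toString("base64").replace(/=+$/, "");
    auth_data.signatures = { [USER]: { ["ed25519:" + rawPub(msk.publicKey)]: sig } };
  }
  return { algorithm: "m.megolm_backup.v1.curve25519-aes-sha2", auth_data };
}
```

A signature stops verifying as soon as `auth_data.public_key` is changed, which is what lets a device without the decryption key detect a substituted backup.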
