Log when the public keys don't match when verifiying megolm backups

mautrix · Feb 27, 2025 · 63832e8 · 63832e8
1 parent 02733b5
commit 63832e8
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/crypto/keybackup.go b/crypto/keybackup.go
@@ -54,9 +54,15 @@ func (mach *OlmMachine) GetAndVerifyLatestKeyBackupVersion(ctx context.Context,
 	// ...by deriving the public key from a private key that it obtained from a trusted source. Trusted sources for the private
 	// key include the user entering the key, retrieving the key stored in secret storage, or obtaining the key via secret sharing
 	// from a verified device belonging to the same user."
-	if megolmBackupKey != nil && versionInfo.AuthData.PublicKey == id.Ed25519(base64.RawStdEncoding.EncodeToString(megolmBackupKey.PublicKey().Bytes())) {
+	megolmBackupDerivedPublicKey := id.Ed25519(base64.RawStdEncoding.EncodeToString(megolmBackupKey.PublicKey().Bytes()))
+	if megolmBackupKey != nil && versionInfo.AuthData.PublicKey == megolmBackupDerivedPublicKey {
 		log.Debug().Msg("key backup is trusted based on public key")
 		return versionInfo, nil
+	} else {
+		log.Debug().
+			Stringer("expected_key", megolmBackupDerivedPublicKey).
+			Stringer("actual_key", versionInfo.AuthData.PublicKey).
+			Msg("key backup public keys do not match, proceeding to check device signatures")
 	}
 
 	// "...or checking that it is signed by the user’s master cross-signing key or by a verified device belonging to the same user"