Installing apps impossible due to time skew causing invalid signatures for U1 account

Bug #1509118 reported by Julia Palandri
This bug affects 1 person
Affects                              Status        Importance  Assigned to        Milestone
Canonical System Image               Fix Released  Critical    Alejandro J. Cura
ubuntuone-credentials (Ubuntu)       Fix Released  Critical    dobey
ubuntuone-credentials (Ubuntu RTM)   Fix Released  Critical    Unassigned

Bug Description

On a phone with a U1 account configured and working, some users reported that about a week ago (i.e. before OTA-7) they started having problems upgrading software or installing new apps.

When they want to upgrade/install, they are asked for their U1 information as if no account was set up on the phone. If they add the account through Accounts in Settings, the phone apparently stores the information, but when the user wants to use the store it disappears again.

Julia Palandri (julia-palandri) wrote :

Also: one of the users told me that the account works OK on her BQ phone and on desktop; it's her Meizu she's having trouble with (i.e. apparently it's nothing about the account itself).

She's also tried removing the app from SSO account settings; this deleted the account on the BQ, which she could re-add, but on the Meizu the problem persists.

Julia Palandri (julia-palandri) wrote :

One of the users just commented he 'fixed' it with a factory settings reset - so at least we have a workaround - though a harsh one.

Changed in canonical-devices-system-image:
assignee: nobody → Alejandro J. Cura (alecu)
importance: Undecided → Critical
milestone: none → ww46-2015
status: New → Confirmed
tags: added: regression-release
dobey (dobey) wrote :

Seeing the ~/.cache/upstart/scope-registry.log when this issue happens would be useful.

Alejandro J. Cura (alecu) wrote :

The "fixed by factory reset" seems like a harsher way of the "fix by setting time to automatically sync" that worked for a different user.

Julia Palandri (julia-palandri) wrote :

I confirm at least one case was fixed by setting the clock to automatic time instead of manual. Apparently it could have something to do with the time change in some countries and the fact that the OAuth key that the store uses to authenticate lasts only 15 minutes.
Apparently the difference in timestamps on the server produced this awkward behaviour.

I still need to check with the other users and see if this fixes the problem for them too, to close the bug.

I wonder if it's worth opening a design bug - do we *really* want to allow users to set the time manually? I think that manually choosing the time zone (instead of letting the phone guess by position) makes sense, but in what case does a user want to set the time manually once the timezone has been chosen?

Pat McGowan (pat-mcgowan) wrote :

Theory is that the fix for bug #1483866 triggered the subsequent failures, perhaps the time had always been wrong, or it drifted.
Now for a real fix, perhaps to query the server for the time rather than using the value from the client, which was employed in other cases.

Alejandro J. Cura (alecu) wrote :

If the user sets the time manually for whatever reason, then our code should keep working.
The proposed solution is to fetch the server's time and use that as a base for the time used in signatures.
We need to apply this solution to every project using U1 tokens.

Alejandro J. Cura (alecu) wrote :

A related U1 bug was #692597.
The fix was to do a HEAD request to the right server, and to use that time as the base for oauth signatures in the client.
A sample MP is: https://code.launchpad.net/~alecu/ubuntuone-storage-protocol/timestamp-autofix/+merge/78505
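
The approach described in the comments above (take the time from the server's HTTP Date header and use it as the base for OAuth signature timestamps), as an added sketch that is not the ubuntuone-credentials or ubuntuone-storage-protocol code. `ServerClock`, `server_accepts` and `demo` are hypothetical names, the sample header is constructed, and the 15-minute acceptance window is an assumption taken from the figure quoted earlier in this thread.

```python
import time
from datetime import timezone
from email.utils import parsedate_to_datetime

ACCEPT_WINDOW = 15 * 60  # assumed server tolerance (s), after the 15-minute figure in the thread


class ServerClock:
    """Server time learned from an HTTP Date header, advanced by a monotonic clock."""

    def __init__(self, wall=time.time, monotonic=time.monotonic):
        self._wall, self._monotonic = wall, monotonic
        self._server_epoch = self._anchor = None

    def sync(self, headers):
        """Record server time from response headers; return False if unusable."""
        try:
            dt = parsedate_to_datetime(headers["Date"])
        except (KeyError, TypeError, ValueError):
            return False  # missing or malformed Date: keep the previous state
        if dt.tzinfo is None:  # "-0000" parses as naive; HTTP dates are UTC
            dt = dt.replace(tzinfo=timezone.utc)
        self._server_epoch, self._anchor = dt.timestamp(), self._monotonic()
        return True

    def now(self):
        if self._server_epoch is None:
            return self._wall()  # never synced: fall back to the device clock
        # Elapsed time comes from the monotonic clock, so later manual
        # changes to the wall clock cannot reintroduce skew.
        return self._server_epoch + (self._monotonic() - self._anchor)

    def oauth_timestamp(self):
        return str(int(self.now()))


def server_accepts(oauth_timestamp, server_now, window=ACCEPT_WINDOW):
    """Server-side freshness check on the signed oauth_timestamp."""
    return abs(server_now - int(oauth_timestamp)) <= window


def demo():
    server_now = 1449524281  # constructed: 2015-12-07 21:38:01 UTC
    device_wall = lambda: server_now - 3600  # device clock set one hour slow
    clock = ServerClock(wall=device_wall, monotonic=lambda: 500.0)
    before = server_accepts(clock.oauth_timestamp(), server_now)
    clock.sync({"Date": "Mon, 07 Dec 2015 21:38:01 GMT"})  # constructed HEAD response
    after = server_accepts(clock.oauth_timestamp(), server_now)
    return before, after
```

`demo()` returns `(False, True)`: the request signed with the device clock falls outside the window, and the one signed after syncing to the Date header is accepted.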

Changed in canonical-devices-system-image:
milestone: ww46-2015 → ww02-2016
Changed in pay-service (Ubuntu):
assignee: nobody → Rodney Dawes (dobey)
John McAleely (john.mcaleely) wrote :

If your *time zone* is not set correctly, does some module 'correct to UTC' incorrectly, resulting in tokens several hours adrift?

See bug #1519359

tags: added: hotfix
Changed in canonical-devices-system-image:
milestone: ww02-2016 → ww50-2015
dobey (dobey)
Changed in ubuntuone-credentials (Ubuntu):
assignee: nobody → Rodney Dawes (dobey)
status: New → In Progress
Changed in pay-service (Ubuntu):
assignee: Rodney Dawes (dobey) → nobody
no longer affects: pay-service (Ubuntu)
no longer affects: pay-ui (Ubuntu)
no longer affects: ubuntu-push (Ubuntu)
no longer affects: unity-scope-click (Ubuntu)
summary: - U1 account stops working and prevents using the store
+ Installing packages impossible due to time skew causing invalid
+ signatures for U1 account
dobey (dobey)
summary: - Installing packages impossible due to time skew causing invalid
- signatures for U1 account
+ Installing apps impossible due to time skew causing invalid signatures
+ for U1 account
Changed in ubuntuone-credentials (Ubuntu):
importance: Undecided → Critical
Changed in canonical-devices-system-image:
status: Confirmed → In Progress
tags: added: lt-blocker lt-category-visible
dobey (dobey)
Changed in ubuntuone-credentials (Ubuntu):
status: In Progress → Fix Committed
Changed in canonical-devices-system-image:
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntuone-credentials - 15.11+16.04.20151207.1

---------------
ubuntuone-credentials (15.11+16.04.20151207.1) xenial; urgency=medium

  [ CI Train Bot ]
  * debian/libubuntuoneauth-2.0-0.symbols: update to released version.

  [ Rodney Dawes ]
  * Retrieve current timestamp from server to use in OAuth signatures.
    (LP: #1509118)

 -- Rodney Dawes <email address hidden> Mon, 07 Dec 2015 21:38:01 +0000

Changed in ubuntuone-credentials (Ubuntu):
status: Fix Committed → Fix Released
Changed in ubuntuone-credentials (Ubuntu RTM):
status: New → Fix Released
importance: Undecided → Critical
Changed in canonical-devices-system-image:
status: Fix Committed → Fix Released