bugfix: skip TAM check with BORG_WORKAROUNDS=authenticated_no_key

This is an emergency workaround for authenticated repos if the user has lost the borg key. We can't compute the TAM key without the borg key, so just skip all the TAM stuff.
borgbackup · Jul 20, 2023 · d5ffa59 · d5ffa59
1 parent 3051473
commit d5ffa59
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/src/borg/crypto/key.py b/src/borg/crypto/key.py
@@ -246,6 +246,8 @@ def unpack_and_verify_manifest(self, data, force_tam_not_required=False):
         unpacker = get_limited_unpacker("manifest")
         unpacker.feed(data)
         unpacked = unpacker.unpack()
+        if AUTHENTICATED_NO_KEY:
+            return unpacked, True  # True is a lie.
         if "tam" not in unpacked:
             if tam_required:
                 raise TAMRequiredError(self.repository._location.canonical_path())
@@ -271,8 +273,6 @@ def unpack_and_verify_manifest(self, data, force_tam_not_required=False):
         offset = data.index(tam_hmac)
         data[offset : offset + 64] = bytes(64)
         tam_key = self._tam_key(tam_salt, context=b"manifest")
-        if AUTHENTICATED_NO_KEY:
-            return unpacked, True  # True is a lie.
         calculated_hmac = hmac.digest(tam_key, data, "sha512")
         if not hmac.compare_digest(calculated_hmac, tam_hmac):
             raise TAMInvalid()