From ef5cb530af3a1809f20f3f48cd3f100f67902455 Mon Sep 17 00:00:00 2001
From: Andreas Dueren <andreas@due.ren>
Date: Fri, 16 Jan 2026 11:08:45 -0600
Subject: [PATCH] Enable appservice mode for end-to-bridge encryption (MSC3202)

- Fix encryption with Synapse 1.141+ which blocks appservice users from /sync
- Set encryption.appservice=true in start.sh (all 3 occurrences)
- Bump version to 1.0.2
---
 CHANGELOG.md          | 5 +++++
 CloudronManifest.json | 2 +-
 start.sh              | 6 +++---
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 799ab53..06bb906 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog
 
+## 1.0.2 - 2026-01-16
+
+- Enable appservice mode for end-to-bridge encryption (MSC3202)
+- Fixes encryption with Synapse 1.141+ which blocks appservice users from /sync
+
 ## 1.0.1 - 2026-01-15
 
 - Fixed start.sh permissions issue
diff --git a/CloudronManifest.json b/CloudronManifest.json
index 15e4aa4..21eee6d 100644
--- a/CloudronManifest.json
+++ b/CloudronManifest.json
@@ -1,5 +1,5 @@
 {
-  "version": "1.0.1",
+  "version": "1.0.2",
   "upstreamVersion": "0.2512.0",
   "id": "dev.maunium.signal.cloudronapp",
   "title": "Matrix Signal Bridge",
diff --git a/start.sh b/start.sh
index 8eeb726..8ccc864 100644
--- a/start.sh
+++ b/start.sh
@@ -78,7 +78,7 @@ if [ ! -f "$CONFIG_PATH" ]; then
             yq -i -y '.encryption.allow = true' "$CONFIG_PATH" || echo "=> ERROR: Could not configure encryption allow"
             yq -i -y '.encryption.default = false' "$CONFIG_PATH" || echo "=> ERROR: Could not configure encryption default"
             yq -i -y '.encryption.require = false' "$CONFIG_PATH" || echo "=> ERROR: Could not configure encryption require"
-            yq -i -y '.encryption.appservice = false' "$CONFIG_PATH" || echo "=> ERROR: Could not configure encryption appservice"
+            yq -i -y '.encryption.appservice = true' "$CONFIG_PATH" || echo "=> ERROR: Could not configure encryption appservice"
             yq -i -y '.encryption.plaintext_mentions = false' "$CONFIG_PATH" || echo "=> ERROR: Could not configure encryption plaintext_mentions"
             yq -i -y '.encryption.delete_keys.delete_outbound_on_ack = true' "$CONFIG_PATH" || echo "=> ERROR: Could not configure encryption delete_outbound_on_ack"
             yq -i -y '.encryption.delete_keys.dont_store_outbound = true' "$CONFIG_PATH" || echo "=> ERROR: Could not configure encryption dont_store_outbound"
@@ -173,7 +173,7 @@ else
                 yq -i -y '.encryption.allow = true' "$CONFIG_PATH" || echo "=> ERROR: Could not update encryption allow"
                 yq -i -y '.encryption.default = false' "$CONFIG_PATH" || echo "=> ERROR: Could not update encryption default"
                 yq -i -y '.encryption.require = false' "$CONFIG_PATH" || echo "=> ERROR: Could not update encryption require"
-                yq -i -y '.encryption.appservice = false' "$CONFIG_PATH" || echo "=> ERROR: Could not update encryption appservice"
+                yq -i -y '.encryption.appservice = true' "$CONFIG_PATH" || echo "=> ERROR: Could not update encryption appservice"
                 yq -i -y '.encryption.plaintext_mentions = false' "$CONFIG_PATH" || echo "=> ERROR: Could not update encryption plaintext_mentions"
                 yq -i -y '.encryption.delete_keys.delete_outbound_on_ack = true' "$CONFIG_PATH" || echo "=> ERROR: Could not update encryption delete_outbound_on_ack"
                 yq -i -y '.encryption.delete_keys.dont_store_outbound = true' "$CONFIG_PATH" || echo "=> ERROR: Could not update encryption dont_store_outbound"
@@ -202,7 +202,7 @@ else
         yq -i -y '.encryption.allow = true' "$CONFIG_PATH" || echo "=> ERROR: Could not update encryption allow"
         yq -i -y '.encryption.default = false' "$CONFIG_PATH" || echo "=> ERROR: Could not update encryption default"
         yq -i -y '.encryption.require = false' "$CONFIG_PATH" || echo "=> ERROR: Could not update encryption require"
-        yq -i -y '.encryption.appservice = false' "$CONFIG_PATH" || echo "=> ERROR: Could not update encryption appservice"
+        yq -i -y '.encryption.appservice = true' "$CONFIG_PATH" || echo "=> ERROR: Could not update encryption appservice"
         yq -i -y '.encryption.plaintext_mentions = false' "$CONFIG_PATH" || echo "=> ERROR: Could not update encryption plaintext_mentions"
         yq -i -y '.encryption.delete_keys.delete_outbound_on_ack = true' "$CONFIG_PATH" || echo "=> ERROR: Could not update encryption delete_outbound_on_ack"
         yq -i -y '.encryption.delete_keys.dont_store_outbound = true' "$CONFIG_PATH" || echo "=> ERROR: Could not update encryption dont_store_outbound"