Key backup not signed by MSK, leading to UTDs on new devices #2595

Open
Tracked by #245
richvdh opened this issue Oct 23, 2024 · 1 comment
richvdh (Member) commented Oct 23, 2024

New devices attempt to load keys for historical messages from key backup; however, in order that they can trust key backup, they check for a signature on that backup from the user's master cross-signing key.

Occasionally we see cases in which a user has a key backup, but it has not been signed. This could happen for a number of reasons; for example:

  • Backup was reset from within a device which has not been verified, and therefore does not have a copy of the private master cross-signing key. Implementations should not allow you to do this, but it's possible that some client implementations have bugs that allow it.
    • TODO: open specific issues against clients if we have evidence of this happening
  • Element web has a special button which could be more accurately labelled "Please break everything about my encryption": "Reset Backup" creates 4S without cross-signing keys element-web#27806

uhoreg (Member) commented Nov 19, 2024

element-hq/element-web#28402 fixes one cause of this, where the "Reset all" button in Web resulted in unsigned backups.
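
The check described in the opening comment (a new device trusts key backup only if the backup carries a signature from the user's master cross-signing key), written out as an added example; it is not code from Element or any Matrix SDK. It assumes the Matrix spec's layout for the backup's `auth_data` (a `signatures` map keyed by user ID, then by `ed25519:<unpadded base64 MSK public key>`); the function names, user ID and keys are constructed for illustration.

```javascript
// Added example: classify a key backup's auth_data by its MSK signature.
const crypto = require("crypto");

// Simplified canonical JSON: sorted keys, no whitespace (sufficient for ASCII string fields).
function canonicalJson(value) {
  if (Array.isArray(value)) return "[" + value.map(canonicalJson).join(",") + "]";
  if (value && typeof value === "object") {
    return "{" + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ":" + canonicalJson(value[k])).join(",") + "}";
  }
  return JSON.stringify(value);
}

const unpadded = (buf) => buf.toString("base64").replace(/=+$/, "");

// Bytes a Matrix signature covers: the object without `signatures` and `unsigned`.
function signedBytes(obj) {
  const { signatures, unsigned, ...rest } = obj;
  return Buffer.from(canonicalJson(rest), "utf8");
}

// Returns "msk-signed", "msk-signature-invalid" or "not-msk-signed".
function backupTrust(authData, userId, mskPublicB64) {
  const sig = authData.signatures?.[userId]?.["ed25519:" + mskPublicB64];
  if (typeof sig !== "string") return "not-msk-signed"; // the case this issue tracks
  const key = crypto.createPublicKey({
    key: { kty: "OKP", crv: "Ed25519", x: Buffer.from(mskPublicB64, "base64").toString("base64url") },
    format: "jwk",
  });
  const ok = crypto.verify(null, signedBytes(authData), key, Buffer.from(sig, "base64"));
  return ok ? "msk-signed" : "msk-signature-invalid";
}

// Constructed sample data: a throwaway MSK and four variants of one backup's auth_data.
function makeSample() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  const mskPub = unpadded(Buffer.from(publicKey.export({ format: "jwk" }).x, "base64url"));
  const userId = "@alice:example.org";
  const unsignedBackup = { public_key: "Y29uc3RydWN0ZWQtYmFja3VwLWtleQ" };
  const sig = unpadded(crypto.sign(null, signedBytes(unsignedBackup), privateKey));
  const signedBackup = { ...unsignedBackup, signatures: { [userId]: { ["ed25519:" + mskPub]: sig } } };
  const deviceOnly = { ...unsignedBackup, signatures: { [userId]: { "ed25519:DEVICEID": sig } } };
  const tampered = { ...signedBackup, public_key: "dGFtcGVyZWQ" };
  return { userId, mskPub, unsignedBackup, signedBackup, deviceOnly, tampered };
}
```

A backup with no signatures at all and one signed only under a device key both come back as `not-msk-signed`, which is the state a new device cannot trust on the MSK alone.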
