nextcloud · nickvergessen · Jan 22, 2026 · Dec 27, 2025 · Jan 22, 2026 · Jan 16, 2026
@@ -18,7 +18,7 @@
 * 🌉 **Sync with other chat solutions** With [Matterbridge](https://github.com/42wim/matterbridge/) being integrated in Talk, you can easily sync a lot of other chat solutions to Nextcloud Talk and vice-versa.
 ]]></description>
 
-	<version>23.0.0-beta.2</version>
+	<version>23.0.0-beta.2.1</version>
 	<licence>agpl</licence>
 
 	<author>Anna Larch</author>
@@ -89,6 +89,7 @@
 			<step>OCA\Talk\Migration\ClearResourceAccessCache</step>
 			<step>OCA\Talk\Migration\CacheUserDisplayNames</step>
 			<step>OCA\Talk\Migration\FixLastReadMessageZero</step>
+			<step>OCA\Talk\Migration\RegenerateSignalingKeys</step>
 		</post-migration>
 	</repair-steps>
 

diff --git a/composer.lock b/composer.lock
diff --git a/lib/Config.php b/lib/Config.php
@@ -542,7 +542,7 @@ private function ensureSignalingTokenKeys(string $alg): void {
 
 		if (str_starts_with($alg, 'ES')) {
 			$privKey = openssl_pkey_new([
-				'curve_name' => 'prime256v1',
+				'curve_name' => $alg === 'ES384' ? 'secp384r1' : 'prime256v1',
 				'private_key_bits' => 2048,
 				'private_key_type' => OPENSSL_KEYTYPE_EC,
 			]);

diff --git a/lib/Migration/RegenerateSignalingKeys.php b/lib/Migration/RegenerateSignalingKeys.php
@@ -0,0 +1,48 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\Talk\Migration;
+
+use OCA\Talk\Config;
+use OCP\AppFramework\Services\IAppConfig;
+use OCP\Migration\IOutput;
+use OCP\Migration\IRepairStep;
+
+/**
+ * In JWT 7.0.2 validation for the key length was added, and it revealed that
+ * Talk used a too short private key. So when generating a signaling ticket fails,
+ * we generate a new private and public key with more complex curve which fixes it.
+ */
+class RegenerateSignalingKeys implements IRepairStep {
+	public function __construct(
+		protected IAppConfig $appConfig,
+		protected Config $talkConfig,
+	) {
+	}
+
+	#[\Override]
+	public function getName(): string {
+		return 'Regenerate signaling keys';
+	}
+
+	#[\Override]
+	public function run(IOutput $output): void {
+		$alg = $this->talkConfig->getSignalingTokenAlgorithm();
+
+		if ($alg === 'ES384') {
+			try {
+				$this->talkConfig->getSignalingTicket(2, null);
+			} catch (\Exception $e) {
+				$this->appConfig->setAppValue('signaling_token_privkey_' . strtolower($alg), '');
+				$this->appConfig->setAppValue('signaling_token_pubkey_' . strtolower($alg), '');
+
+				$this->talkConfig->getSignalingTokenPrivateKey($alg);
+			}
+		}
+	}
+}