Situation is /var/lib/whitelist/owner.key and /var/lib/whitelist/policy.1 both present, but the signature in the policy file doesn't validate against the owner key. This can happen if session_manager crashes at the right time when re-generating an owner key. See  issue 897278  and  issue 880823  for details.

The situation is essentially that we know the device has an owner, but neither do we know what account is the owner, nor can we decode the device settings aka device policy. Chrome currently handles this by rejecting login attempts, which is correct in a sense (it can't check device policy to see whether login is allowed for a given user).

Needs further thought to figure out how to handle this.