xid key all fails on XIDs with custom assertions
Description
The envelope xid key all command fails with "the envelope's subject is not a known value" when processing a valid XID that has custom assertions added via envelope assertion add.
The XID subject is valid and unchanged—only additional assertions have been added to the envelope. The 'key' assertion containing the keys is present and unmodified.
Environment
- bc-envelope-cli version: 0.27.0
- Platform: macOS Darwin 25.1.0
Expected Behavior
The envelope xid key all command should successfully extract keys from any valid XID envelope, regardless of what additional assertions exist on the XID structure.
Actual Behavior
Error: envelope parsing error
Caused by:
the envelope's subject is not a known value
Steps to Reproduce
1. Create a valid XID (works)
PASSWORD="test password"
# Generate keys and create XID
PRVKEYS=$(envelope generate prvkeys)
PUBKEYS=$(envelope generate pubkeys "$PRVKEYS")
XID=$(envelope xid new --nickname "TestUser" "$PUBKEYS")
XID=$(envelope xid inception --password "$PASSWORD" "$XID")
XID=$(envelope sign --signer "$PRVKEYS" "$XID")
# Save keys for later
SAVED_PRVKEYS="$PRVKEYS"
# This WORKS:
envelope xid key all --private --password "$PASSWORD" "$XID"
# Returns: ur:crypto-prvkeys/...

2. Add a custom assertion (fails)
# Unwrap, add assertion, re-wrap and sign
UNWRAPPED=$(envelope extract wrapped "$XID")
UNWRAPPED=$(envelope assertion add pred-obj string "customField" string "customValue" "$UNWRAPPED")
WRAPPED=$(envelope subject type wrapped "$UNWRAPPED")
MODIFIED_XID=$(envelope sign --signer "$SAVED_PRVKEYS" "$WRAPPED")
# This FAILS:
envelope xid key all --private --password "$PASSWORD" "$MODIFIED_XID"
# Error: envelope parsing error
# Caused by: the envelope's subject is not a known value

Comparison
Original XID structure (commands work):
{
XID(bd631818) [
'key': PublicKeys(...) [...]
'provenance': ProvenanceMark(...) [...]
]
} [
'signed': Signature(Ed25519)
]
Modified XID structure (commands fail):
{
XID(bd631818) [
"customField": "customValue" ← Added assertion
'key': PublicKeys(...) [...] ← Unchanged
'provenance': ProvenanceMark(...) [...] ← Unchanged
]
} [
'signed': Signature(Ed25519)
]
Both have:
- Identical XID(bd631818) subject
- Identical 'key' assertion with encrypted private keys
- Identical 'provenance' assertion

The only difference is the additional "customField" assertion.
Use Case
The XID tutorials and specification encourage adding custom data to XIDs:
- Service account links (GitHub, social media)
- SSH signing keys for Git commit verification
- Attestations and endorsements
- Contact information
Users need to extract keys from these enriched XIDs for re-signing after modifications.
Current Workaround
Extract and save private keys before adding custom assertions, then load the saved keys for future operations:
# Before adding assertions, save the keys
PRVKEYS=$(envelope xid key all --private --password "$PASSWORD" "$XID")
echo "$PRVKEYS" > my-xid-prvkeys.envelope
# Later, load saved keys instead of extracting
PRVKEYS=$(cat my-xid-prvkeys.envelope)

Suggested Fix
The xid key all command should:
- Verify the envelope's subject is a valid XID type (XID(...))
- Find the 'key' assertion by its known predicate
- Extract keys from that assertion
- Ignore other assertions on the XID
This would make the command tolerant of XIDs that have been enriched with additional data.
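To make the proposed lookup concrete, here is an added example (not part of this issue and not bc-envelope-cli's own code) that parses the envelope notation printed above into a small tree and implements both behaviours side by side: a strict lookup that is only a model of the reported failure (it rejects any predicate on the XID that is not a known value) and the tolerant lookup the issue suggests (check the subject type, select the 'key' assertion by predicate, ignore everything else). The `Envelope` class, the parser and the two lookup functions are assumptions for illustration; the only convention it relies on is the one visible in the structures above, where `'key'` (single quotes) is a known value and `"customField"` (double quotes) is a string. The two sample structures are constructed from the issue's printouts.

```python
"""Model of the tolerant 'key' lookup proposed in the issue.

Assumption: this works on the *notation* that `envelope format` prints (as
shown in the issue), not on bc-envelope's real data model or API.
"""
from dataclasses import dataclass, field
from typing import Union


@dataclass
class Envelope:
    # A leaf subject as notation text, or an inner Envelope when wrapped in { }.
    subject: Union[str, "Envelope"]
    # (predicate, object) pairs, both kept as notation text.
    assertions: list = field(default_factory=list)


def parse_notation(text: str) -> Envelope:
    """Parse the bracketed notation used in the issue into an Envelope tree."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    env, nxt = _parse(lines, 0)
    if nxt != len(lines):
        raise ValueError(f"trailing input at line {nxt}")
    return env


def _parse(lines, i):
    line = lines[i]
    if line == "{":                                  # wrapped envelope
        inner, i = _parse(lines, i + 1)
        if not lines[i].startswith("}"):
            raise ValueError("unbalanced braces")
        env, has_assertions = Envelope(inner), lines[i].endswith("[")
    else:                                            # leaf subject, e.g. "XID(bd631818) ["
        has_assertions = line.endswith("[")
        env = Envelope(line[:-1].rstrip() if has_assertions else line)
    i += 1
    if has_assertions:
        while lines[i] != "]":
            pred, obj = lines[i].split(":", 1)       # "'key': PublicKeys(...) [...]"
            env.assertions.append((pred.strip(), obj.strip()))
            i += 1
        i += 1                                       # consume the closing "]"
    return env, i


def is_known_value(pred: str) -> bool:
    """'key' (single quotes) is a known value; "customField" (double quotes) is a string."""
    return len(pred) >= 2 and pred[0] == pred[-1] == "'"


def unwrap(env: Envelope) -> Envelope:
    """Strip wrapping layers (the signature sits on the outer wrapper)."""
    while isinstance(env.subject, Envelope):
        env = env.subject
    return env


def keys_strict(env: Envelope) -> list:
    """Hypothetical model of the failing behaviour: every predicate on the XID
    is read as a known value, so a string predicate aborts the whole lookup."""
    xid = unwrap(env)
    for pred, _ in xid.assertions:
        if not is_known_value(pred):
            raise ValueError("predicate's subject is not a known value")
    return [obj for pred, obj in xid.assertions if pred == "'key'"]


def keys_tolerant(env: Envelope) -> list:
    """The fix the issue proposes: verify the subject is an XID, select the
    'key' assertion by its known predicate, ignore all other assertions."""
    xid = unwrap(env)
    if not isinstance(xid.subject, str) or not xid.subject.startswith("XID("):
        raise ValueError("subject is not an XID")
    keys = [obj for pred, obj in xid.assertions if pred == "'key'"]
    if not keys:
        raise ValueError("XID has no 'key' assertion")
    return keys


# Constructed samples copied from the structures shown in the issue.
ORIGINAL = """
{
XID(bd631818) [
'key': PublicKeys(...) [...]
'provenance': ProvenanceMark(...) [...]
]
} [
'signed': Signature(Ed25519)
]
"""

MODIFIED = """
{
XID(bd631818) [
"customField": "customValue"
'key': PublicKeys(...) [...]
'provenance': ProvenanceMark(...) [...]
]
} [
'signed': Signature(Ed25519)
]
"""

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("modified", MODIFIED)):
        env = parse_notation(text)
        try:
            strict = keys_strict(env)
        except ValueError as e:
            strict = f"error: {e}"
        print(f"{name}: strict={strict} tolerant={keys_tolerant(env)}")
```

Running it shows the strict lookup failing only on the modified structure while the tolerant lookup returns the same 'key' object for both, which is the behaviour the suggested fix asks for.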
Related
See also: xid provenance get and xid provenance next have the same issue (separate issue #14)