xid provenance get/next fails on XIDs with custom assertions
Description
The envelope xid provenance get and envelope xid provenance next commands fail with "the envelope's subject is not a known value" when processing a valid XID that has custom assertions added via envelope assertion add.
The XID subject is valid and unchanged. The 'provenance' assertion is present and unmodified—only additional assertions have been added to the envelope.
Environment
- bc-envelope-cli version: 0.27.0
- Platform: macOS Darwin 25.1.0
Expected Behavior
envelope xid provenance get should extract the provenance mark from any valid XID.
envelope xid provenance next should advance the provenance sequence for any valid XID.
Actual Behavior
Both commands fail with:
Error: envelope parsing error
Caused by:
the envelope's subject is not a known value
Steps to Reproduce
1. Create a valid XID (works)
PASSWORD="test password"
# Generate keys and create XID
PRVKEYS=$(envelope generate prvkeys)
PUBKEYS=$(envelope generate pubkeys "$PRVKEYS")
XID=$(envelope xid new --nickname "TestUser" "$PUBKEYS")
XID=$(envelope xid inception --password "$PASSWORD" "$XID")
XID=$(envelope sign --signer "$PRVKEYS" "$XID")
# Save keys for later
SAVED_PRVKEYS="$PRVKEYS"
# These WORK:
envelope xid provenance get "$XID"
# Returns: ur:provenance/...
envelope xid provenance next --password "$PASSWORD" "$XID"
# Returns: ur:xid/... (with advanced provenance)
2. Add a custom assertion (fails)
# Unwrap, add assertion, re-wrap and sign
UNWRAPPED=$(envelope extract wrapped "$XID")
UNWRAPPED=$(envelope assertion add pred-obj string "customField" string "customValue" "$UNWRAPPED")
WRAPPED=$(envelope subject type wrapped "$UNWRAPPED")
MODIFIED_XID=$(envelope sign --signer "$SAVED_PRVKEYS" "$WRAPPED")
# These FAIL:
envelope xid provenance get "$MODIFIED_XID"
# Error: the envelope's subject is not a known value
envelope xid provenance next --password "$PASSWORD" "$MODIFIED_XID"
# Error: the envelope's subject is not a known value
Test Results Summary
| Command | Original XID | XID with custom assertions |
|---|---|---|
| xid provenance get | ✅ Works | ❌ Fails |
| xid provenance next | ✅ Works | ❌ Fails |
Use Case
XIDs are designed to accumulate assertions over their lifetime:
- Service links, attestations, endorsements
- SSH keys, contact information
- Third-party signatures
Provenance advancement is essential for the XID lifecycle—it establishes a tamper-evident timeline. Users need to advance provenance on XIDs that contain real-world data, not just bare XIDs.
Current Workaround
For xid provenance get: Manually extract the provenance assertion:
UNWRAPPED=$(envelope extract wrapped "$MODIFIED_XID")
PROV_ASSERTION=$(envelope assertion find predicate known provenance "$UNWRAPPED")
PROV_OBJECT=$(envelope extract object "$PROV_ASSERTION")
envelope format "$PROV_OBJECT"
For xid provenance next: No practical workaround. The encrypted provenance generator cannot easily be extracted, decrypted, advanced, re-encrypted, and reinserted manually.
Suggested Fix
The xid provenance commands should:
- Verify the envelope's subject is a valid XID type (XID(...))
- Find the 'provenance' assertion by its known predicate
- Ignore other assertions on the XID
- Perform the get/next operation on that assertion
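As an added illustration of the lookup the suggested fix describes (not bc-envelope-cli's own code), the Python model below keeps only what matters here: a signed XID is a wrapped envelope whose inner subject is the XID and whose assertions are (predicate, object) pairs. The provenance mark is located by its known predicate, so extra assertions such as the customField one from the reproduction are simply ignored; the XID bytes, UR strings and the 'nickname' entry are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Any

# Minimal model of the envelope structure relevant to this issue:
# a subject plus a list of (predicate, object) assertions. Predicates
# are either known values (e.g. 'provenance', 'signed') or plain strings.

@dataclass(frozen=True)
class KnownValue:
    name: str

@dataclass(frozen=True)
class XID:
    id_hex: str  # constructed placeholder for the XID identifier bytes

@dataclass
class Envelope:
    subject: Any                                     # XID, Envelope (wrapped), str, ...
    assertions: list = field(default_factory=list)   # [(predicate, object), ...]

class EnvelopeParseError(Exception):
    pass

def xid_provenance_object(env: Envelope):
    """Return the object of the XID's 'provenance' assertion, tolerating
    any number of unrelated assertions (the behaviour the fix asks for)."""
    # A signed XID is wrapped, with 'signed' assertions on the outside:
    # descend to the wrapped content before inspecting the subject.
    while isinstance(env.subject, Envelope):
        env = env.subject
    if not isinstance(env.subject, XID):
        raise EnvelopeParseError("the envelope's subject is not a XID")
    # Select by the known predicate only; everything else is ignored.
    matches = [obj for pred, obj in env.assertions
               if pred == KnownValue("provenance")]
    if len(matches) != 1:
        raise EnvelopeParseError("expected exactly one 'provenance' assertion")
    return matches[0]

def make_signed_xid(extra_assertions=()):
    """Constructed sample: a XID carrying a provenance mark plus optional
    custom assertions, wrapped and signed like the output of 'envelope sign'."""
    inner = Envelope(XID("00112233"), [
        (KnownValue("nickname"), "TestUser"),
        (KnownValue("provenance"), "ur:provenance/CONSTRUCTED"),
        *extra_assertions,
    ])
    return Envelope(inner, [(KnownValue("signed"), "ur:signature/CONSTRUCTED")])
```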
Related
See also: xid key all has the same issue (separate issue #13)