hyperledger · cendhu · Jan 5, 2026 · Dec 17, 2025
diff --git a/loadgen/workload/sign.go b/loadgen/workload/sign.go
@@ -116,7 +116,7 @@ func NewPolicyEndorserVerifier(profile *Policy) *NsPolicyEndorserVerifier {
 		logger.Debugf("Generating new keys")
 		signingKey, verificationKey = sigtest.NewKeyPairWithSeed(profile.Scheme, profile.Seed)
 	}
-	v, err := sigtest.NewNsVerifierFromKey(profile.Scheme, verificationKey)
+	v, err := signature.NewNsVerifierFromKey(profile.Scheme, verificationKey)
 	utils.Must(err)
 	endorser, err := sigtest.NewNsEndorserFromKey(profile.Scheme, signingKey)
 	utils.Must(err)

diff --git a/service/query/query_service_test.go b/service/query/query_service_test.go
@@ -280,9 +280,12 @@ func TestQueryPolicies(t *testing.T) {
 		delete(expectedNamespaces, p.Namespace)
 		item, parseErr := policy.CreateNamespaceVerifier(p, nil)
 		require.NoError(t, parseErr)
-		p := item.NamespacePolicy.GetThresholdRule()
-		require.NotNil(t, p)
-		require.Equal(t, signature.Ecdsa, p.Scheme)
+		require.NotNil(t, item)
+		pol, parseErr := policy.UnmarshalNamespacePolicy(p.Policy)
+		require.NoError(t, parseErr)
+		rule := pol.GetThresholdRule()
+		require.NotNil(t, rule)
+		require.Equal(t, signature.Ecdsa, rule.Scheme)
 	}
 
 	configTX, err := env.clientConn.GetConfigTransaction(t.Context(), nil)

diff --git a/service/verifier/policy/policy.go b/service/verifier/policy/policy.go
@@ -84,14 +84,23 @@ func CreateNamespaceVerifier(
 		return nil, err
 	}
 
-	pol := &applicationpb.NamespacePolicy{}
-	if err := proto.Unmarshal(pd.Policy, pol); err != nil {
-		return nil, errors.Wrap(err, "failed to unmarshal namepsace policy bytes")
+	pol, err := UnmarshalNamespacePolicy(pd.Policy)
+	if err != nil {
+		return nil, err
 	}
-
 	return signature.NewNsVerifier(pol, idDeserializer)
 }
 
+// UnmarshalNamespacePolicy unmarshals namespace policy bytes to a [applicationpb.NamespacePolicy] proto.
+func UnmarshalNamespacePolicy(policyBytes []byte) (*applicationpb.NamespacePolicy, error) {
+	pol := &applicationpb.NamespacePolicy{}
+	err := proto.Unmarshal(policyBytes, pol)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to unmarshal namespace policy bytes")
+	}
+	return pol, nil
+}
+
 // validateNamespaceIDInPolicy checks that a given namespace fulfills namespace naming conventions.
 func validateNamespaceIDInPolicy(nsID string) error {
 	// If it matches one of the system's namespaces it is invalid.

diff --git a/service/verifier/policy/policy_test.go b/service/verifier/policy/policy_test.go
@@ -71,7 +71,10 @@ func TestParsePolicyItem(t *testing.T) {
 			pd := MakePolicy(t, ns, p)
 			retP, err := CreateNamespaceVerifier(pd, nil)
 			require.NoError(t, err)
-			test.RequireProtoEqual(t, p, retP.NamespacePolicy)
+			require.NotNil(t, retP)
+			pol, err := UnmarshalNamespacePolicy(pd.Policy)
+			require.NoError(t, err)
+			test.RequireProtoEqual(t, p, pol)
 		})
 	}
 

diff --git a/service/verifier/verify.go b/service/verifier/verify.go
@@ -55,7 +55,8 @@ func (v *verifier) updatePolicies(
 	// While it is unlikely that policy parsing would fail at this stage, it could happen
 	// if the stored policy in the database is corrupted or maliciously altered, or if there is a
 	// bug in the committer that modifies the policy bytes.
-	newVerifiers, err := createVerifiers(update, v.bundle.MSPManager())
+	idDeserializer := v.bundle.MSPManager()
+	newVerifiers, err := createVerifiers(update, idDeserializer)
 	if err != nil {
 		return errors.Join(ErrUpdatePolicies, err)
 	}
@@ -69,9 +70,9 @@ func (v *verifier) updatePolicies(
 		}
 
 		// If there is a config update, the verifier for signature policies must be
-		// recreated to use the latest MSP Manager from the new configuration.
-		if update.Config != nil && nsVerifier.NamespacePolicy.GetMspRule() != nil {
-			nsVerifier, err = signature.NewNsVerifier(nsVerifier.NamespacePolicy, v.bundle.MSPManager())
+		// updated to use the latest MSP Manager from the new configuration.
+		if update.Config != nil {
+			err = nsVerifier.UpdateIdentities(idDeserializer)
 			if err != nil {
 				return err
 			}

diff --git a/utils/signature/sigtest/bench_test.go b/utils/signature/sigtest/bench_test.go
@@ -68,7 +68,7 @@ func BenchmarkVerify(b *testing.B) {
 		sk, pk := sigtest.NewKeyPair(scheme)
 		endorser, err := sigtest.NewNsEndorserFromKey(scheme, sk)
 		require.NoError(b, err)
-		v, err := sigtest.NewNsVerifierFromKey(scheme, pk)
+		v, err := signature.NewNsVerifierFromKey(scheme, pk)
 		require.NoError(b, err)
 
 		b.Run(scheme, func(b *testing.B) {

diff --git a/utils/signature/sigtest/factory_test.go b/utils/signature/sigtest/factory_test.go
@@ -26,7 +26,7 @@ func TestEndToEnd(t *testing.T) {
 		t.Run(scheme, func(t *testing.T) {
 			t.Parallel()
 			priv, pub := NewKeyPair(scheme)
-			v, err := NewNsVerifierFromKey(scheme, pub)
+			v, err := signature.NewNsVerifierFromKey(scheme, pub)
 			require.NoError(t, err)
 			e, err := NewNsEndorserFromKey(scheme, priv)
 			require.NoError(t, err)
@@ -55,7 +55,7 @@ func TestEcdsaPem(t *testing.T) {
 	priv, pub := NewKeyPair(scheme)
 	require.NoError(t, os.WriteFile(pemPath, append(priv, pub...), 0o600))
 
-	v, err := NewNsVerifierFromKey(scheme, pub)
+	v, err := signature.NewNsVerifierFromKey(scheme, pub)
 	require.NoError(t, err)
 	e, err := NewNsEndorserFromKey(scheme, priv)
 	require.NoError(t, err)
@@ -69,7 +69,7 @@ func TestEcdsaPem(t *testing.T) {
 	for key, value := range m {
 		t.Log(key)
 		if strings.Contains(strings.ToLower(key), "public") {
-			pemV, err = NewNsVerifierFromKey(scheme, value)
+			pemV, err = signature.NewNsVerifierFromKey(scheme, value)
 			require.NoError(t, err)
 		}
 		if strings.Contains(strings.ToLower(key), "private") {

diff --git a/utils/signature/sigtest/verify_export.go b/utils/signature/sigtest/verify_export.go