fix: throw error if signature type not supported

jxom · jxom · commit e7509364b3e9 · 2025-12-17T09:32:44.000+11:00
diff --git a/.changeset/chilled-balloons-smile.md b/.changeset/chilled-balloons-smile.md
@@ -0,0 +1,5 @@
+---
+"ox": patch
+---
+
+Throw error if signature envelope type not supported.
diff --git a/src/tempo/SignatureEnvelope.test.ts b/src/tempo/SignatureEnvelope.test.ts
@@ -1857,7 +1857,7 @@ describe('verify', () => {
   })
 
   describe('keychain', () => {
-    test('behavior: returns false for keychain signatures', () => {
+    test('error: throws for keychain signatures', () => {
       const privateKey = Secp256k1.randomPrivateKey()
       const secp256k1PublicKey = Secp256k1.getPublicKey({ privateKey })
       const payload = '0xdeadbeef' as const
@@ -1869,12 +1869,14 @@ describe('verify', () => {
         inner: innerEnvelope,
       })
 
-      expect(
+      expect(() =>
         SignatureEnvelope.verify(envelope, {
           payload,
           publicKey: secp256k1PublicKey,
         }),
-      ).toBe(false)
+      ).toThrowErrorMatchingInlineSnapshot(
+        `[SignatureEnvelope.VerificationError: Unable to verify signature envelope of type "keychain".]`,
+      )
     })
   })
 })
diff --git a/src/tempo/SignatureEnvelope.ts b/src/tempo/SignatureEnvelope.ts
@@ -957,7 +957,7 @@ export declare namespace validate {
  * Supports `secp256k1`, `p256`, and `webAuthn` signature types.
  *
  * :::warning
- * `keychain` signatures are not supported and will return `false`.
+ * `keychain` signatures are not supported and will throw an error.
  * :::
  *
  * @example
@@ -1068,44 +1068,42 @@ export function verify(
   })()
   if (!address) return false
 
-  try {
-    const envelope = from(signature)
-
-    if (envelope.type === 'secp256k1') {
-      if (!address) return false
-      return ox_Secp256k1.verify({
-        address,
-        payload,
-        signature: envelope.signature,
-      })
-    }
+  const envelope = from(signature)
 
-    if (envelope.type === 'p256') {
-      const envelopeAddress = Address.fromPublicKey(envelope.publicKey)
-      if (!Address.isEqual(envelopeAddress, address)) return false
-      return ox_P256.verify({
-        hash: envelope.prehash,
-        publicKey: envelope.publicKey,
-        payload,
-        signature: envelope.signature,
-      })
-    }
+  if (envelope.type === 'secp256k1') {
+    if (!address) return false
+    return ox_Secp256k1.verify({
+      address,
+      payload,
+      signature: envelope.signature,
+    })
+  }
 
-    if (envelope.type === 'webAuthn') {
-      const envelopeAddress = Address.fromPublicKey(envelope.publicKey)
-      if (!Address.isEqual(envelopeAddress, address)) return false
-      return ox_WebAuthnP256.verify({
-        challenge: Hex.from(payload),
-        metadata: envelope.metadata,
-        publicKey: envelope.publicKey,
-        signature: envelope.signature,
-      })
-    }
+  if (envelope.type === 'p256') {
+    const envelopeAddress = Address.fromPublicKey(envelope.publicKey)
+    if (!Address.isEqual(envelopeAddress, address)) return false
+    return ox_P256.verify({
+      hash: envelope.prehash,
+      publicKey: envelope.publicKey,
+      payload,
+      signature: envelope.signature,
+    })
+  }
 
-    return false
-  } catch {
-    return false
+  if (envelope.type === 'webAuthn') {
+    const envelopeAddress = Address.fromPublicKey(envelope.publicKey)
+    if (!Address.isEqual(envelopeAddress, address)) return false
+    return ox_WebAuthnP256.verify({
+      challenge: Hex.from(payload),
+      metadata: envelope.metadata,
+      publicKey: envelope.publicKey,
+      signature: envelope.signature,
+    })
   }
+
+  throw new VerificationError(
+    `Unable to verify signature envelope of type "${envelope.type}".`,
+  )
 }
 
 export declare namespace verify {
@@ -1173,3 +1171,10 @@ export class InvalidSerializedError extends Errors.BaseError {
     })
   }
 }
+
+/**
+ * Error thrown when a signature envelope fails to verify.
+ */
+export class VerificationError extends Errors.BaseError {
+  override readonly name = 'SignatureEnvelope.VerificationError'
+}

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"ox": patch
 +---
++
 +Throw error if signature envelope type not supported.