bad_signature

Summary

signature verification failed

Help

the request signature does not match the claimed public key

Details

When this fires

The signature was the right length and the public key was on the trust list, but the ed25519 verification failed. That means the signed bytes do not match what the server reconstructed: typically a mismatched HTTP method, request path, body, timestamp, or nonce between the client side of Canonical and the server side. Body tampering by a proxy is a common culprit. User-visible symptom: nanook ctl returns a 401 even though the key is in [admin].authorized.

What to check

• The canonical bytes are v1\n<METHOD>\n<PATH>\n<TS>\n<NONCE>\n<HEX-SHA256-BODY> (see crates/nanook-auth/src/signing.rs). Make sure no proxy rewrites the body, path, or method casing between client and agent.
• If you swapped identities recently, re-sign with the matching private key.