Skip to content

fix: disable ICP query signature verification to resolve TrustError#3398

Draft
bernd2022 wants to merge 2 commits intodevelopfrom
fix/icp-query-verification
Draft

fix: disable ICP query signature verification to resolve TrustError#3398
bernd2022 wants to merge 2 commits intodevelopfrom
fix/icp-query-verification

Conversation

@bernd2022
Copy link
Collaborator

@bernd2022 bernd2022 commented Mar 12, 2026

Summary

  • Disables verifyQuerySignatures in the ICP HttpAgent to fix persistent TrustError: Query response did not contain any node signatures on production (Azure)
  • The @dfinity/agent v3.4.3 fetchSubnetKeys() call fails consistently on Azure, blocking all ICP query operations
  • Update calls (transfers) are unaffected as they use consensus verification

Root Cause

The HttpAgent.query() method calls fetchSubnetKeys() via read_state to verify node signatures. On Azure, this returns empty subnet data, causing every ICP query to fail — balances, tx confirmations, and payment link balances.

Impact

All ICP operations were broken on production:

  • BlockchainAdapter.updateBalancesFor (balance updates every ~30s)
  • PayInService.checkInputConfirmations (tx completion for block 34726178)
  • PaymentBalanceService.getPaymentBalances (payment link balances)

Test plan

  • TypeCheck passes
  • Build succeeds
  • Verified locally: ICP balance query, ckUSDT balance query, query_blocks (block height) all work with the fix
  • Deploy to production and verify no more TrustError in Application Insights

@bernd2022
fix: disable ICP query signature verification to resolve TrustError
3c42159 
The @dfinity/agent v3.4.3 fails on Azure with "Query response did not
contain any node signatures" because fetchSubnetKeys returns empty
responses from IC boundary nodes. This blocks all ICP operations
(balances, tx confirmations, payment links).

Setting verifyQuerySignatures: false skips the subnet key verification
for query calls while update calls (transfers) remain unaffected as
they use consensus verification.
@bernd2022
fix: harden ICP HttpAgent against query verification and expiry failures
8f3e238 
The @dfinity/agent v3.4.3 on Azure fails with "TrustError: Query
response did not contain any node signatures". The fetchSubnetKeys()
read_state call is rejected with "Invalid request expiry", preventing
all ICP query operations (balances, tx confirmations, payment links).

- verifyQuerySignatures: false skips the failing fetchSubnetKeys()
  call entirely. Only affects query (read) calls; update calls
  (transfers) remain consensus-verified.
- shouldSyncTime: true lets the agent sync its internal clock with
  the IC network to prevent ingress expiry rejections.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@davidleomay davidleomay Awaiting requested review from davidleomay davidleomay will be requested when the pull request is marked ready for review davidleomay is a code owner

@TaprootFreak TaprootFreak Awaiting requested review from TaprootFreak TaprootFreak will be requested when the pull request is marked ready for review TaprootFreak is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@bernd2022