Fix Pillar payload signature error

gou177 · gou177 · commit 499e47e65ca5 · 2025-05-16T17:18:25.000+05:00
diff --git a/changelog/62318.fixed.md b/changelog/62318.fixed.md
@@ -0,0 +1 @@
+Fixed `Pillar payload signature failed to validate` error on master failover
diff --git a/salt/channel/client.py b/salt/channel/client.py
@@ -218,9 +218,12 @@ def crypted_transfer_decode_dictentry(
 
         # Validate the master's signature.
         if not self.verify_signature(signed_msg["data"], signed_msg["sig"]):
-            raise salt.crypt.AuthenticationError(
-                "Pillar payload signature failed to validate."
-            )
+            # Try to reauth on error
+            yield self.auth.authenticate()
+            if not self.verify_signature(signed_msg["data"], signed_msg["sig"]):
+                raise salt.crypt.AuthenticationError(
+                    "Pillar payload signature failed to validate."
+                )
 
         # Make sure the signed key matches the key we used to decrypt the data.
         data = salt.payload.loads(signed_msg["data"])
diff --git a/tests/pytests/unit/transport/test_zeromq.py b/tests/pytests/unit/transport/test_zeromq.py
@@ -958,6 +958,13 @@ def mocksend(msg, timeout=60, tries=3):
 
     client.transport.send = mocksend
 
+    # Minion should try to authenticate on bad signature
+    @salt.ext.tornado.gen.coroutine
+    def mockauthenticate():
+        pass
+
+    client.auth.authenticate = MagicMock(wraps=mockauthenticate)
+
     # Note the 'ver' value in 'load' does not represent the the 'version' sent
     # in the top level of the transport's message.
     load = {
@@ -977,6 +984,7 @@ def mocksend(msg, timeout=60, tries=3):
             dictkey="pillar",
         )
     assert "Pillar payload signature failed to validate." == excinfo.value.message
+    client.auth.authenticate.assert_called_once()
 
 
 async def test_req_chan_decode_data_dict_entry_v2_bad_key(

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+Fixed `Pillar payload signature failed to validate` error on master failover