InvalidUserSignatureError when decrypting with Enoki/zkLogin, but succeeds with Slush #531

@neth99-coder

I have been working on a file storage with zkLogin/Enoki/GoogleAuth/Walrus and I have been trying to encrypt/decrypt files before storing them in Walrus.

Encryption works. I am using the "allowList" access pattern, and everything related to creating lists and adding/removing users works fine.

However, Seal decrypt consistently fails only for zkLogin (Enoki) users with InvalidUserSignatureError across all tested Mysten testnet servers, while the identical code path succeeds with Slush.

Tested servers:

  • seal-key-server-testnet-1 (0x73d05d...) — independent
  • seal-key-server-testnet-2 (0xf5d14a...) — independent
  • seal-aggregator-testnet (0xb01237...) — decentralized committee

What passes in both cases:

  • SessionKey.create()
  • getCertificate()
  • createRequestParams()
  • Local verification via setPersonalMessageSignature()
  • Same PTB shape (txBytesLength: 161)

What fails: server-side decrypt for zkLogin only

Key observable difference:

  • zkLogin certificate signature.length: 1300
  • Slush certificate signature.length: 132

The zkLogin signature is a valid Sui zkLogin signature but significantly larger than a standard wallet signature. The keyserver appears to not support the zkLogin signature format during certificate verification.

Expected: zkLogin users can decrypt on-chain data encrypted with Seal, consistent with Slush users.

Can anyone help me with this issue?
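
A diagnostic for the signature-length difference reported above, added here as an example and not code from the issue author or the Seal project: it reads the leading scheme-flag byte of a base64 serialized Sui signature and reports the scheme and decoded size. The function names and the sample inputs are constructed for illustration (filler bytes sized to match the reported lengths 132 and 1300, not real signatures).

```javascript
// Added example: classify a serialized Sui signature by its scheme flag byte.
// The flag values are Sui's signature-scheme flags; describeSuiSignature,
// constructedSamples and the sample data are hypothetical, made up for this example.
const SUI_SCHEMES = new Map([
  [0x00, { name: "ED25519", pubKeyLen: 32 }],
  [0x01, { name: "Secp256k1", pubKeyLen: 33 }],
  [0x02, { name: "Secp256r1", pubKeyLen: 33 }],
  [0x03, { name: "MultiSig" }],
  [0x05, { name: "ZkLogin" }],
  [0x06, { name: "Passkey" }],
]);

function describeSuiSignature(b64) {
  const bytes = Buffer.from(b64, "base64");
  if (bytes.length === 0) throw new Error("empty or non-base64 signature");
  const flag = bytes[0];
  const scheme = SUI_SCHEMES.get(flag);
  const info = {
    scheme: scheme ? scheme.name : "unknown",
    flag,
    base64Length: b64.length, // what signature.length shows for a base64 string
    byteLength: bytes.length,
  };
  // Simple key-pair schemes have a fixed layout: flag || 64-byte signature || public key.
  if (scheme && scheme.pubKeyLen !== undefined) {
    info.expectedByteLength = 1 + 64 + scheme.pubKeyLen;
    info.wellFormed = bytes.length === info.expectedByteLength;
  }
  return info;
}

// Constructed inputs only: correct flag byte and size, filler content.
function constructedSamples() {
  const wallet = Buffer.alloc(97); // flag 0x00 followed by 96 zero bytes
  const zk = Buffer.alloc(975, 0x01); // 975 bytes encode to 1300 base64 characters
  zk[0] = 0x05;
  return { wallet: wallet.toString("base64"), zkLogin: zk.toString("base64") };
}

const samples = constructedSamples();
console.log(describeSuiSignature(samples.wallet));
console.log(describeSuiSignature(samples.zkLogin));
```

Logging this output for the certificate signature on both the Enoki and Slush paths records which scheme the key server is being asked to verify in each case.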
