JMO
JMO

Reputation: 103

peer chaincode instantiate - instantiation policy violation: signature set did not satisfy policy

I am using Hyperledger Fabric v1.2. I am trying to instantiate chaincode on a single peer and I just have one org and an orderer org specified on my configtx.yaml for my network. I haven't made any changes to the ACL in my configtx.yaml so its what is set to by default.

When I run this command:

./peer chaincode instantiate -o orderer1.example.com:7050  -C devchannel -n jmo01 -v 1.0 -c '{"Args":["init","a", "100", "b","200"]}' -P "OR ('SampleOrgMSP.member')" --cafile /etc/hyperledger/fabric/msp/peer1/msp/cacerts/cert.pem

It throws the following error in the peer:

Error: could not assemble transaction, err Proposal response was not successful, error code 500, msg instantiation policy violation: signature set did not satisfy policy

Profiles in configtx.yaml:

Profiles:
    # SampleDevModeKafka defines a configuration that differs from the
    # SampleDevModeSolo one only in that it uses the Kafka-based orderer.
    SampleOrgGenesis:
        <<: *ChannelDefaults
        Orderer:
            <<: *OrdererDefaults
            OrdererType: kafka
            Organizations:
                - <<: *SampleOrg
                  Policies:
                      <<: *SampleOrgPolicies
                      Admins:
                          Type: Signature
                          Rule: "OR('SampleOrgMSP.member')"
        Consortiums:
            SampleConsortium:
                Organizations:
                    - <<: *SampleOrg
                      Policies:
                          <<: *SampleOrgPolicies
                          Admins:
                              Type: Signature
                              Rule: "OR('SampleOrgMSP.member')"

    MyChannel:
        Consortium: SampleConsortium
        Application:
            <<: *ApplicationDefaults
            Organizations:
                - *SampleOrg

Organizations section at the top of configtx.yaml:

Organizations:
    - &SampleOrdererOrg
        Name: SampleOrdererOrg
        ID: SampleOrdererOrgMSP
        MSPDir: /etc/hyperledger/msp/orderer1/msp
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('SampleOrdererOrgMSP.member')"
            Writers:
                Type: Signature
                Rule: "OR('SampleOrdererOrgMSP.member')"
            Admins:
                Type: Signature
                Rule: "OR('SampleOrdererOrgMSP.admin')"
            BlockValidation:
                Type: Signature
                Rule: "OR('SampleOrdererOrgMSP.member')"
    - &SampleOrg
        Name: SampleOrgMSP
        ID: SampleOrgMSP

        # MSPDir is the filesystem path which contains the MSP configuration.
        MSPDir: /etc/hyperledger/org/msp
        Policies: &SampleOrgPolicies
            Readers:
                Type: Signature
                Rule: "OR('SampleOrgMSP.member')"
            Writers:
                Type: Signature
                Rule: "OR('SampleOrgMSP.member')"
            Admins:
                Type: Signature
                Rule: "OR('SampleOrgMSP.admin')"
        AnchorPeers:
            - Host: peer1.example.com
              Port: 7051
            - Host: peer2.example.com
              Port: 7051
            - Host: peer3.example.com
              Port: 7051

I'm thinking it has something to do with how I'm making the instantiation command and maybe I don't have the policy correctly set. One of the policies is requiring a certain type of org user to complete the instantiation but I'm not sure which one it is where its member or admin and then what org msp should I be specifying.

Upvotes: 1

Views: 2022

Answers (1)

Gari Singh
Gari Singh

Reputation: 12053

The instantiate request must be signed by an admin for the organization. From the config above, you'd need to sign with the private key corresponding to the admin public key in /etc/hyperledger/org/msp (the MSPDir property of SampleOrg in your config above).

When running the peer in CLI mode, you need to make sure you set two key properties. We'll use environment variables to make it easier:

CORE_PEER_LOCALMSPID - this MSP ID for your organization. In your case, looks like it would be SampleOrgMSP.

CORE_PEER_MSPCONFIGPATH - this is the directory containing the identity which will be used to sign transactions. The directory will contain use the X509 MSP structure:

admincerts
cacerts
keystore
signcerts

Since you are acting as a client, keystore and signcerts are the most important. keystore contains the private key and signcerts contains the corresponding public key. The public key in signcerts should match the public key in admincerts in /etc/hyperledger/org/msp (the MSP info for the org in the channel definition.

Upvotes: 4

Related Questions