Block Committed Even After Endorsement Policy Failure In Hyperledger Fabric v1.4

Question

I have set my endorsement policy as "AND ('Org1MSP.peer','OrgMainMSP.peer')" that means I need certificates of both the organizations to perform transactions successfully.

Transaction Performed as below:

peer chaincode invoke -o orderer0.org.com:7050 --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/org.com/orderers/orderer0.org.com/msp/tlscacerts/tlsca.org.com-cert.pem -n accessControl --peerAddresses peer0.org-main.com:7051 --tlsRootCertFiles /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org-main.com/peers/peer0.org-main.com/tls/ca.crt --peerAddresses peer0.org1.com:10051 --tlsRootCertFiles /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.com/peers/peer0.org1.com/tls/ca.crt -c '{"Args":[]}'

It worked all fine. Successfully committed a new block and can be seen on the couchdb as well. But when I send the transaction removing one of the certificate as can be seen below:

"peer chaincode invoke -o orderer0.org.com:7050 --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/org.com/orderers/orderer0.org.com/msp/tlscacerts/tlsca.org.com-cert.pem -n accessControl --peerAddresses peer0.org-main.com:7051 --tlsRootCertFiles /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org-main.com/peers/peer0.org-main.com/tls/ca.crt -c '{"Args":[]}' "

New block is committed with a transaction but marked as invalid by the committer with following error message on the logs

peer0.org-main.com | 2020-03-20 07:59:30.868 UTC [vscc] Validate -> ERRO 094 VSCC error: stateBasedValidator.Validate failed, err validation of endorsement policy for chaincode accessControl in tx 7:0 failed: signature set did not satisfy policy

peer0.org-main.com | 2020-03-20 07:59:30.868 UTC [valimpl] preprocessProtoBlock -> WARN 097 Channel [myc]: Block [7] Transaction index [0] TxId [01246b27c11f94124aee3c4ac84a011be51a26aaa50fc28f1d6f5f5a8860c079] marked as invalid by committer. Reason code [ENDORSEMENT_POLICY_FAILURE]

peer0.org-main.com | 2020-03-20 07:59:31.156 UTC [kvledger] CommitWithPvtData -> INFO 098 [myc] Committed block [7] with 1 transaction(s) in 287ms (state_validation=0ms block_and_pvtdata_commit=220ms state_commit=17ms) commitHash=[9d52225ddbc8f6f98edd37388cbcf369fea22666b9ec1cff1a91debdebc2d2a1]

And when I again submit the transaction passing both the certificates, It throws an error as

Error: could not assemble transaction: ProposalResponsePayloads do not match - proposal response: version:1 response status:200 payload:... >

The problem here is that if I mistakenly call invoke function passing only one certificate of an organization (endorsement policy failure) then I am not able to further transactions.

Answer 1

1. Transaction signed according the endorsement policy.

That's OK. Block committed and state updated.

2. Transaction signatures do not match the endorsement policy.

That's OK. Your client better doesn't try to commit that transaction, but if it does, a new block is committed with an invalid transaction and state is not updated.

3. ProposalResponsePayloads do not match.

Now the problem is different. I don't think it has relationship with previous transaction. The signatures are the expected ones, but you are composing a transaction with 2 transaction proposals that do not match. Their response or writeset is not the same. Be sure that you are not using external calls, random numbers, timestamps (other than the ones for the transaction or block) or similar values in your chaincode that might not match in both endorsements. Of course, transaction is invalidated, but a new block is committed.