# OL-4254 — Update signature verify failed (minisign)
> The staging binary's minisign signature did not verify against any
> trusted public key. **This is a security signal.** The apply pipeline
> aborted before the swap; the running binary is unchanged.
## When this fires
- The release artefact was signed with a key not in `signing/openlatch-provider.pub`.
- The tarball was tampered with after signing.
- `parse_trusted_keys` returned an empty list (release `.pub` file was
empty — never expected in shipped binaries).
## How to fix it
1. **Don't bypass.** This error is what the auto-update trust boundary
is designed to surface. Treat a recurring `OL-4254` as a security
incident.
2. Confirm you're running an official build:
`openlatch-provider --version` and compare against
https://github.com/OpenLatch/openlatch-provider/releases.
3. If you're a maintainer mid-rotation, ensure the new public key is
committed to `signing/openlatch-provider.pub` before publishing.
See `signing/README.md`.
## Related
- `.claude/rules/auto-update.md` — Trust boundary section.
- `signing/README.md` — rotation procedure (dual-sign window).
- Telemetry event: `update_signature_failed`.