1

I have a little network up in Hyperledger Fabric 1.4 which is very similar to the basic-network from the examples. It has:

  • One orderer organization with orderer peer
  • One Hospital organization with two peers
  • A single channel on which the peers of the hospital are

I tried to write a very simple demo smart contract/chaincode and have it invoked. (The smart contract is called bananascc)

Running from the docker container cli /bin/bash associated to a peer0.hospital1.health.com peer, I successfully install and instantiate:

peer chaincode install -n bananascc -v 1.0 -l node -p /opt/gopath/src/github.com/chaincode/chaincode_bananas/node

peer chaincode instantiate -o orderer.health.com:7050 --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/health.com/orderers/orderer.health.com/msp/tlscacerts/tlsca.health.com-cert.pem -C hospital1channel -n bananascc -l node -v 1.0 -c '{"Args":["init","edo","100"]}' -P "OR ('Hospital1MSP.admin', 'Hospital1MSP.peer' )"

With policy -P "OR ('Hospital1MSP.admin', 'Hospital1MSP.peer' )"

But when I try to invoke the chaincode, the transaction is sent successfully but the operation is not executed, as I get a

peer0.hospital1.health.com    | 2019-03-06 10:36:44.525 UTC [vscc] Validate -> ERRO 07e VSCC error: stateBasedValidator.Validate failed, err validation of endorsement policy for chaincode bananascc in tx 6:0 failed: signature set did not satisfy policy

peer0.hospital1.health.com    | 2019-03-06 10:36:44.525 UTC [committer.txvalidator] validateTx -> ERRO 07f VSCCValidateTx for transaction txId = d6726e0b2daf11d0e3ef24e86fa0e7a5530f2d98dcc4ad1f0d266ca642be1ee3 returned error: validation of endorsement policy for chaincode bananascc in tx 6:0 failed: signature set did not satisfy policy

I reckon that the transaction has to be evaluated against a valid signature set, but I can't understand where I can specify this, or why it should be wrong according to VSCC.

I'd be very happy if anyone could help me figure it out. I have already looked broadly for an answer, which I haven't found.

Let me know if you need other information on the issue.

Thank you very much.

  • I also tried different policies like "AND/OR ( .peer, .admin)", "AND (.admin)", "AND (.peer, .peer)", "AND (.peer)" and none worked. But I did succeed in running everything with policies "AND (.member)" and "OR (.member)". Am I missing something about specifying members, peers, admins? – Luca Morgese Mar 07 '19 at 13:25
  • And also AND (.member, .member) fails – Luca Morgese Mar 07 '19 at 13:29

2 Answers

0

The problem is probably caused by the order of instantiating the policies.

Can you simply swap the declaration to:

peer chaincode instantiate -o orderer.health.com:7050 --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/health.com/orderers/orderer.health.com/msp/tlscacerts/tlsca.health.com-cert.pem -C hospital1channel -n bananascc -l node -v 1.0 -c '{"Args":["init","edo","100"]}' -P "OR ('Hospital1MSP.peer','Hospital1MSP.admin')"

To avoid this pitfall, identities should be specified from most privileged to least privileged in the policy identities specification, and signatures should be ordered from least privileged to most privileged in the signature set.

Read here: https://hyperledger-fabric.readthedocs.io/en/release-1.4/policies.html

kajuken
  • Hello kajuken, thank you for your time in answering my question. I did try to switch peer and admin when instantiating the chaincode, but the result is the same. I specified a policy -P "OR ('Hospital1MSP.peer','Hospital1MSP.admin')" But it ends again in invoking the chaincode but not executing the operations because "Signature set does not satisfy policy" – Luca Morgese Mar 07 '19 at 12:59
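
A simplified model of how a signature policy consumes endorsements, added here as an illustration; it is not code from either answer or from Fabric itself. It assumes the invoke collected a single endorsement and that the MSP classifies the endorsing peer's certificate as `member` only (in Fabric 1.4 the `peer` role is recognised only when NodeOUs identity classification is enabled in the MSP configuration); `Endorsement`, `signed_by`, `n_out_of` and `evaluate` are hypothetical names.

```python
# Simplified model of Fabric 1.4 signature-policy evaluation (added example, not Fabric code).
from dataclasses import dataclass

@dataclass(frozen=True)
class Endorsement:
    msp_id: str
    roles: frozenset  # roles the MSP attributes to the signer (assumed, see lead-in)

def signed_by(principal):
    """Leaf rule: satisfied by the first unused endorsement that matches 'MSP.role'."""
    msp_id, role = principal.split(".")
    def check(endorsements, used):
        for i, e in enumerate(endorsements):
            if not used[i] and e.msp_id == msp_id and role in e.roles:
                used[i] = True  # a signature is consumed by the first principal it matches
                return True
        return False
    return check

def n_out_of(n, rules):
    """At least n sub-rules must hold, each on signatures not already consumed."""
    def check(endorsements, used):
        satisfied = 0
        for rule in rules:
            trial = list(used)
            if rule(endorsements, trial):
                satisfied += 1
                used[:] = trial  # keep consumption only for sub-rules that passed
        return satisfied >= n
    return check

def OR(*principals):
    return n_out_of(1, [signed_by(p) for p in principals])

def AND(*principals):
    return n_out_of(len(principals), [signed_by(p) for p in principals])

def evaluate(policy, endorsements):
    return policy(endorsements, [False] * len(endorsements))

# Constructed signers: an endorsing peer seen only as 'member', and an org admin.
PEER0 = Endorsement("Hospital1MSP", frozenset({"member"}))
PEER1 = Endorsement("Hospital1MSP", frozenset({"member"}))
ADMIN = Endorsement("Hospital1MSP", frozenset({"member", "admin"}))

if __name__ == "__main__":
    print(evaluate(OR("Hospital1MSP.admin", "Hospital1MSP.peer"), [PEER0]))
    print(evaluate(AND("Hospital1MSP.member", "Hospital1MSP.member"), [PEER0]))
    print(evaluate(AND("Hospital1MSP.member", "Hospital1MSP.admin"), [ADMIN, PEER0]))
```

Under those assumptions the model gives the results reported in the question's comments: the `.admin`/`.peer` policies and `AND(.member, .member)` are rejected, while `AND(.member)` and `OR(.member)` pass. The last call shows the ordering pitfall quoted in the first answer, where the admin's signature is consumed by the `member` principal and nothing is left to satisfy `admin`.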
0

If there is only one organization, the need for a policy does not make sense (it is only used between organizations), so I removed it and it worked!

My code line:

peer chaincode instantiate -o orderer.orgX.com:7050 --tls $CORE_PEER_TLS_ENABLED --cafile $ORDERER_CA -C $CHANNEL_NAME -n mycc -l ${LANGUAGE} -v 1.0 -c '{"Args":["init","a","100","b","200"]}'  >&log.txt
dome