A fix

keyserver/internal/cross_signing.go

@@ -120,24 +120,17 @@ func (a *KeyInternalAPI) PerformUploadDeviceKeys(ctx context.Context, req *api.P
 	}
 	for purpose, key := range toVerify {
 		// Collect together the key IDs we need to verify with. This will include
-		// all of the key IDs specified in the signatures. If the key purpose is
+		// all of the key IDs specified in the signatures. We don't do this for
-		// NOT the master key then we also need to include the master key ID here
+		// the master key because we have no means to verify the signatures - we
-		// as we won't accept a self-signing key or a user-signing key without it.
+		// instead just need to store them.
-		checkKeyIDs := make([]gomatrixserverlib.KeyID, 0, len(key.Signatures)+1)
 		if purpose != gomatrixserverlib.CrossSigningKeyPurposeMaster {
+			checkKeyIDs := make([]gomatrixserverlib.KeyID, 0, len(key.Signatures)+1)
 			for keyID := range key.Signatures[req.UserID] {
 				checkKeyIDs = append(checkKeyIDs, keyID)
 			}
 			if _, ok := key.Signatures[req.UserID][masterKeyID]; !ok {
 				checkKeyIDs = append(checkKeyIDs, masterKeyID)
 			}
-		}
-
-		// If there are no key IDs to check then there's no point marshalling
-		// the JSON.
-		if len(checkKeyIDs) == 0 && purpose == gomatrixserverlib.CrossSigningKeyPurposeMaster {
-			continue
-		}
 
 			// Marshal the specific key back into JSON so that we can verify the
 			// signature of it.
@@ -160,6 +153,7 @@ func (a *KeyInternalAPI) PerformUploadDeviceKeys(ctx context.Context, req *api.P
 					return
 				}
 			}
+		}
 
 		// If we've reached this point then all the signatures are valid so
 		// add the key to the list of keys to store.