The signer still cleared on @SignOfficial . The workflow had already stopped trusting them.
This is where this gets stupid to me.
Not fake issuer. Not bad signature. Not broken schema. Worse, in the boring way these things are usually worse. The signer was still formally there. Still recognized. Still clean in the record. SignScan showed the attestation exactly the way it was supposed to. Sign's Query layer pulled it back cleanly. And by the time somebody downstream used it, the real workflow that once made that signer appropriate had already changed shape somewhere off to the side like that did not matter.
It mattered.
Schema existed. Signer got authorized under it. Attestations started issuing. Alright. That part always looks neat. Somebody has to be allowed to sign the thing or nothing moves. Program launches, partner goes live, vendor handles the first wave, internal ops team keeps approvals moving, whatever the setup was. It worked well enough to get records out.
Then the institution changed the setup.
New vendor. New approval chain. Different scope. Narrower review boundary. Maybe the original issuer was still supposed to finish old cases but not touch new ones. Maybe a second sign-off got added and the old signer technically stayed listed while the actual workflow stopped trusting them the same way. Maybe the team still had authority in one registry and had already lost it everywhere that mattered.
Administrative mess. Favorite kind.
And the Sign ( $SIGN ) record still looked calm.
That is the ugly part.
Authorized issuer. Signed record. Clean trail. Fine. Good even.
Meanwhile the real workflow had already moved on.
The record does not come back saying the workflow already moved on. It just shows what it can show. Authorized issuer. Signed record. Valid attestation. Nice clean trail. Very reassuring if you are a later system looking for an answer and not a person trying to figure out whether the answer still belonged to the workflow you think it did.
Authorized according to which version of the institution.
That question lands late. Always late.
Recorded authority. Current authority. People flatten those into one thing fast the second Sign makes the first one look clean enough.
The original signer was real. The permission was real. The schema relationship was real. Nobody is arguing with history. The problem starts later. Another system reads that old authority like it survived everything. Vendor change. New review chain. Narrower scope. Different approval boundary. It didn’t. Not really.
And humans love moving furniture around... without even updating the parts machines read.
So the attestation on Sign protocol stays clean. The institution gets messy somewhere off to the side.
Maybe the first issuer was a regional ops vendor handling early eligibility. Fine. Then the institution tightens review and says all new approvals need central compliance sign-off before they should count for payout. Great. Better, maybe. But the old signer remains formally recognizable on Sign because nobody closed the loop cleanly. Not fully. Not everywhere. Signer still resolves. Old authority still legible. Downstream system sees recognized issuer under the schema and keeps moving.
Why would it not.
That line again. Why would it not. That is where these systems get people.
The record did not come back saying this signer was only still alive on paper. It just came back clean.
Then money or access or some compliance state moves on top of it and everybody starts talking past each other.
Ops says the issuer was still valid under the schema.
Engineering says the attestation resolves correctly.
Program team says that signer was not supposed to be used for this class of approval anymore.
Compliance says the process changed after phase one.
Treasury says yes, great, and who exactly was supposed to know that from the record they were given.
Good question. Late question, usually.
Where was that encoded. Not in policy notes. In the workflow.
Was the issuer scope narrowed anywhere the claims filter could read. Was the old signer removed from the post-change export. Was the new allowlist actually live in the payout job. Or was everybody still reading the same old issuer table and pretending the memo counted.
That is usually the one.
Shortcut is the word here. Maybe not. Maybe “authority residue” is better. No. Shortcut is uglier.
Because the clean issuer trail looks like the hard part got solved. It did not. The signature still cleared. The institution had already gotten less willing to stand behind what that signer was doing.
Paper authority. Different thing.
And on Sign the old signer does not just linger socially. It still resolves. Still maps back to the schema clean enough. Still gives the next system something machine-readable to trust. Meanwhile the workflow already left.
Which is the ugly trade-off here. You want signer history. You want traceability. You also get old authority surfaces that keep looking safer than the workflow already thinks they are.
Then the old authority starts doing new work.
That is when it gets bad.
Maybe the attestation got used in a later distribution leg the original signer was never supposed to authorize. Maybe a partner integration kept treating the old vendor approvals as current because the signer still came back valid under the schema. Maybe reporting kept counting a whole approval population as if the institutional boundary never moved. Same pattern. Clean issuer trail. Dirty organizational reality. And the later system trusts the clean thing because it is the only thing that looks machine-ready.
Machine-ready is such a lovely phrase for bad surprises.
I have seen enough admin systems to know what usually happened before the mess surfaced. Somebody said the signer would be sunset “soon.” Somebody assumed new cases would naturally stop flowing that way. Somebody thought the schema-level authority and the real approval boundary were close enough for now. Somebody left a permissions cleanup for next sprint because the launch was more urgent and the records still looked fine and, honestly, everyone was tired.
Then the older signer kept showing up in records that still verified perfectly.
And then those records got used.
Not because Sign was wrong. Because the institution changed its mind in pieces and the record only knew about the parts somebody had hardened enough to survive.
That part never really leaves once you see it. A clean issuer trail gets mistaken for current authority because it is easier to trust the thing with signatures and schema references than the thing with memos, changed vendor scopes, awkward calls, and “do not use them for new approvals anymore” floating around in human language nobody translated into a system boundary.
Human language. Great control surface.
Then someone asks why this signer was still treated as good enough for this path.
And every answer comes from an older version of the institution. The payout path had already trusted the wrong one. Whatever.