[BUG] Event signature check failing on master 3006.13 LTS with minion version 3006.13 LTS #68181

@raul-i684

Description
"Failed to verify event signature from minion minion_name" in /var/log/salt/master

Setup
Debian 11.11 both on master and minion
Salt 3006.13 LTS both on minion and master

  • on minion: salt-common salt-minion deb packages
  • on master: salt-common salt-master deb packages

Master conf:

drop_messages_signature_fail: True
log_level: info
master_sign_pubkey: True

Minion conf:

master: ip_address_of_master
minion_sign_messages: True
verify_master_pubkey_sign: True
always_verify_signature: True

Please be as specific as possible and give set-up details.

  • on-prem machine
  • VM (Virtualbox, KVM, etc. please specify). Both running as VMs in VirtualBox
  • VM running on a cloud service, please be explicit and add details
  • container (Kubernetes, Docker, containerd, etc. please specify)
  • or a combination, please be explicit
  • jails if it is FreeBSD
  • classic packaging
  • onedir packaging
  • used bootstrap to install

Steps to Reproduce the behavior

  1. Setup minion and master.
  2. Remove default config files
  3. Use the configurations listed above
  4. copy master:/etc/salt/master/master_sign.pub to minion:/etc/salt/minion/master_sign.pub
  5. restart minion
  6. accept minion key on master
  7. issue salt minion test.ping
  8. Observe "Failed to verify event signature from minion minion_name" in /var/log/salt/master

Expected behavior
Master verifies that event came from the correct minion by checking that event is signed with minion's private key.

Screenshots
N/A

Versions Report

salt --versions-report (Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)
Salt Version:
          Salt: 3006.13
 
Python Version:
        Python: 3.10.17 (main, Jun  9 2025, 20:41:48) [GCC 11.2.0]
 
Dependency Versions:
          cffi: 1.14.6
      cherrypy: unknown
  cryptography: 42.0.5
      dateutil: 2.8.1
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 3.1.6
       libgit2: Not Installed
  looseversion: 1.0.2
      M2Crypto: Not Installed
          Mako: Not Installed
       msgpack: 1.0.2
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     packaging: 22.0
     pycparser: 2.21
      pycrypto: Not Installed
  pycryptodome: 3.19.1
        pygit2: Not Installed
  python-gnupg: 0.4.8
        PyYAML: 6.0.1
         PyZMQ: 23.2.0
        relenv: 0.19.3
         smmap: Not Installed
       timelib: 0.2.4
       Tornado: 4.5.3
           ZMQ: 4.3.4
 
System Versions:
          dist: debian 11 bullseye
        locale: utf-8
       machine: x86_64
       release: 5.10.0-35-amd64
        system: Linux
       version: Debian GNU/Linux 11 bullseye

Additional context
The problem started to appear with minions 3006.x. Older minion versions continue to work, and signatures are not failing on salt master 3006.13 LTS. Not sure when the bug on the minion side (I assume minion side, because older minions continue to work with event signatures and the master is not complaining) was introduced. In my opinion, having minions sign replies is an essential security feature, because the event signature provides a method for verifying that an event reply came from the correct minion and not some other minion claiming to be the correct minion.
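
A triage aid for the symptom reported above, added here as an example; it is not part of the original issue or of Salt's code. It tallies the "Failed to verify event signature from minion" lines per minion ID so the affected minions can be listed and compared by version. The sample log lines are constructed, and the timestamp/logger layout is an assumption about the master's log format.

```python
import re
from collections import defaultdict

# Message text as quoted in the issue; a trailing period is tolerated.
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\S*\s.*"
    r"Failed to verify event signature from minion (?P<minion>\S+?)\.?\s*$"
)

# Constructed sample lines (assumed layout: timestamp, logger, level, pid, message).
SAMPLE_LOG = """\
2025-07-14 10:12:01,101 [salt.master      :1643][WARNING ][4120] Failed to verify event signature from minion web01.
2025-07-14 10:12:01,340 [salt.master      :1700][INFO    ][4120] Got return from db01 for job 20250714101200123456
2025-07-14 10:12:06,877 [salt.master      :1643][WARNING ][4121] Failed to verify event signature from minion web01.
2025-07-14 10:13:44,002 [salt.master      :1643][WARNING ][4120] Failed to verify event signature from minion cache-02.lab
2025-07-14 10:14:10,550 [salt.master      :1643][WARNING ][4120] Failed to verify event signature from minion web01
"""


def signature_failures(lines):
    """Return {minion_id: {"count", "first", "last"}} for failed signature checks."""
    stats = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in lines:
        m = FAIL_RE.match(line.rstrip("\n"))
        if not m:
            continue  # unrelated log line
        entry = stats[m["minion"]]
        entry["count"] += 1
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
    return dict(stats)


def report(stats):
    """One line per minion, most failures first, ties broken by minion ID."""
    rows = sorted(stats.items(), key=lambda kv: (-kv[1]["count"], kv[0]))
    return [f"{mid}: {s['count']} failed (first {s['first']}, last {s['last']})"
            for mid, s in rows]


if __name__ == "__main__":
    # Real use: pass open("/var/log/salt/master") instead of the sample.
    for row in report(signature_failures(SAMPLE_LOG.splitlines())):
        print(row)
```

With drop_messages_signature_fail: True on the master, each counted line corresponds to a minion message that was dropped, so minions that appear here are the ones whose returns are missing.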

Labels

Bug: broken, incorrect, or confusing behavior
