From 4784010702bd784a7db79901cf37f7830d9c2e68 Mon Sep 17 00:00:00 2001
From: timedout
Date: Thu, 21 May 2026 19:14:51 +0100
Subject: [PATCH] fix: Ensure policy server signed with the correct key

---
 src/service/rooms/event_handler/policy_server.rs | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/service/rooms/event_handler/policy_server.rs b/src/service/rooms/event_handler/policy_server.rs
index 726f54ebb..0cec2d2bf 100644
--- a/src/service/rooms/event_handler/policy_server.rs
+++ b/src/service/rooms/event_handler/policy_server.rs
@@ -180,7 +180,17 @@ pub async fn policy_server_allows_event(
 "Asking policy server to sign event"
 );
 self.fetch_policy_server_signature(pdu, pdu_json, &ps.via, outgoing, room_id, ps_key, 0)
- .await
+ .await?;
+
+ // Verify that the policy server signature was made with the same public key as
+ // is in the state event, not just that it was signed.
+ if verify_policy_signature(&ps.via, ps_key, pdu_json, &room_version_rules.redaction) {
+ Ok(())
+ } else {
+ Err!(BadServerResponse(
+ "Policy server signature was made with a different key to the one advertised"
+ ))
+ }
 }
 
 /// Handles an error returned by the policy server. If the error is one that
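Review bot: The `else` arm reports every `false` from `verify_policy_signature` as "made with a different key" and returns without a log line, so an operator cannot tell a genuine key mismatch from a missing or malformed signature on `pdu_json`. A policy server signing with a key other than the advertised one is worth alerting on, so I would log before returning, for example `warn!(%room_id, via = %ps.via, "policy server signature does not verify against the key in the policy state event");`. That assumes the tracing macros are in scope here, with field formatting adjusted to match the file's other log calls. It is also worth confirming outside this hunk that callers treat this `BadServerResponse` as a rejection of the event, and that the error handler documented just below does not classify it as a policy-server outage that lets the event through. The body of `policy_server_allows_event` starts above the hunk, so whether its other return paths apply the same key check is not visible here.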