Key set is not empty
The keys array must contain at least one key.
What this check verifies
This check runs after the body has parsed and the checker has confirmed there is a keys array. It confirms that array contains at least one key. An empty array fails:
{ "keys": [] }
A directory with one or more keys passes:
{ "keys": [ { "kty": "OKP", "crv": "Ed25519", "x": "...", "kid": "..." } ] }
Why it matters
The directory exists so a verifier can find a public key to check your signatures against. An empty key set offers nothing to match, so no signature can ever verify against it. A directory with no keys is not a usable directory, even though it is valid JSON in the right shape.
For that reason the checker treats an empty key set as NOT FOUND rather than assigning a low grade, the same way it treats a missing keys array or an unreachable endpoint. There is no key material to grade.
This usually means a build or deployment step emitted the wrapper but never wrote the keys into it.
How to fix it
- Publish at least one key in the keys array.
- Confirm your build step that assembles the directory actually inserts the key, rather than serving an empty template.
- If you rotate keys, make sure the new key is added before the old one is removed, so the set is never momentarily empty.
The common cause is a generated directory where the key-population step failed or ran against an empty source, leaving the { "keys": [] } skeleton in place. After the fix, the array should hold each published key.
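The fix steps above can be enforced in the build itself. The following is an added example, not the checker's own code: a pre-publish gate that applies the same order of tests this page describes (body parses, keys array present, at least one key) and a rotation helper that adds the new key before removing the old one. The function names, the script name and the sample kid and x values are assumptions made for illustration.

```python
import json
import sys


def check_directory(body):
    """Return (ok, reason) for a directory body, in the order the page describes."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return False, "body is not valid JSON: " + exc.msg
    if not isinstance(doc, dict) or not isinstance(doc.get("keys"), list):
        return False, "no keys array"
    if not doc["keys"]:
        return False, "keys array is empty"
    return True, "%d key(s) published" % len(doc["keys"])


def rotation_steps(current_keys, new_key, retire_kid):
    """Directory bodies to publish in order: add the new key, then drop the old one."""
    with_both = current_keys + [new_key]
    after = [k for k in with_both if k.get("kid") != retire_kid]
    steps = [{"keys": with_both}, {"keys": after}]
    for step in steps:
        ok, reason = check_directory(json.dumps(step))
        if not ok:
            raise ValueError("rotation would publish a bad directory: " + reason)
    return steps


# Constructed sample keys; the "x" and "kid" values are placeholders, not real key material.
OLD = {"kty": "OKP", "crv": "Ed25519", "x": "PLACEHOLDER_OLD_X", "kid": "old-key"}
NEW = {"kty": "OKP", "crv": "Ed25519", "x": "PLACEHOLDER_NEW_X", "kid": "new-key"}

if __name__ == "__main__":
    # Hypothetical build usage: python check_directory.py path/to/directory.json
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            ok, reason = check_directory(fh.read())
        print(reason)
        sys.exit(0 if ok else 1)
    print(check_directory('{ "keys": [] }'))
    for step in rotation_steps([OLD], NEW, "old-key"):
        print([k["kid"] for k in step["keys"]])
```

Run as a build step with the generated file as its argument, the non-zero exit stops a deploy that would serve the empty skeleton.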
References
- RFC 7517 defines the keys member of a JSON Web Key Set.
- The web-bot-auth directory draft (draft-meunier-http-message-signatures-directory) requires the directory to publish the agent’s keys.
- How grading works explains why an empty key set is treated as NOT FOUND.
How the checker scores this
- Tier: JWKS directory
- Role: Authoritative. Failing this can lower the grade ceiling or change the verdict.
- Verdict effect: Failing makes the verdict NOT FOUND.
- Point deduction: A failure deducts 25 points; a warning deducts 6.