Signed install requests from the domain

As I understand, the domain is reserved for internal Atlassian usage and is used for dogfooding sites for Atlassian Cloud. Every day we get requests from this domain to check our lifecycle endpoints. It had worked successfully before for us because requests sent all required data to create/update installs, and we returned the status 200 from our lifecycle endpoints.

After migration to signed installs, we continue to get requests but we are not able to create/validate installations because we can’t download the public key for the provided id in a header (‘kid’). When we attempt to download the public key, we get the following error: “The specified key does not exist.” and 404.

Question 1
Is it possible that such requests contain no valid ‘kid’ in headers?

Question 2
Currently, we return errors in lifecycle endpoints (install/uninstall) for requests with domain because we can’t download the public key. What does it mean for you? How can our plugin be affected if we return an error? Should we always return 200 for such test requests?

Hi @ArtemGolubnichenko,

Welcome to Developer Community.

Yes, you are right about the domain, it’s our internal staging system. The keys are available to us on our internal staging key server, so they are valid, but only for us.

As for returning HTTP 200 for these requests, which apps and app keys are they for? I can ask around and find out what we’re expecting.



Do you expect us to accept “installed” requests for domains? We reject them now. Is rejecting the right thing to do?

/cc @ArtemGolubnichenko

Hi @sergei,

I don’t have a complete answer, but I think for now rejecting them is fine. As they’re internal I’d be surprised if they even worked as you won’t have access to the internal systems we’d expect the app to work with.
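
The following is an added illustration, not part of the thread and not Atlassian's code: a fail-closed check for a signed lifecycle request, covering the case discussed above where the public key for the `kid` header cannot be found. The in-memory `fetchPublicKey` (standing in for the HTTP key download), the UUID shape assumed for `kid`, the `aud`/`exp` checks, and all keys and values are assumptions constructed for the example.

```javascript
const crypto = require('node:crypto');

// Constructed test material: a throwaway RSA key pair standing in for the issuer's key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const KNOWN_KID = '0e50fccb-239d-4991-a5db-dc850ba3f236'; // constructed value
const keyStore = new Map([[KNOWN_KID, publicKey.export({ type: 'spki', format: 'pem' })]]);

// Hypothetical stand-in for the public key download; null models the 404 response.
const fetchPublicKey = (kid) => keyStore.get(kid) ?? null;

const b64url = (v) => Buffer.from(v).toString('base64url');

// Builds an RS256 JWT so the example has something to verify (demo only).
function signJwt(kid, claims, key = privateKey) {
  const head = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT', kid }));
  const input = `${head}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${crypto.sign('RSA-SHA256', Buffer.from(input), key).toString('base64url')}`;
}

const deny = (reason) => ({ status: 401, reason });

// Returns the status a lifecycle endpoint would send; every error path rejects.
function verifyInstallJwt(token, expectedAud, fetchKey, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return deny('malformed token');
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url'));
    claims = JSON.parse(Buffer.from(parts[1], 'base64url'));
  } catch {
    return deny('malformed token');
  }
  if (header?.alg !== 'RS256') return deny('unexpected alg');
  // kid comes from the untrusted request and would be placed in a URL path: allow a UUID shape only.
  if (!/^[0-9a-f-]{36}$/i.test(String(header.kid))) return deny('invalid kid');
  const pem = fetchKey(header.kid);
  if (!pem) return deny('unknown kid'); // key not found: reject, never fall back to 200
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  const ok = crypto.verify('RSA-SHA256', signed, pem, Buffer.from(parts[2], 'base64url'));
  if (!ok) return deny('bad signature');
  if (typeof claims?.exp !== 'number' || claims.exp <= now) return deny('expired');
  if (claims.aud !== expectedAud) return deny('wrong audience');
  return { status: 200, reason: 'ok' };
}
```

Logging the `reason` together with the requesting host makes it easy to tell recurring unknown-key requests apart from signature failures on known keys.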