Multiple users have reported issues with updating their identity. We were finally able to figure out the reproduction steps.
User clicks the "Create new identity" button. The GUI creates a new identity and the server sends a verification email.
Prior to verifying the identity, the user clicks the "Create new identity" button again. The GUI mistakenly creates another new identity and overwrites the first unverified identity. The server returns a "verification email has already been sent" error.
Now when the user tries to verify the original identity using the link emailed to them, they'll get an invalid signature error because the wrong identity is being used to sign the verification token.
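The steps above can be modelled in a few lines. This is an added example, not the project's code: the server and client objects, every function name, the use of Ed25519, and the guard that stores a new key only after the server accepts it are all assumptions made for illustration.

```javascript
// Added illustration: all names are hypothetical, Ed25519 is an assumed scheme.
const crypto = require("crypto");

// Minimal server model: one pending (unverified) identity per user.
function makeServer() {
  let pending = null; // { publicKey, token }
  return {
    newIdentity(publicKey) {
      if (pending) return { error: "verification email has already been sent" };
      pending = { publicKey, token: crypto.randomBytes(16).toString("hex") };
      return { emailedToken: pending.token }; // stands in for the emailed link
    },
    verify(token, signature) {
      if (!pending || token !== pending.token) return "unknown token";
      const ok = crypto.verify(null, Buffer.from(token), pending.publicKey, signature);
      return ok ? "verified" : "invalid signature";
    },
  };
}

// Client model. commitBeforeReply=true reproduces the reported behaviour:
// the stored key is replaced before the server has accepted the new identity.
function makeClient(server, commitBeforeReply) {
  let stored = null; // key pair persisted by the GUI
  return {
    createNewIdentity() {
      const candidate = crypto.generateKeyPairSync("ed25519");
      if (commitBeforeReply) stored = candidate;
      const reply = server.newIdentity(candidate.publicKey);
      // Guarded variant: keep the candidate only if the server registered it.
      if (!commitBeforeReply && !reply.error) stored = candidate;
      return reply;
    },
    verifyFromEmail(token) {
      const sig = crypto.sign(null, Buffer.from(token), stored.privateKey);
      return server.verify(token, sig);
    },
  };
}

// Runs the reported steps: create, create again before verifying, then verify.
function reproduce(commitBeforeReply) {
  const server = makeServer();
  const client = makeClient(server, commitBeforeReply);
  const first = client.createNewIdentity();
  const second = client.createNewIdentity();
  return { secondError: second.error, result: client.verifyFromEmail(first.emailedToken) };
}

console.log(reproduce(true), reproduce(false));
```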