We recently had a situation where we added query parameters to an LTI launch URL. Doing so caused our signature verification to fail. It appears that Canvas generates a signature using the only the domain and path and doesn't include the URL query parameters. We're using the IMS-LTI gem which generates the signature using the entire URL including the query parameters. That means that the signatures don't match and the LTI launch fails.
I'm not sure whether the spec requires that the query params be included or not. Just posting here so that others building LTI tools are aware of how the process works in case they run into issues.