feat(signing-and-verifying): creating go sample A2A 1.0.3#628
feat(signing-and-verifying): creating go sample A2A 1.0.3#628Iwaniukooo11 wants to merge 2 commits into
Conversation
There was a problem hiding this comment.
Code Review
This pull request introduces a new Go sample agent demonstrating the signing and verification of AgentCards using JWS. Feedback on the changes focuses on improving the security and robustness of the implementation. Specifically, the reviewer suggests strictly adhering to RFC 8785 (JCS) for JSON canonicalization using the jcs package, disabling standard JWT claims validation when parsing the JWS payload, and using a custom http.Client with a configured timeout to avoid hanging requests and mitigate potential SSRF vulnerabilities.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| func canonicalizeAgentCard(card *a2a.AgentCard) ([]byte, error) { | ||
| data, err := json.Marshal(card) | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
| var raw map[string]any | ||
| if err := json.Unmarshal(data, &raw); err != nil { | ||
| return nil, err | ||
| } | ||
| delete(raw, "signatures") | ||
|
|
||
| cleaned := cleanEmpty(raw) | ||
| if cleaned == nil { | ||
| return []byte("{}"), nil | ||
| } | ||
| return json.Marshal(cleaned) | ||
| } |
There was a problem hiding this comment.
While json.Marshal in Go sorts map keys alphabetically, it does not strictly adhere to the JSON Canonicalization Scheme (JCS) specified in RFC 8785 (e.g., handling of numbers, whitespace, and escaping). Since github.com/gowebpki/jcs is already a dependency in go.mod, you should use jcs.Format to ensure strict compliance with RFC 8785.
func canonicalizeAgentCard(card *a2a.AgentCard) ([]byte, error) {
data, err := json.Marshal(card)
if err != nil {
return nil, err
}
var raw map[string]any
if err := json.Unmarshal(data, &raw); err != nil {
return nil, err
}
delete(raw, "signatures")
cleaned := cleanEmpty(raw)
if cleaned == nil {
return jcs.Format([]byte("{}"))
}
cleanedBytes, err := json.Marshal(cleaned)
if err != nil {
return nil, err
}
return jcs.Format(cleanedBytes)
}6789809 to
538d005
Compare
This PR introduces a n Agent Card Signing + Verification sample in Go under samples/go/agents/signing-and-verifying
It is designed as a modern, 1-to-1 Go equivalent of samples/python/agents/signing-and-verifying, adhering strictly to the A2A v1.0.3 specification