feat(signing-and-verifying): creating go sample A2A 1.0.3 #628

Open
Iwaniukooo11 wants to merge 2 commits into a2aproject:main from Iwaniukooo11:mateusziwaniuk/signing-and-verifying-go-feat
@Iwaniukooo11

This PR introduces an Agent Card Signing + Verification sample in Go under samples/go/agents/signing-and-verifying.

It is designed as a modern, 1-to-1 Go equivalent of samples/python/agents/signing-and-verifying, adhering strictly to the A2A v1.0.3 specification.

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request introduces a new Go sample agent demonstrating the signing and verification of AgentCards using JWS. Feedback on the changes focuses on improving the security and robustness of the implementation. Specifically, the reviewer suggests strictly adhering to RFC 8785 (JCS) for JSON canonicalization using the jcs package, disabling standard JWT claims validation when parsing the JWS payload, and using a custom http.Client with a configured timeout to avoid hanging requests and mitigate potential SSRF vulnerabilities.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread samples/go/agents/signing_and_verifying/signing.go
Comment on lines +66 to +82
func canonicalizeAgentCard(card *a2a.AgentCard) ([]byte, error) {
data, err := json.Marshal(card)
if err != nil {
return nil, err
}
var raw map[string]any
if err := json.Unmarshal(data, &raw); err != nil {
return nil, err
}
delete(raw, "signatures")

cleaned := cleanEmpty(raw)
if cleaned == nil {
return []byte("{}"), nil
}
return json.Marshal(cleaned)
}
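Review bot: the json.Unmarshal into map[string]any (the `var raw` step) decodes every JSON number as float64, so an integer field above 2^53 is re-marshalled with a different value than the card carries, and a verifier that keeps the exact integer would compute different bytes and reject the signature. Decoding through a json.Decoder with UseNumber() set keeps the original digits. Separately, cleanEmpty(raw) decides what ends up signed, so a doc comment on canonicalizeAgentCard stating which values it drops would let a verifier written against another SDK reproduce the same bytes.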

medium

While json.Marshal in Go sorts map keys alphabetically, it does not strictly adhere to the JSON Canonicalization Scheme (JCS) specified in RFC 8785 (e.g., handling of numbers, whitespace, and escaping). Since github.com/gowebpki/jcs is already a dependency in go.mod, you should use jcs.Format to ensure strict compliance with RFC 8785.

func canonicalizeAgentCard(card *a2a.AgentCard) ([]byte, error) {
	data, err := json.Marshal(card)
	if err != nil {
		return nil, err
	}
	var raw map[string]any
	if err := json.Unmarshal(data, &raw); err != nil {
		return nil, err
	}
	delete(raw, "signatures")

	cleaned := cleanEmpty(raw)
	if cleaned == nil {
		return jcs.Format([]byte("{}"))
	}
	cleanedBytes, err := json.Marshal(cleaned)
	if err != nil {
		return nil, err
	}
	return jcs.Format(cleanedBytes)
}
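
An added example (not code from this PR or from the A2A project) showing, with the standard library only, two places where the bytes from json.Marshal differ from what RFC 8785 requires: the escaping the comment above mentions, and property ordering, which RFC 8785 defines over UTF-16 code units while Go sorts map keys by bytes. The names sampleCard, encode and jcsKeyOrder and the sample values are assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"sort"
	"unicode/utf16"
)

// Constructed sample (not from the PR): keys chosen so UTF-8 and UTF-16 order disagree.
var sampleCard = map[string]any{
	"description": "Signs <cards> & verifies",
	"\uFB33":      "a",
	"\U0001F600":  "b",
}

// encode serializes v with encoding/json. escapeHTML=true matches json.Marshal;
// false keeps <, > and & literal. Either way, keys come out in Go's byte order.
func encode(v any, escapeHTML bool) (string, error) {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(escapeHTML)
	err := enc.Encode(v)
	return string(bytes.TrimSpace(buf.Bytes())), err
}

// jcsKeyOrder sorts property names by UTF-16 code units (RFC 8785, 3.2.3).
func jcsKeyOrder(m map[string]any) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Slice(keys, func(i, j int) bool {
		a, b := utf16.Encode([]rune(keys[i])), utf16.Encode([]rune(keys[j]))
		for n := 0; n < len(a) && n < len(b); n++ {
			if a[n] != b[n] {
				return a[n] < b[n]
			}
		}
		return len(a) < len(b)
	})
	return keys
}

func main() {
	withEsc, _ := encode(sampleCard, true)
	fmt.Printf("%s\n%q\n", withEsc, jcsKeyOrder(sampleCard))
}
```

A signer and a verifier that both use json.Marshal agree with each other on such a card; the mismatch only appears against a verifier that canonicalizes strictly per RFC 8785.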

Comment thread samples/go/agents/signing_and_verifying/signing.go
Comment thread samples/go/agents/signing_and_verifying/test_client.go
Comment thread samples/go/agents/signing_and_verifying/test_client.go
Iwaniukooo11 force-pushed the mateusziwaniuk/signing-and-verifying-go-feat branch from 6789809 to 538d005 on June 30, 2026 13:32