tests(agent_card): reference canonicalization vectors for CARD-SIGN-001/002 (JCS signing payload)#194
Conversation
…01/002 Standalone RFC 8785 (JCS) canonical signing payload vectors for the CARD-SIGN canonicalization requirements (task-29 coverage gap). Uses pytest.importorskip so it skips where rfc8785 is absent and adds no required dependency, and does not change the NOT_AUTOMATABLE status. cardsign-canon-001 matches the spec section 8.4.1 worked example.
There was a problem hiding this comment.
Code Review
This pull request introduces reference canonicalization vectors and a corresponding test suite for A2A AgentCard signing (CARD-SIGN-001, CARD-SIGN-002). It adds a JSON file containing test cases and a Python test file using pytest and RFC 8785 (JCS) to verify that the canonical signing payload is correctly generated by excluding the signatures field. There are no review comments, so I have no feedback to provide.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
|
@millsmillsymills this closes the CARD-SIGN gap from task-29 with concrete vectors. It adds Worth flagging why a deterministic vector here is useful right now. Agent-card identity is being discussed at length elsewhere, there is a 230-comment thread still thrashing out a claim-type framework for it, but the signing-canonicalization question specifically is not open: 8.4.1 and 8.4.2 already settle it. Without a known-good conformance vector, every implementer re-derives the canonical bytes by hand, which is exactly how signing implementations silently diverge. A committed vector set gives the kit a byte-level baseline, so a signer either matches the spec or it does not. Happy to reshape it to fit however you want the CARD-SIGN suite structured. |
kuangmi-bit
left a comment
There was a problem hiding this comment.
Verified: all 3 vectors reproduce byte-for-byte with stock rfc8785==0.1.4. Lint clean.
Clean design — the importorskip pattern keeps zero dependency footprint, and the three vectors cover minimal card (CARD-SIGN-001), signatures-exclusion (CARD-SIGN-002), and richer card with nested objects (CARD-SIGN-001 stress).
One follow-up: CARD-SIGN-003 (protected header decode + alg/kid validation) is the next logical addition now that the canonicalization baseline is committed. I am working on that next — will open a separate PR.
What
Standalone reference vectors for AgentCard signing canonicalization, toward the CARD-SIGN coverage gap noted in task-29.
card_signing_canonicalization_vectors.json: AgentCards paired with their expected RFC 8785 (JCS) canonical signing payload after thesignaturesfield is excluded.test_card_signing_canonicalization.py: checks a canonicalizer reproduces those bytes. Usespytest.importorskip("rfc8785"), so it skips where the library is absent and adds no required dependency.Why
CARD-SIGN-001 (8.4.1, JCS canonicalization) and CARD-SIGN-002 (8.4.1, exclude signatures) are tagged NOT_AUTOMATABLE because the SUT internal canonicalization is not observable. These vectors do not change that. They give the kit fixed, known good canonical payloads so a canonicalization implementation can be checked against bytes rather than prose.
cardsign-canon-001matches the spec's own section 8.4.1 worked example.Scope
No SUT machinery, no new required dependency, neutral RFC 8785. The signatures present case proves exclusion (CARD-SIGN-002).
Source
Vectors are derived from
card_ref, an open content addressed AgentCard reference ("sha256:"plus SHA-256(JCS(card without signatures))), published at github.com/chopmob-cloud/AlgoVoi-A2A-Card and in the algovoi-jcs-conformance-vectors corpus (setcard_ref_v1), Apache-2.0. card_ref supports either option: standalone (non-keystone) use, or composition into a keystone chain. Only the standalone AgentCard canonicalization is relevant to this contribution.