Skip to content

tests(agent_card): reference canonicalization vectors for CARD-SIGN-001/002 (JCS signing payload)#194

Open
chopmob-cloud wants to merge 3 commits into
a2aproject:mainfrom
chopmob-cloud:card-sign-canon-reference-vectors
Open

tests(agent_card): reference canonicalization vectors for CARD-SIGN-001/002 (JCS signing payload)#194
chopmob-cloud wants to merge 3 commits into
a2aproject:mainfrom
chopmob-cloud:card-sign-canon-reference-vectors

Conversation

@chopmob-cloud

Copy link
Copy Markdown

What

Standalone reference vectors for AgentCard signing canonicalization, toward the CARD-SIGN coverage gap noted in task-29.

  • card_signing_canonicalization_vectors.json: AgentCards paired with their expected RFC 8785 (JCS) canonical signing payload after the signatures field is excluded.
  • test_card_signing_canonicalization.py: checks a canonicalizer reproduces those bytes. Uses pytest.importorskip("rfc8785"), so it skips where the library is absent and adds no required dependency.

Why

CARD-SIGN-001 (8.4.1, JCS canonicalization) and CARD-SIGN-002 (8.4.1, exclude signatures) are tagged NOT_AUTOMATABLE because the SUT internal canonicalization is not observable. These vectors do not change that. They give the kit fixed, known good canonical payloads so a canonicalization implementation can be checked against bytes rather than prose. cardsign-canon-001 matches the spec's own section 8.4.1 worked example.

Scope

No SUT machinery, no new required dependency, neutral RFC 8785. The signatures present case proves exclusion (CARD-SIGN-002).

Source

Vectors are derived from card_ref, an open content addressed AgentCard reference ("sha256:" plus SHA-256(JCS(card without signatures))), published at github.com/chopmob-cloud/AlgoVoi-A2A-Card and in the algovoi-jcs-conformance-vectors corpus (set card_ref_v1), Apache-2.0. card_ref supports either option: standalone (non-keystone) use, or composition into a keystone chain. Only the standalone AgentCard canonicalization is relevant to this contribution.

…01/002

Standalone RFC 8785 (JCS) canonical signing payload vectors for the CARD-SIGN
canonicalization requirements (task-29 coverage gap). Uses pytest.importorskip
so it skips where rfc8785 is absent and adds no required dependency, and does
not change the NOT_AUTOMATABLE status. cardsign-canon-001 matches the spec
section 8.4.1 worked example.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces reference canonicalization vectors and a corresponding test suite for A2A AgentCard signing (CARD-SIGN-001, CARD-SIGN-002). It adds a JSON file containing test cases and a Python test file using pytest and RFC 8785 (JCS) to verify that the canonical signing payload is correctly generated by excluding the signatures field. There are no review comments, so I have no feedback to provide.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

@chopmob-cloud

Copy link
Copy Markdown
Author

@millsmillsymills this closes the CARD-SIGN gap from task-29 with concrete vectors.

It adds card_signing_canonicalization_vectors.json plus a checker: AgentCards paired with their expected RFC 8785 (JCS) canonical signing payload after the signatures field is excluded, covering CARD-SIGN-001 (spec 8.4.1) and CARD-SIGN-002 (spec 8.4.2). The test uses pytest.importorskip("rfc8785"), so it adds no required dependency and skips cleanly where the lib is absent. CI is green.

Worth flagging why a deterministic vector here is useful right now. Agent-card identity is being discussed at length elsewhere, there is a 230-comment thread still thrashing out a claim-type framework for it, but the signing-canonicalization question specifically is not open: 8.4.1 and 8.4.2 already settle it. Without a known-good conformance vector, every implementer re-derives the canonical bytes by hand, which is exactly how signing implementations silently diverge. A committed vector set gives the kit a byte-level baseline, so a signer either matches the spec or it does not.

Happy to reshape it to fit however you want the CARD-SIGN suite structured.

@kuangmi-bit kuangmi-bit left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Verified: all 3 vectors reproduce byte-for-byte with stock rfc8785==0.1.4. Lint clean.

Clean design — the importorskip pattern keeps zero dependency footprint, and the three vectors cover minimal card (CARD-SIGN-001), signatures-exclusion (CARD-SIGN-002), and richer card with nested objects (CARD-SIGN-001 stress).

One follow-up: CARD-SIGN-003 (protected header decode + alg/kid validation) is the next logical addition now that the canonicalization baseline is committed. I am working on that next — will open a separate PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants