We should expect that copilot extension apps do proper payload validation. It could be bypassed in local development if necessary, but I would avoid it if possible.
I'm not sure how the signature is currently calculated. I assume it is using the app's private key? If so, we would need to expose the private key to the CLI extension.
Without sending the signature header, the CLI extension cannot be used to test apps that implement the payload verification.
gr2m changed the title from "Add signature header" to "Add github-public-key-signature and github-public-key-identifier headers" on Sep 6, 2024
@gr2m the signature is calculated using a common ECDSA private key, following the paved path from the secret scanning program. The way to include this in the debug tool would be to send the messages through the GitHub platform to be signed. Currently this tool is designed to directly talk to the agent.
An alternative path we discussed would be for the debug CLI to create its own private key and expose its own version of https://api.github.com/meta/public_keys/copilot_api, then dynamically configure the URL of that endpoint in apps (which we'll have to do anyway in our SDKs for enterprise compatibility). But this will obviously be more work.
Would this be a viable path though? If so, we could mark the issue as "pull requests welcome" to encourage the community to build that out, if none of the Hubbers can prioritize it anytime soon?
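The following is an added example, not code from this issue, from the debug CLI, or from GitHub's SDKs. It sketches in Go the alternative path discussed above: the debug CLI generates its own P-256 ECDSA key pair, serves a key listing in the shape of the public_keys endpoint, and signs each raw request body; an extension app pointed at that listing URL then verifies the github-public-key-signature and github-public-key-identifier headers against it. Assumptions (not confirmed by the thread): the listing's field names (public_keys / key_identifier / key / is_current, modelled on the secret scanning key listing), the way the key identifier is derived, and that the signature is a base64-encoded DER ECDSA signature over SHA-256 of the raw body. The real service may differ in any of these.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
)

// Header names from the issue title.
const (
	SignatureHeader  = "github-public-key-signature"
	IdentifierHeader = "github-public-key-identifier"
)

// publicKeysDoc is the listing the debug CLI would serve instead of
// https://api.github.com/meta/public_keys/copilot_api.
// Field names are an ASSUMPTION modelled on the secret scanning listing.
type publicKeysDoc struct {
	PublicKeys []publicKeyEntry `json:"public_keys"`
}

type publicKeyEntry struct {
	KeyIdentifier string `json:"key_identifier"`
	Key           string `json:"key"` // PEM "PUBLIC KEY" (SubjectPublicKeyInfo)
	IsCurrent     bool   `json:"is_current"`
}

// Signer is the state the debug CLI would hold: its own key pair and identifier.
type Signer struct {
	priv *ecdsa.PrivateKey
	id   string
}

// NewSigner generates a fresh P-256 key. The identifier is the hex SHA-256 of
// the DER public key; that derivation is an assumption for this example.
func NewSigner() (*Signer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(der)
	return &Signer{priv: priv, id: hex.EncodeToString(sum[:])}, nil
}

// PublicKeysJSON renders the listing the CLI would expose on its local endpoint.
func (s *Signer) PublicKeysJSON() ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(&s.priv.PublicKey)
	if err != nil {
		return nil, err
	}
	pemKey := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	return json.Marshal(publicKeysDoc{PublicKeys: []publicKeyEntry{
		{KeyIdentifier: s.id, Key: string(pemKey), IsCurrent: true},
	}})
}

// Sign produces the two header values for a raw request body:
// DER-encoded ECDSA over SHA-256 of the exact bytes sent, base64-encoded.
func (s *Signer) Sign(body []byte) (signature, keyID string, err error) {
	h := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, s.priv, h[:])
	if err != nil {
		return "", "", err
	}
	return base64.StdEncoding.EncodeToString(sig), s.id, nil
}

// VerifyPayload is the app side: keysJSON is the listing fetched from the
// configured keys URL. The key is selected by the identifier header, then the
// signature header is checked against the raw body. Any failure rejects.
func VerifyPayload(keysJSON, body []byte, signatureHeader, keyIDHeader string) error {
	var doc publicKeysDoc
	if err := json.Unmarshal(keysJSON, &doc); err != nil {
		return err
	}
	var pemKey string
	for _, k := range doc.PublicKeys {
		if k.KeyIdentifier == keyIDHeader {
			pemKey = k.Key
			break
		}
	}
	if pemKey == "" {
		return errors.New("unknown key identifier")
	}
	block, _ := pem.Decode([]byte(pemKey))
	if block == nil {
		return errors.New("malformed PEM in key listing")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return err
	}
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("listed key is not ECDSA")
	}
	sig, err := base64.StdEncoding.DecodeString(signatureHeader)
	if err != nil {
		return err
	}
	h := sha256.Sum256(body)
	if !ecdsa.VerifyASN1(ecPub, h[:], sig) {
		return errors.New("signature does not match body")
	}
	return nil
}

func main() {
	s, _ := NewSigner()
	keys, _ := s.PublicKeysJSON()
	body := []byte(`{"messages":[{"role":"user","content":"hello"}]}`) // constructed sample
	sig, id, _ := s.Sign(body)
	fmt.Println(SignatureHeader, "->", sig[:16]+"...", IdentifierHeader, "->", id[:16]+"...")
	fmt.Println("verify original:", VerifyPayload(keys, body, sig, id))
	fmt.Println("verify tampered:", VerifyPayload(keys, []byte(`{"messages":[]}`), sig, id))
}
```

The verify side deliberately fails closed on every branch (unknown identifier, bad PEM, wrong key type, undecodable or mismatching signature), which is the behaviour an app should keep even when pointed at a local debug key listing rather than the GitHub endpoint.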