
Add github-public-key-signature and github-public-key-identifier headers #2

Open
gr2m opened this issue Aug 27, 2024 · 2 comments

Comments

@gr2m
Collaborator

gr2m commented Aug 27, 2024

We should expect that copilot extension apps do proper payload validation. It could be bypassed in local development if necessary, but I would avoid it if possible.

I'm not sure how the signature is currently calculated. I assume it is using the app's private key? If so, we would need to expose the private key to the CLI extension.

Without sending the signature header, the CLI extension cannot be used to test apps that implement the payload verification.

gr2m changed the title from "Add signature header" to "Add github-public-key-signature and github-public-key-identifier headers" on Sep 6, 2024
@marzvrover

@gr2m the signature is calculated using a common ECDSA private key, following the paved path from the secret scanning program. The way to include this in the debug tool would be to send the messages through the GitHub platform to be signed. Currently this tool is designed to directly talk to the agent.

@gr2m
Collaborator Author

gr2m commented Sep 11, 2024

An alternative path we discussed would be for the debug CLI to create its own private key and expose its own version of https://api.github.com/meta/public_keys/copilot_api, then dynamically configure the URL of that endpoint in apps (which we'll have to do anyway in our SDKs for enterprise compatibility). But this will obviously be more work.

Would this be a viable path though? If so, we could mark the issue as "pull requests welcome" to encourage the community to build that out, if none of the Hubbers can prioritize it anytime soon?
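The alternative path described in the comment above, as an added example that is not code from this repository or from any of the commenters: the debug CLI generates its own P-256 key, serves a key list shaped like the https://api.github.com/meta/public_keys/copilot_api document, and signs the payload; the app side selects the key by identifier and verifies the signature. Assumptions: ECDSA P-256 over SHA-256 with a base64-encoded DER signature as in the secret scanning flow, the `public_keys` / `key_identifier` / `key` field names, and the constructed identifier `debug-cli-key-1`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
)

const keyID = "debug-cli-key-1" // constructed placeholder for the CLI's key identifier

// NewDebugKey stands in for the debug CLI generating its own P-256 key.
func NewDebugKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// PublicKeysJSON renders the key list the CLI would serve in place of the GitHub meta endpoint (field names assumed from the secret scanning list).
func PublicKeysJSON(priv *ecdsa.PrivateKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil { return nil, err }
	pemKey := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	return json.Marshal(map[string][]map[string]string{"public_keys": {{"key_identifier": keyID, "key": string(pemKey)}}})
}

// Sign yields the two header values: the key identifier and base64(DER ECDSA signature over SHA-256(payload)).
func Sign(priv *ecdsa.PrivateKey, payload []byte) (string, string, error) {
	h := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	return keyID, base64.StdEncoding.EncodeToString(sig), err
}

// Verify is the app-side check: select the key by identifier, then verify the signature over the raw payload bytes.
func Verify(keysJSON, payload []byte, id, sigB64 string) error {
	var doc map[string][]map[string]string
	if err := json.Unmarshal(keysJSON, &doc); err != nil { return err }
	for _, k := range doc["public_keys"] {
		if k["key_identifier"] != id { continue }
		block, _ := pem.Decode([]byte(k["key"]))
		if block == nil { return errors.New("key is not valid PEM") }
		pub, err := x509.ParsePKIXPublicKey(block.Bytes)
		sig, errSig := base64.StdEncoding.DecodeString(sigB64)
		if err != nil || errSig != nil { return errors.New("cannot parse key or signature") }
		h := sha256.Sum256(payload)
		if ecPub, ok := pub.(*ecdsa.PublicKey); ok && ecdsa.VerifyASN1(ecPub, h[:], sig) { return nil }
		return errors.New("signature does not verify under the named key")
	}
	return errors.New("unknown key identifier")
}
```

An app under test would point its key-list URL at the CLI's endpoint and run Verify on every request before handling it; a mismatched payload, an unknown identifier, or an undecodable signature is rejected rather than logged and ignored.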
