@mikeas1 mikeas1 commented Jul 18, 2025

This is an example to illustrate how extensions can be defined and implemented. The example shows a few aspects of extensions that are interesting:

  1. Exposing data in an AgentCard via the params field
  2. Requiring activation for the extension to be used.
  3. Providing a library for agent developers to use in their agent implementation for direct coordination.
  4. Showing decorators as an implementation pattern for transparent(ish) extension usage.

I plan to follow this up with actually using this extension in a sample agent.

@gemini-code-assist gemini-code-assist bot left a comment

Summary of Changes

Hello @mikeas1, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a new example extension focused on message signing, designed to showcase various advanced capabilities of the A2A extension framework. It provides a complete implementation in Python along with a formal specification, demonstrating how agents can expose capabilities, require activation, and integrate custom logic for secure communication.

Highlights

  • New Example Extension: I've added a new example extension for message signing (v1) to demonstrate how extensions can be defined and implemented within the A2A framework. This serves as a blueprint for future extension development.
  • Message Signing Protocol: This PR defines a clear protocol for adding and verifying digital signatures on Message and Artifact objects. It leverages JSON Web Signatures (JWS) and JSON Canonicalization Scheme (JCS) to ensure message integrity and authenticity.
  • Extension Capabilities Showcase: The example illustrates several key extension features: exposing public keys via AgentCard parameters, requiring explicit activation for the extension to be used, and utilizing decorator patterns (SigningEventQueue, SigningAgentExecutor) for transparent integration into agent execution flows.
  • Python Implementation & Specification: I've provided a concrete Python implementation of the signing extension, including utility classes for signing and verification, and integration with a2a-sdk components. Additionally, a detailed Markdown specification (spec.md) outlines the extension's URI, parameters, signature field structure, and the precise signing and verification process.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces a new example extension for signing A2A messages. The review focuses on correctness and consistency between the specification and the implementation, identifying critical issues like typos and incorrect API usage, as well as inconsistencies in the specification.

mikeas1 commented Jul 23, 2025

/gemini review

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces an example of an A2A extension for message signing. The review focuses on improving usability and robustness, including addressing a local-only dependency, simplifying the SigningExtension API, and making the signing function more resilient.

requires-python = ">=3.10"
dependencies = [
# DO NOT SUBMIT: Local path.
"a2a-sdk @ {root:uri}/../../../../../../a2a-python",

critical

The a2a-sdk dependency is configured using a local file path. To make this example more accessible, consider using a public or private package index, or provide clear instructions in the README for setting up the local dependency.

Comment on lines +210 to +216
self, client: httpx.AsyncClient, message: Message
) -> RemoteAgent | None:
"""Retrieve the verified author of a message, if the message is signed.

Raises an error if a signature is present but verification fails.
"""
return await get_agent_author(client, message)
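
Review bot: the `RemoteAgent | None` return on get_agent_author makes an unsigned message look like an ordinary result unless the caller checks for None, since only a failed verification raises. Say in the docstring that None means the author is unauthenticated, and consider a strict variant or flag that raises when no signature is present, so callers that require signed messages cannot accept unsigned ones by forgetting the check.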

medium

The get_agent_author method is an async instance method that doesn't use any instance attributes (i.e., self) and just proxies to the top-level get_agent_author function. Consider removing this method and suggesting users import and call the top-level function directly for verifying signatures.

sig_jws = jws.JWS(signing_payload)
sig_jws.add_signature(
signing_key,
protected={'alg': 'ES256'},

medium

The signing algorithm is hardcoded to ES256. To enhance robustness, consider inferring the alg from the signing_key's properties or adding a validation check to ensure the provided key is compatible with ES256.
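
The key-compatibility check suggested in the review comment above, as an added example (not code from this pull request or from the a2a-sdk). It assumes the signing key is available as an RFC 7517 JWK dict; the function names, the sample keys and the verifier-side allow-list check on a base64url protected header are hypothetical additions.

```python
import base64
import json

# ECDSA curve -> JWS algorithm name (RFC 7518, section 3.4).
ALG_FOR_CURVE = {'P-256': 'ES256', 'P-384': 'ES384', 'P-521': 'ES512'}


def alg_for_jwk(jwk: dict) -> str:
    """Infer the JWS algorithm an EC signing key is usable with."""
    if jwk.get('kty') != 'EC':
        raise ValueError(f"not an EC key: kty={jwk.get('kty')!r}")
    if jwk.get('crv') not in ALG_FOR_CURVE:
        raise ValueError(f"unsupported curve: {jwk.get('crv')!r}")
    if jwk.get('use', 'sig') != 'sig':
        raise ValueError('key is not marked for signing')
    alg = ALG_FOR_CURVE[jwk['crv']]
    # A key that declares its own alg must agree with its curve.
    if jwk.get('alg', alg) != alg:
        raise ValueError(f"key declares {jwk['alg']!r}, curve implies {alg}")
    return alg


def protected_header_for(jwk: dict, expected: str = 'ES256') -> dict:
    """Signer side: build the header, failing early on a mismatched key."""
    alg = alg_for_jwk(jwk)
    if alg != expected:
        raise ValueError(f'expected a key for {expected}, got one for {alg}')
    return {'alg': alg}


def check_incoming_alg(protected_b64: str, allowed=('ES256',)) -> str:
    """Verifier side: refuse a protected header outside the allow-list."""
    padded = protected_b64 + '=' * (-len(protected_b64) % 4)
    header = json.loads(base64.urlsafe_b64decode(padded))
    alg = header.get('alg') if isinstance(header, dict) else None
    if alg not in allowed:
        raise ValueError(f'algorithm not allowed: {alg!r}')
    return alg


def b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(',', ':')).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b'=').decode()


# Constructed sample keys; coordinates omitted because only metadata is read.
P256_KEY = {'kty': 'EC', 'crv': 'P-256', 'use': 'sig'}
P384_KEY = {'kty': 'EC', 'crv': 'P-384'}
RSA_KEY = {'kty': 'RSA', 'alg': 'RS256'}
```

Running the check before the signature is added turns a wrong key type into an immediate, readable error at the call site instead of a failure inside the JWS library.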

@holtskinner holtskinner marked this pull request as ready for review August 5, 2025 15:26
@holtskinner holtskinner left a comment

I actually think this would make sense to be in a top level directory called extensions (alongside samples, notebooks, demo)

Also, be sure to update to the snake_case syntax. You can use this script https://github.com/a2aproject/a2a-samples/blob/main/samples/python/refactor_camel_to_snake.sh

requires-python = ">=3.10"
dependencies = [
# DO NOT SUBMIT: Local path.
"a2a-sdk @ {root:uri}/../../../../../../a2a-python",

Can this be updated to a2a-sdk 0.3.0?

)
]
),
defaultInputModes=[],

Be sure to change all of these to use the updated SDK syntax.

@mikeas1 mikeas1 marked this pull request as draft September 2, 2025 20:44