feat: Add signatures to the AgentCard#917
Conversation
There was a problem hiding this comment.
Summary of Changes
Hello @mikeas1, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
This pull request implements a new feature that enhances the AgentCard by adding support for digital signatures. This allows for the verification of the AgentCard's integrity using JSON Web Signatures (JWS), providing a mechanism to ensure the card's authenticity and prevent tampering. The changes involve updating the core data structures and documentation across various specification files to accommodate this new capability.
Highlights
- AgentCard Signatures: Introduced a new
signaturesfield to theAgentCarddata structure. This field will contain JSON Web Signatures (JWS) formatted signatures, enabling integrity verification of the AgentCard. - Specification Updates: The
docs/specification.mdhas been updated to include a new section (5.5.6) detailing theAgentCardSignatureobject and an example of how thesignaturesarray will appear in a sample Agent Card (5.6). - Schema Definitions: Formal definitions for the
AgentCardSignaturetype and its inclusion within theAgentCardhave been added acrossspecification/grpc/a2a.proto,specification/json/a2a.json, andtypes/src/types.ts, ensuring consistent data modeling for JWS signatures.
Using Gemini Code Assist
The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.
Invoking Gemini
You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.
| Feature | Command | Description |
|---|---|---|
| Code Review | /gemini review |
Performs a code review for the current pull request in its current state. |
| Pull Request Summary | /gemini summary |
Provides a summary of the current pull request in its current state. |
| Comment | @gemini-code-assist | Responds in comments when explicitly tagged, both in issue comments and review comments. |
| Help | /gemini help |
Displays a list of available commands. |
Customization
To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.
Limitations & Feedback
Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments or fill out our survey to provide feedback.
You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.
Footnotes
-
Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩
There was a problem hiding this comment.
Code Review
This pull request introduces a signatures field to the AgentCard to support JWS signatures for verifying the card's integrity. The changes span across documentation, protobuf definitions, JSON schema, and TypeScript types, ensuring consistency for the new feature.
The implementation looks solid, but I've found one critical issue in the protobuf definition where a duplicate field tag is used, which will prevent compilation. I've left a specific comment with a suggestion to fix it. Otherwise, the changes are well-implemented.
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request introduces a signatures field to the AgentCard to support JWS-formatted signatures, enhancing the security and integrity verification of agent metadata. The changes are consistently applied across the specification documents, Protobuf definitions, JSON schema, and TypeScript types. I have added comments to improve the Protobuf definition by enforcing required fields.
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request introduces a signatures field to the AgentCard to support JWS-formatted signatures, enhancing the security and integrity verification of agent metadata. The changes are consistently applied across the specification documents, protobuf definitions, JSON schema, and TypeScript types.
My review identified a minor but important clarification needed in the comments and descriptions across multiple files: specifying Base64url encoding for JWS components instead of the more generic "Base64", to align precisely with RFC 7515. This will prevent potential ambiguity for implementers.
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request introduces a signatures field to the AgentCard to support JWS-based signatures for verifying the integrity and authenticity of the card. The changes are consistently applied across the specification documents, gRPC definitions, JSON schema, and TypeScript types. The implementation correctly models the Flattened JWS JSON Serialization format. I've provided a couple of suggestions to improve the clarity and technical precision of the documentation, which is important for a specification.
🤖 I have created a release *beep* *boop* --- ## [0.3.0](v0.2.6...v0.3.0) (2025-07-30) ### ⚠ BREAKING CHANGES * Add mTLS to SecuritySchemes, add oauth2 metadata url field, allow Skills to specify Security ([#901](#901)) * Change Well-Known URI for Agent Card hosting from `agent.json` to `agent-card.json` ([#841](#841)) * Add method for fetching extended card ([#929](#929)) ### Features * Add `signatures` to the `AgentCard` ([#917](#917)) ([ef4a305](ef4a305)) * Add method for fetching extended card ([#929](#929)) ([2cd7d98](2cd7d98)) * Add mTLS to SecuritySchemes, add oauth2 metadata url field, allow Skills to specify Security ([#901](#901)) ([e162c0c](e162c0c)) ### Bug Fixes * **spec:** Add `SendMessageRequest.request` `json_name` mapping to `message` ([#904](#904)) ([2eef3f6](2eef3f6)) * **spec:** Add Transport enum to specification ([#909](#909)) ([e834347](e834347)) ### Code Refactoring * Change Well-Known URI for Agent Card hosting from `agent.json` to `agent-card.json` ([#841](#841)) ([0858ddb](0858ddb)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
🤖 I have created a release *beep* *boop* --- ## [0.3.0](a2aproject/A2A@v0.2.6...v0.3.0) (2025-07-30) ### ⚠ BREAKING CHANGES * Add mTLS to SecuritySchemes, add oauth2 metadata url field, allow Skills to specify Security ([#901](a2aproject/A2A#901)) * Change Well-Known URI for Agent Card hosting from `agent.json` to `agent-card.json` ([#841](a2aproject/A2A#841)) * Add method for fetching extended card ([#929](a2aproject/A2A#929)) ### Features * Add `signatures` to the `AgentCard` ([#917](a2aproject/A2A#917)) ([e799342](a2aproject/A2A@e799342)) * Add method for fetching extended card ([#929](a2aproject/A2A#929)) ([ae89f89](a2aproject/A2A@ae89f89)) * Add mTLS to SecuritySchemes, add oauth2 metadata url field, allow Skills to specify Security ([#901](a2aproject/A2A#901)) ([a5c881e](a2aproject/A2A@a5c881e)) ### Bug Fixes * **spec:** Add `SendMessageRequest.request` `json_name` mapping to `message` ([#904](a2aproject/A2A#904)) ([273a1f1](a2aproject/A2A@273a1f1)) * **spec:** Add Transport enum to specification ([#909](a2aproject/A2A#909)) ([3076ae6](a2aproject/A2A@3076ae6)) ### Code Refactoring * Change Well-Known URI for Agent Card hosting from `agent.json` to `agent-card.json` ([#841](a2aproject/A2A#841)) ([c20c28b](a2aproject/A2A@c20c28b)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
Description
This introduces a
signaturesfield on the AgentCard that contains JWS formatted signatures. See issue #916 and discussion #199 for further details, including how signatures are constructed and verified.Fixes #916 🦕