Add signature package for signing events and verifying signatures #91
Applicable Issues
#9
Description of the Change
The new package basically contains two types, Signer and Verifier, which, unsurprisingly, sign events and verify signatures of existing events.
Signer instances are configured with an identity and a private key and sign events into byte slices. Verifier instances require you to pass something that implements the PublicKeyLocator interface. That interface looks up which public key(s) can be used to verify the signature of an event with a given meta.security.authorIdentity. Because public key lookups are expected to be application-dependent we don't include a type that implements PublicKeyLocator, but that might change over time once we understand typical usage patterns.
Alternate Designs
None.
Possible Drawbacks
None. Event signing is optional and we're not adding complexity or anything to code that doesn't deal with signatures.
Sign-off
Developer's Certificate of Origin 1.1
By making a contribution to this project, I certify that:
(a) The contribution was created in whole or in part by me and I have the right to submit it under the open source license indicated in the file; or
(b) The contribution is based upon previous work that, to the best of my knowledge, is covered under an appropriate open source license and I have the right under that license to submit that work with modifications, whether created in whole or in part by me, under the same open source license (unless I am permitted to submit under a different license), as indicated in the file; or
(c) The contribution was provided directly to me by some other person who certified (a), (b) or (c) and I have not modified it.
(d) I understand and agree that this project and the contribution are public and that a record of the contribution (including all personal information I submit with it, including my sign-off) is maintained indefinitely and may be redistributed consistent with this project or the open source license(s) involved.
Signed-off-by: Magnus Bäck <[email protected]>
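The locator pattern described in this pull request, sketched as an added example that is not code from the PR or the project: an identity-to-keys lookup drives verification, and verification fails closed when the identity is unknown. The names `KeyLocator`, `StaticLocator`, `Verify` and `Demo`, the use of Ed25519 over raw payload bytes, and passing the identity alongside the payload rather than reading it from the event are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// KeyLocator (hypothetical) maps an author identity to the keys trusted for it.
type KeyLocator interface {
	Locate(identity string) ([]ed25519.PublicKey, error)
}

// StaticLocator is a fixed in-memory trust store (assumption for this example).
type StaticLocator map[string][]ed25519.PublicKey

func (s StaticLocator) Locate(identity string) ([]ed25519.PublicKey, error) {
	if keys, ok := s[identity]; ok {
		return keys, nil
	}
	return nil, errors.New("no trusted key for identity " + identity)
}

// Verify fails closed: an unknown identity or a non-matching key is an error.
func Verify(loc KeyLocator, identity string, payload, sig []byte) error {
	keys, err := loc.Locate(identity)
	if err != nil {
		return err
	}
	for _, k := range keys { // more than one key per identity allows rotation
		if ed25519.Verify(k, payload, sig) {
			return nil
		}
	}
	return errors.New("signature matches no key for " + identity)
}

// Demo signs a constructed event and checks it under three conditions.
func Demo() (good, unknownID, tampered error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	loc := StaticLocator{"CN=build-bot": {pub}} // constructed identity
	event := []byte(`{"data":{"name":"example"}}`) // constructed payload
	sig := ed25519.Sign(priv, event)
	return Verify(loc, "CN=build-bot", event, sig),
		Verify(loc, "CN=other", event, sig),
		Verify(loc, "CN=build-bot", append(event, ' '), sig)
}

func main() { fmt.Println(Demo()) }
```

Because the identity used for the lookup is a claim made by the event, the locator is the trust anchor: a key is accepted only for the identities the application has explicitly mapped it to.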