docs
docs copied to clipboard
Add python example for signature validation on secret scanning notifications
Why:
The secret scanning workflow documentation (https://docs.github.com/en/enterprise-cloud@latest/developers/overview/secret-scanning-partner-program#implement-signature-verification-in-your-secret-alert-service) doesn't have example validation in python. I found at least two other people asking about how to do this in python with no answers.
Fixes #18778
What's being changed:
Added an example of signature validation using python-ecdsa (https://github.com/tlsfuzzer/python-ecdsa)
Check off the following:
- [X] I have reviewed my changes in staging (look for "Automatically generated comment" and click Modified to view your latest changes).
- [X] For content changes, I have completed the self-review checklist.
Writer impact (This section is for GitHub staff members only):
- [ ] This pull request impacts the contribution experience
- [ ] I have added the 'writer impact' label
- [ ] I have added a description and/or a video demo of the changes below (e.g. a "before and after video")
Thanks for opening this pull request! A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.
Automatically generated comment ℹ️
This comment is automatically generated and will be overwritten every time changes are committed to this branch.
The table contains an overview of files in the content
directory that have been changed in this pull request. It's provided to make it easy to review your changes on the staging site. Please note that changes to the data
directory will not show up in this table.
Content directory changes
You may find it useful to copy this table into the pull request summary. There you can edit it to share links to important articles or changes and to give a high-level overview of how the changes in your pull request support the overall goals of the pull request.
Source | Preview | Production | What Changed |
---|---|---|---|
developers/overview/secret-scanning-partner-program.md |
fpt ghec |
fpt ghec |
fpt: Free, Pro, Team ghec: GitHub Enterprise Cloud ghes: GitHub Enterprise Server ghae: GitHub AE
@ckuethe Thanks so much for opening a PR! I'll get this triaged for review ✨
Thanks for opening a pull request! We've triaged this issue for technical review by a subject matter expert :eyes:
This is a gentle bump for the docs team that this PR is waiting for technical review.
This is a gentle bump for the docs team that this PR is waiting for technical review.
Thx
Hello @janiceilene, @felicitymay, and @cmwilson21 - do you know if the appropriate folks have had a chance to look at this issue?
@ckuethe Thanks for checking in! The PR is on our board waiting for review. A writer will get eyes on it soon. 👀
Thank you for your patience as we work through our backlog 💛
Hi @ckuethe - thanks for your patience 🙏🏻
We've checked with the relevant team and we are happy to accept your contribution ✨
However, could you remove the caching of our public key, and provide one example only?
In the long term, we ideally want to link to an examples repository, which would be easier for everyone to maintain. In the mean time, we understand that examples are helpful to our users, but we don't want to have too many of these (maintainability issue).
Thanks in advance for your understanding. I am happy to review your PR once you've made these changes 😃
Hello @mchammer01 - Updated to address your feedback. Let me know if there are other changes you'd like.
Thank you @ckuethe - I've asked one of the team for a final technical review. Thanks for your patience 🙂 🙏🏻
@marzvrover - would you mind reviewing this from a technical perspective? (As a member of the Docs team, I did an editorial review, and this LGTM). Thanks in advance for your help with this 🙇🏻 😃
Assuming you have python-ecdsa installed, you should be able to simply paste the example into a python 3 interpreter. I'm a fan of examples that have cut-paste-and-do-what-i-mean functionality :)
Hello @mchammer01 @marzvrover - anything else you would like me to update in this example? I just updated the comment to accurately reflect that this PR now contains only a single implementation of validation using python-ecdsa
@marzvrover - gentle bump on the request above 💜
@marzvrover Can I push back on that request? I'd like this example to be completely standalone.
For the purposes of this demonstration it's not important exactly how the key gets into memory, it's not important how the message to be validated to gets into memory. What is important is that we have a message, a public key, and a simple example of using that key to determine message validity.
Fetching the key from the API would require additional logic to handle signing key changes by checking the key ID, and
@ckuethe it helps enforce the best practice of pulling in our active keys rather than relying on a local copy. This would keep the Python sample inline with our Go, Ruby, and JavaScript samples.
@ckuethe - can you follow @marzvrover's recommendation above for consistency? I am happy to merge this once you remove the hardcoded public key.
@ckuethe Just checking in again on this one. Have you had a chance to consider the recommendation above?
👋 Just checking in. It looks like it's been a while since anything was updated on this one. I'm going to go ahead and close it now, but feel free to ping me or reopen if you'd like to resume work on it. 💛
Hi @ckuethe, I just wanted to let you know that we used your contributions and added you as coauthor for the commit https://github.com/github-technology-partners/signature-verification/commit/85ca4c59b2223ab2461181d94d021ff65f612e0f.
Hey baby girl what are you doing today
On Tue, Mar 5, 2024 at 2:30 PM marz @.***> wrote:
Hi @ckuethe https://github.com/ckuethe, I just wanted to let you know that we used your contributions and added you as coauthor for the commit @.*** https://github.com/github-technology-partners/signature-verification/commit/85ca4c59b2223ab2461181d94d021ff65f612e0f .
— Reply to this email directly, view it on GitHub https://github.com/github/docs/pull/18776#issuecomment-1979746671, or unsubscribe https://github.com/notifications/unsubscribe-auth/AWGTV2O2CKZ65NNW5MXMRBTYWZBRFAVCNFSM5ZSAPQ62U5DIOJSWCZC7NNSXTN2JONZXKZKDN5WW2ZLOOQ5TCOJXHE3TINRWG4YQ . You are receiving this because you are subscribed to this thread.Message ID: @.***>