Conversation
generation This change amends the `http-signature-dir` to print an error log whendirectories mistakenly sign `@authority` without the `req` parameter. It fixes a bug with the example signature agent card generation where only the host component was used to sign `@authority`, rather than the full host and port pair (i.e. the _actual_ authority component). This led to verifiers being unable to verify generated signatures. It fixes some minor comments and superfluous Github Actions changes, and does some basic refactoring to make the logic a bit more straightforward in the example. Importantly, it also adds the `alg` parameter in generated signatures - this is in line with the opinionated signing we do, whereby other elements normal to web bot auth are also enforced for arbitrary HTTP signatures.
These include some pretty significant and breaking changes: 1. Dependency on `time` library is now required instead of `std::time` for all API users. As a bonus, however, we gain support on Cloudflare Workers as well as removal of a class of errors related to system clocks and `created` / `expires` parsing. 2. A number of constructs were removed: `WebBotAuthSignedMessage`, `SignedMessage::fetch_all_signature_headers` and `SignedMessage::fetch_all_signature_inputs`. The library now exposes a single method to look up components to verify. 3. `Signature-Agent` can now be parsed as a dictionary, but retains support for being parsed as a raw string. 4. It enforces use of `req` parameter in `http-message-dir`. This is in line with the specification, but can break verification of existing sites. I also removed the pin to Rust v1.87 in the Github Actions handler. This ensures we're building against the latest available Rust version.
thibmeu
approved these changes
Dec 19, 2025
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Clone of #66 but amended to release 0.6.0 instead of 1.0.0