@sokoliva sokoliva commented Dec 5, 2025

This PR introduces digital signatures for Agent Cards to ensure authenticity and integrity, adhering to the A2A specification for Agent Card Signing (Section 8.4).

Changes:

  • Implement Canonicalization Logic (src/a2a/utils/signing.py)
  • Add Signing and Verification Utilities (src/a2a/utils/signing.py):
    • create_agent_card_signer which generates an agent_card_signer for signing AgentCards
    • create_signature_verifier which generates a signature_verifier for verification of AgentCard signatures
  • Enable signature verification support for json-rpc, rest and gRPC transports
  • Add Protobuf Conversion for Signatures (src/a2a/utils/proto_utils.py) ensuring AgentCardSignature can be serialized and deserialized for gRPC transport
  • Add related tests:
    • integration tests for fetching signed cards from the Server
    • unit tests for signing util
    • unit tests for protobuf conversions

Release-As: 0.3.21

  • Follow the CONTRIBUTING Guide.
  • Make your Pull Request title in the https://www.conventionalcommits.org/ specification.
    • Important Prefixes for release-please:
      • fix: which represents bug fixes, and correlates to a SemVer patch.
      • feat: represents a new feature, and correlates to a SemVer minor.
      • feat!:, or fix!:, refactor!:, etc., which represent a breaking change (indicated by the !) and will result in a SemVer major.
  • Ensure the tests and linter pass (Run bash scripts/format.sh from the repository root to format)
  • Appropriate docs were updated (if necessary)

@sokoliva sokoliva requested a review from a team as a code owner December 5, 2025 17:19
@gemini-code-assist

Summary of Changes

Hello @sokoliva, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request implements digital signature capabilities for Agent Cards, aligning with the A2A specification to enhance the authenticity and integrity of card data. It introduces core utilities for signing and verification, integrates these checks into existing client transports, and ensures proper serialization for gRPC communication, all backed by new test coverage.

Highlights

  • Agent Card Signing and Verification Utilities: Introduced create_agent_card_signer and create_signature_verifier functions in src/a2a/utils/signing.py to handle digital signatures for Agent Cards, ensuring their authenticity and integrity.
  • Canonicalization Logic: Implemented canonicalize_agent_card in src/a2a/utils/signing.py to standardize Agent Card JSON payloads before signing, adhering to RFC 8785 (JCS).
  • Transport Layer Integration: Enabled signature verification support across JSON-RPC, REST, and gRPC client transports by modifying their get_card methods to accept and utilize a signature_verifier callable.
  • Protobuf Conversion for Signatures: Added new methods in src/a2a/utils/proto_utils.py for converting AgentCardSignature objects to and from Protobuf messages, facilitating gRPC transport of signed cards.
  • Comprehensive Testing: Included new integration tests to validate fetching and verifying signed Agent Cards from the server across all supported transports, as well as unit tests for the new signing utilities and protobuf conversions.

@sokoliva sokoliva assigned sokoliva and unassigned sokoliva Dec 5, 2025
@sokoliva sokoliva requested a review from lkawka December 5, 2025 17:20
@sokoliva sokoliva self-assigned this Dec 5, 2025

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces AgentCard signature verification functionality across various client transports (JSON-RPC, REST, gRPC). Key changes include adding python-jose as a dependency, implementing create_agent_card_signer and create_signature_verifier utilities, and extending get_card methods in BaseClient and transport classes to accept an optional signature_verifier callable. The proto_utils module was updated to handle AgentCardSignature conversion to and from protobuf. New integration and unit tests were added to validate symmetric and asymmetric signing and verification processes, as well as JSON Canonicalization Scheme (JCS) for AgentCards. Review comments highlight the need to add an algorithms parameter to create_signature_verifier for security against algorithm confusion attacks, update its docstring, correct a docstring in base_client.py regarding the signature_verifier parameter, and fix a type inconsistency in a test fixture where signatures was assigned a tuple instead of a list.
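
The algorithm allow-list requested in the review above, shown as an added stdlib-only example that is not code from this PR or from the a2a SDK: the verifier accepts a signature only when the `alg` in its protected header is one the caller listed, and a changed card field invalidates it. Assumptions: the function names, the `protected`/`signature` entry layout, the HS256-only scope and the sorted-key JSON stand-in for RFC 8785 are all illustrative, and the key and card are constructed sample data.

```python
import base64, hashlib, hmac, json

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def canonical_payload(card: dict) -> bytes:
    # Simplified stand-in for RFC 8785 (JCS): sorted keys, no whitespace.
    # The signatures field is excluded so a signature never covers itself.
    body = {k: v for k, v in card.items() if k != "signatures"}
    return json.dumps(body, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode()

def sign_card(card: dict, key: bytes, kid: str) -> dict:
    # Hypothetical signer: HS256 over "<protected>.<base64url(payload)>".
    protected = b64u(json.dumps({"alg": "HS256", "kid": kid}).encode())
    signing_input = f"{protected}.{b64u(canonical_payload(card))}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return {**card, "signatures": [{"protected": protected, "signature": b64u(sig)}]}

def verify_card(card: dict, key: bytes, algorithms: list[str]) -> bool:
    """True if any signature verifies under an algorithm the caller allows."""
    for entry in card.get("signatures", []):
        try:
            header = json.loads(b64u_dec(entry["protected"]))
            sig = b64u_dec(entry["signature"])
        except (KeyError, ValueError):
            continue  # malformed entry: skip it, never treat it as valid
        alg = header.get("alg") if isinstance(header, dict) else None
        # The caller's allow-list decides, never the header on its own.
        # This sketch implements HS256 only, so anything else is rejected.
        if alg not in algorithms or alg != "HS256":
            continue
        signing_input = f'{entry["protected"]}.{b64u(canonical_payload(card))}'.encode()
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(sig, expected):
            return True
    return False

# Constructed sample data, not taken from the PR.
KEY = b"constructed-demo-key"
CARD = {"name": "demo-agent", "url": "https://agent.example/a2a", "version": "1.0.0"}
SIGNED = sign_card(CARD, KEY, kid="demo-key-1")
```
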
