39 changes: 39 additions & 0 deletions content/developers/overview/secret-scanning-partner-program.md
Expand Up @@ -363,6 +363,45 @@ const verify_signature = async (payload, signature, keyID) => {
};
```

**Validation sample in Python**

```python
# This example assumes that the public key identified by key id
# 90a421169f0a406205f1563a953312f0be898d3c7b6c06b681aa86a874555f4a
# is used to validate the message; production validators shoud be
# prepared to check the key id and and fetch updated public keys
# at runtime.

from base64 import b64decode

payload = b'[{"token":"some_token","type":"some_type","url":"some_url"}]'
signature = b"MEUCIQDKZokqnCjrRtw0tni+2Ltvl/uiMJ1EGumEsp1BsNr32AIgQY1YXD2nlj+XNfGK4rBfkMJ1JDOQcYXxa2sY8FNkrKc="
raw_sig = b64decode(signature)

public_key = "\n".join(
[
"-----BEGIN PUBLIC KEY-----",
"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9MJJHnMfn2+H4xL4YaPDA4RpJqUq",
"kCmRCBnYERxZanmcpzQSXs1X/AljlKkbJ8qpVIW4clayyef9gWhFbNHWAA==",
"-----END PUBLIC KEY-----",
]
)

from ecdsa import VerifyingKey, BadSignatureError, NIST256p
from ecdsa.util import sigdecode_der
from hashlib import sha256

ecdsa_verifier = VerifyingKey.from_pem(string=public_key, hashfunc=sha256)
try:
ecdsa_verifier.verify(
signature=raw_sig, data=payload, sigdecode=sigdecode_der
)
print("Message validated")
except (BadSignatureError, ValueError):
print("Message not validated")

```

### Implement secret revocation and user notification in your secret alert service

For {% data variables.product.prodname_secret_scanning %} in public repositories, you can enhance your secret alert service to revoke the exposed secrets and notify the affected users. How you implement this in your secret alert service is up to you, but we recommend considering any secrets that {% data variables.product.prodname_dotcom %} sends you messages about as public and compromised.