feat(sec-core): harden skill signing pipeline and add .skill-meta layout#129
Open
1570005763 wants to merge 1 commit intomainfrom
Open
feat(sec-core): harden skill signing pipeline and add .skill-meta layout#1291570005763 wants to merge 1 commit intomainfrom
1570005763 wants to merge 1 commit intomainfrom
Conversation
|
|
1570005763
force-pushed
the
feat-add-skill-sign-guide
branch
from
0d6ea99 to
138134f
Compare
edonyzpc
reviewed
Apr 8, 2026
edonyzpc
reviewed
Apr 8, 2026
1570005763
force-pushed
the
feat-add-skill-sign-guide
branch
2 times, most recently
from
d0ebf53 to
3516604
Compare
- Harden GPG key import: save/restore shell options precisely, resolve imported key fingerprint via before/after diff (comm -13) - Support cross-distro gpg/gpg2 binary resolution (Alinux compat) - Move signing artifacts (Manifest.json, .skill.sig) into .skill-meta/ hidden directory for extensibility (versioning, permissions tracking) - Make --batch directory optional (default: ~/.copilot-shell/skills/) - Auto-register batch-signed directory in config.conf before signing to maintain manifest hash integrity for agent-sec-core - Add comprehensive e2e test suite (15 tests) covering sign + verify - Add SIGNING_GUIDE.md / SIGNING_GUIDE_CN.md documentation - Update READMEs, error messages, and integration tests Signed-off-by: 1570005763 <daniel.duan@linux.alibaba.com>
1570005763
force-pushed
the
feat-add-skill-sign-guide
branch
from
3516604 to
663461f
Compare
Collaborator
|
LGTM. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Harden the
sign-skill.shsigning pipeline for reliability and cross-distro compatibility, and reorganise signing artifacts into a.skill-meta/hidden directory for extensibility (versioning, permissions tracking). Key changes include precise GPG fingerprint resolution via before/after diff, gpg/gpg2 binary auto-detection for RHEL/Anolis/Alinux, batch-mode auto-registration inconfig.conf, and new--init/--export-key/--checkconvenience modes. Adds comprehensive SIGNING_GUIDE documentation (EN + CN) and a 15-case e2e test suite covering the full sign + verify workflow.Related Issue
no-issue: hardening and documentation for existing skill-signing feature
Type of Change
Scope
sec-core(agent-sec-core)Checklist
sec-core(Python): Ruff format and pytest passTesting
Additional Notes
.skill-meta/— the verifier has been updated accordingly, so this is backward-compatible for fresh deployments.--batchmode now defaults to~/.copilot-shell/skills/when no directory is given.--initmode provides a zero-config quick-start for self-deployment scenarios.