From 25cafdcf7be6c63a552231cb46ed33ab632d707c Mon Sep 17 00:00:00 2001 From: nweisenauer <137267159+nweisenauer-sap@users.noreply.github.com> Date: Thu, 15 Jan 2026 20:23:53 +0100 Subject: [PATCH 1/3] Adds 'agent_version' to PostStatus request (#86) * PostStatus posts agent status including the agent version Signed-off-by: Nico Weisenauer <137267159+nweisenauer-sap@users.noreply.github.com> * makes agent_version a string (from *string) Signed-off-by: Nico Weisenauer <137267159+nweisenauer-sap@users.noreply.github.com> --------- Signed-off-by: Nico Weisenauer <137267159+nweisenauer-sap@users.noreply.github.com> Signed-off-by: Marcos Yacob --- .gitignore | 1 + proto/spire/api/server/agent/v1/agent.pb.go | 18 ++++++++++--- proto/spire/api/server/agent/v1/agent.proto | 3 +++ proto/spire/api/types/agent.pb.go | 30 +++++++++++++++++---- proto/spire/api/types/agent.proto | 6 +++++ 5 files changed, 49 insertions(+), 9 deletions(-) diff --git a/.gitignore b/.gitignore index 86b3eeb..e6d3b6a 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ .build *.swp +.vscode diff --git a/proto/spire/api/server/agent/v1/agent.pb.go b/proto/spire/api/server/agent/v1/agent.pb.go index 3c2b5a8..56a91fe 100644 --- a/proto/spire/api/server/agent/v1/agent.pb.go +++ b/proto/spire/api/server/agent/v1/agent.pb.go @@ -765,8 +765,10 @@ type PostStatusRequest struct { state protoimpl.MessageState `protogen:"open.v1"` // Required. Serial number of the bundle currently being served by the agent CurrentBundleSerial uint64 `protobuf:"varint,1,opt,name=current_bundle_serial,json=currentBundleSerial,proto3" json:"current_bundle_serial,omitempty"` - unknownFields protoimpl.UnknownFields - sizeCache protoimpl.SizeCache + // Optional. The version of the agent. + AgentVersion string `protobuf:"bytes,2,opt,name=agent_version,json=agentVersion,proto3" json:"agent_version,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache } func (x *PostStatusRequest) Reset() { 
@@ -806,6 +808,13 @@ func (x *PostStatusRequest) GetCurrentBundleSerial() uint64 { return 0 } +func (x *PostStatusRequest) GetAgentVersion() string { + if x != nil { + return x.AgentVersion + } + return "" +} + type PostStatusResponse struct { state protoimpl.MessageState `protogen:"open.v1"` unknownFields protoimpl.UnknownFields @@ -1174,9 +1183,10 @@ const file_spire_api_server_agent_v1_agent_proto_rawDesc = "" + "\x05token\x18\x02 \x01(\tR\x05token\x124\n" + "\bagent_id\x18\x03 \x01(\v2\x19.spire.api.types.SPIFFEIDR\aagentId\"'\n" + "\x13AgentX509SVIDParams\x12\x10\n" + - "\x03csr\x18\x01 \x01(\fR\x03csr\"G\n" + + "\x03csr\x18\x01 \x01(\fR\x03csr\"l\n" + "\x11PostStatusRequest\x122\n" + - "\x15current_bundle_serial\x18\x01 \x01(\x04R\x13currentBundleSerial\"\x14\n" + + "\x15current_bundle_serial\x18\x01 \x01(\x04R\x13currentBundleSerial\x12#\n" + + "\ragent_version\x18\x02 \x01(\tR\fagentVersion\"\x14\n" + "\x12PostStatusResponse2\x80\a\n" + "\x05Agent\x12l\n" + "\vCountAgents\x12-.spire.api.server.agent.v1.CountAgentsRequest\x1a..spire.api.server.agent.v1.CountAgentsResponse\x12i\n" + diff --git a/proto/spire/api/server/agent/v1/agent.proto b/proto/spire/api/server/agent/v1/agent.proto index 1679819..82a20ad 100644 --- a/proto/spire/api/server/agent/v1/agent.proto +++ b/proto/spire/api/server/agent/v1/agent.proto @@ -226,6 +226,9 @@ message AgentX509SVIDParams { message PostStatusRequest { // Required. Serial number of the bundle currently being served by the agent uint64 current_bundle_serial = 1; + + // Optional. The version of the agent. + string agent_version = 2; } message PostStatusResponse { diff --git a/proto/spire/api/types/agent.pb.go b/proto/spire/api/types/agent.pb.go index 3c90915..4e91360 100644 --- a/proto/spire/api/types/agent.pb.go +++ b/proto/spire/api/types/agent.pb.go 
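Review bot: The comment on `agent_version` in `PostStatusRequest` does not say that the value is reported by the agent itself, nor what format or maximum length is accepted. The server presumably stores it and returns it as `Agent.agent_version` (field 8 in proto/spire/api/types/agent.proto, where the same gap applies), so I would document it as informational, e.g. `// Optional. The version of the agent, as reported by the agent itself. Informational only; must not be used for authorization decisions.` The handler that consumes the field is not part of this patch, so confirm that it bounds the length and character set before persisting or logging the value.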
@@ -37,7 +37,9 @@ type Agent struct { // Output only. Whether or not the agent is banned. Banned bool `protobuf:"varint,6,opt,name=banned,proto3" json:"banned,omitempty"` // Output only. Whether or not the agent can re-attest. - CanReattest bool `protobuf:"varint,7,opt,name=can_reattest,json=canReattest,proto3" json:"can_reattest,omitempty"` + CanReattest bool `protobuf:"varint,7,opt,name=can_reattest,json=canReattest,proto3" json:"can_reattest,omitempty"` + // Output only. Optional. The version of the agent. + AgentVersion string `protobuf:"bytes,8,opt,name=agent_version,json=agentVersion,proto3" json:"agent_version,omitempty"` unknownFields protoimpl.UnknownFields sizeCache protoimpl.SizeCache } @@ -121,6 +123,13 @@ func (x *Agent) GetCanReattest() bool { return false } +func (x *Agent) GetAgentVersion() string { + if x != nil { + return x.AgentVersion + } + return "" +} + type AgentMask struct { state protoimpl.MessageState `protogen:"open.v1"` // attestation_type field mask @@ -134,7 +143,9 @@ type AgentMask struct { // banned field mask Banned bool `protobuf:"varint,6,opt,name=banned,proto3" json:"banned,omitempty"` // can_reattest field mask - CanReattest bool `protobuf:"varint,7,opt,name=can_reattest,json=canReattest,proto3" json:"can_reattest,omitempty"` + CanReattest bool `protobuf:"varint,7,opt,name=can_reattest,json=canReattest,proto3" json:"can_reattest,omitempty"` + // agent_version field mask + AgentVersion bool `protobuf:"varint,8,opt,name=agent_version,json=agentVersion,proto3" json:"agent_version,omitempty"` unknownFields protoimpl.UnknownFields sizeCache protoimpl.SizeCache } 
@@ -211,11 +222,18 @@ func (x *AgentMask) GetCanReattest() bool { return false } +func (x *AgentMask) GetAgentVersion() bool { + if x != nil { + return x.AgentVersion + } + return false +} + var File_spire_api_types_agent_proto protoreflect.FileDescriptor const file_spire_api_types_agent_proto_rawDesc = "" + "\n" + - "\x1bspire/api/types/agent.proto\x12\x0fspire.api.types\x1a\x1espire/api/types/selector.proto\x1a\x1espire/api/types/spiffeid.proto\x1a\x1egoogle/protobuf/wrappers.proto\"\xb7\x02\n" + + "\x1bspire/api/types/agent.proto\x12\x0fspire.api.types\x1a\x1espire/api/types/selector.proto\x1a\x1espire/api/types/spiffeid.proto\x1a\x1egoogle/protobuf/wrappers.proto\"\xdc\x02\n" + "\x05Agent\x12)\n" + "\x02id\x18\x01 \x01(\v2\x19.spire.api.types.SPIFFEIDR\x02id\x12)\n" + "\x10attestation_type\x18\x02 \x01(\tR\x0fattestationType\x124\n" + 
@@ -223,14 +241,16 @@ const file_spire_api_types_agent_proto_rawDesc = "" + "\x13x509svid_expires_at\x18\x04 \x01(\x03R\x11x509svidExpiresAt\x127\n" + "\tselectors\x18\x05 \x03(\v2\x19.spire.api.types.SelectorR\tselectors\x12\x16\n" + "\x06banned\x18\x06 \x01(\bR\x06banned\x12!\n" + - "\fcan_reattest\x18\a \x01(\bR\vcanReattest\"\xf5\x01\n" + + "\fcan_reattest\x18\a \x01(\bR\vcanReattest\x12#\n" + + "\ragent_version\x18\b \x01(\tR\fagentVersion\"\x9a\x02\n" + "\tAgentMask\x12)\n" + "\x10attestation_type\x18\x02 \x01(\bR\x0fattestationType\x124\n" + "\x16x509svid_serial_number\x18\x03 \x01(\bR\x14x509svidSerialNumber\x12.\n" + "\x13x509svid_expires_at\x18\x04 \x01(\bR\x11x509svidExpiresAt\x12\x1c\n" + "\tselectors\x18\x05 \x01(\bR\tselectors\x12\x16\n" + "\x06banned\x18\x06 \x01(\bR\x06banned\x12!\n" + - "\fcan_reattest\x18\a \x01(\bR\vcanReattestB7Z5github.com/spiffe/spire-api-sdk/proto/spire/api/typesb\x06proto3" + "\fcan_reattest\x18\a \x01(\bR\vcanReattest\x12#\n" + + "\ragent_version\x18\b \x01(\bR\fagentVersionB7Z5github.com/spiffe/spire-api-sdk/proto/spire/api/typesb\x06proto3" var ( file_spire_api_types_agent_proto_rawDescOnce sync.Once diff --git a/proto/spire/api/types/agent.proto b/proto/spire/api/types/agent.proto index 5d96ef8..f9e8628 100644 --- a/proto/spire/api/types/agent.proto +++ b/proto/spire/api/types/agent.proto @@ -27,6 +27,9 @@ message Agent { // Output only. Whether or not the agent can re-attest. bool can_reattest = 7; + + // Output only. Optional. The version of the agent. + string agent_version = 8; } message AgentMask { @@ -47,4 +50,7 @@ message AgentMask { // can_reattest field mask bool can_reattest = 7; + + // agent_version field mask + bool agent_version = 8; } From d78e40279c5516edbbcefedb6bba3a40e770dd94 Mon Sep 17 00:00:00 2001 From: Sorin Dumitru Date: Thu, 15 Jan 2026 19:47:54 +0000 Subject: [PATCH 2/3] Add a signing algorithm to the WIT signing requests (#87) Signed-off-by: Sorin Dumitru 
Signed-off-by: Marcos Yacob --- proto/spire/api/server/svid/v1/svid.pb.go | 42 +++++++++++++++++------ proto/spire/api/server/svid/v1/svid.proto | 8 +++++ 2 files changed, 40 insertions(+), 10 deletions(-) diff --git a/proto/spire/api/server/svid/v1/svid.pb.go b/proto/spire/api/server/svid/v1/svid.pb.go index ce5d859..3e6fa65 100644 --- a/proto/spire/api/server/svid/v1/svid.pb.go +++ b/proto/spire/api/server/svid/v1/svid.pb.go @@ -136,9 +136,12 @@ type MintWITSVIDRequest struct { // if unset. The TTL is advisory only. The actual lifetime of the WIT-SVID // may be lower depending on the remaining lifetime of the active SPIRE // Server CA. - Ttl int32 `protobuf:"varint,3,opt,name=ttl,proto3" json:"ttl,omitempty"` - unknownFields protoimpl.UnknownFields - sizeCache protoimpl.SizeCache + Ttl int32 `protobuf:"varint,3,opt,name=ttl,proto3" json:"ttl,omitempty"` + // Required. The signing algorithm to specify in the key. This must be one + // of the values supported by the WIT-SVID specification. + SigningAlgorithm string `protobuf:"bytes,4,opt,name=signing_algorithm,json=signingAlgorithm,proto3" json:"signing_algorithm,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache } func (x *MintWITSVIDRequest) Reset() { @@ -192,6 +195,13 @@ func (x *MintWITSVIDRequest) GetTtl() int32 { return 0 } +func (x *MintWITSVIDRequest) GetSigningAlgorithm() string { + if x != nil { + return x.SigningAlgorithm + } + return "" +} + type MintWITSVIDResponse struct { state protoimpl.MessageState `protogen:"open.v1"` // The newly issued WIT-SVID. 
@@ -806,9 +816,12 @@ type NewWITSVIDParams struct { // Required. The entry ID for the identity being requested. EntryId string `protobuf:"bytes,1,opt,name=entry_id,json=entryId,proto3" json:"entry_id,omitempty"` // Required. The ASN.1 DER encoded public key. - PublicKey []byte `protobuf:"bytes,2,opt,name=public_key,json=publicKey,proto3" json:"public_key,omitempty"` - unknownFields protoimpl.UnknownFields - sizeCache protoimpl.SizeCache + PublicKey []byte `protobuf:"bytes,2,opt,name=public_key,json=publicKey,proto3" json:"public_key,omitempty"` + // Required. The signing algorithm to specify in the key. This must be one + // of the values supported by the WIT-SVID specification. + SigningAlgorithm string `protobuf:"bytes,3,opt,name=signing_algorithm,json=signingAlgorithm,proto3" json:"signing_algorithm,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache } func (x *NewWITSVIDParams) Reset() { @@ -855,6 +868,13 @@ func (x *NewWITSVIDParams) GetPublicKey() []byte { return nil } +func (x *NewWITSVIDParams) GetSigningAlgorithm() string { + if x != nil { + return x.SigningAlgorithm + } + return "" +} + type BatchNewX509SVIDResponse_Result struct { state protoimpl.MessageState `protogen:"open.v1"` // The status of creating the X509-SVID. 
@@ -972,12 +992,13 @@ const file_spire_api_server_svid_v1_svid_proto_rawDesc = "" + "\x03csr\x18\x01 \x01(\fR\x03csr\x12\x10\n" + "\x03ttl\x18\x02 \x01(\x05R\x03ttl\"E\n" + "\x14MintX509SVIDResponse\x12-\n" + - "\x04svid\x18\x01 \x01(\v2\x19.spire.api.types.X509SVIDR\x04svid\"p\n" + + "\x04svid\x18\x01 \x01(\v2\x19.spire.api.types.X509SVIDR\x04svid\"\x9d\x01\n" + "\x12MintWITSVIDRequest\x12)\n" + "\x02id\x18\x01 \x01(\v2\x19.spire.api.types.SPIFFEIDR\x02id\x12\x1d\n" + "\n" + "public_key\x18\x02 \x01(\fR\tpublicKey\x12\x10\n" + - "\x03ttl\x18\x03 \x01(\x05R\x03ttl\"C\n" + + "\x03ttl\x18\x03 \x01(\x05R\x03ttl\x12+\n" + + "\x11signing_algorithm\x18\x04 \x01(\tR\x10signingAlgorithm\"C\n" + "\x13MintWITSVIDResponse\x12,\n" + "\x04svid\x18\x01 \x01(\v2\x18.spire.api.types.WITSVIDR\x04svid\"m\n" + "\x12MintJWTSVIDRequest\x12)\n" + @@ -1013,11 +1034,12 @@ const file_spire_api_server_svid_v1_svid_proto_rawDesc = "" + "\x10x509_authorities\x18\x02 \x03(\fR\x0fx509Authorities\"@\n" + "\x11NewX509SVIDParams\x12\x19\n" + "\bentry_id\x18\x01 \x01(\tR\aentryId\x12\x10\n" + - "\x03csr\x18\x02 \x01(\fR\x03csr\"L\n" + + "\x03csr\x18\x02 \x01(\fR\x03csr\"y\n" + "\x10NewWITSVIDParams\x12\x19\n" + "\bentry_id\x18\x01 \x01(\tR\aentryId\x12\x1d\n" + "\n" + - "public_key\x18\x02 \x01(\fR\tpublicKey2\xae\x06\n" + + "public_key\x18\x02 \x01(\fR\tpublicKey\x12+\n" + + "\x11signing_algorithm\x18\x03 \x01(\tR\x10signingAlgorithm2\xae\x06\n" + "\x04SVID\x12m\n" + "\fMintX509SVID\x12-.spire.api.server.svid.v1.MintX509SVIDRequest\x1a..spire.api.server.svid.v1.MintX509SVIDResponse\x12j\n" + "\vMintJWTSVID\x12,.spire.api.server.svid.v1.MintJWTSVIDRequest\x1a-.spire.api.server.svid.v1.MintJWTSVIDResponse\x12j\n" + diff --git a/proto/spire/api/server/svid/v1/svid.proto b/proto/spire/api/server/svid/v1/svid.proto index bad5589..54a20a8 100644 --- a/proto/spire/api/server/svid/v1/svid.proto +++ b/proto/spire/api/server/svid/v1/svid.proto 
@@ -82,6 +82,10 @@ message MintWITSVIDRequest { // may be lower depending on the remaining lifetime of the active SPIRE // Server CA. int32 ttl = 3; + + // Required. The signing algorithm to specify in the key. This must be one + // of the values supported by the WIT-SVID specification. + string signing_algorithm = 4; } message MintWITSVIDResponse { @@ -200,4 +204,8 @@ message NewWITSVIDParams { // Required. The ASN.1 DER encoded public key. bytes public_key = 2; + + // Required. The signing algorithm to specify in the key. This must be one + // of the values supported by the WIT-SVID specification. + string signing_algorithm = 3; } From 999eb484f8140e2bcd4a0debd328e40a35b67354 Mon Sep 17 00:00:00 2001 From: Sorin Dumitru Date: Wed, 21 Jan 2026 13:43:22 +0000 Subject: [PATCH 3/3] Use go.dev/dl for downloading go (#83) Signed-off-by: Sorin Dumitru Signed-off-by: Marcos Yacob --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index ee22b31..37c4692 100644 --- a/Makefile +++ b/Makefile @@ -83,7 +83,7 @@ go_version_full := $(shell cat .go-version) go_version := $(go_version_full:.0=.0) go_dir := $(build_dir)/go/$(go_version) go_bin_dir := $(go_dir)/bin -go_url = https://storage.googleapis.com/golang/go$(go_version).$(os1)-$(arch2).tar.gz +go_url = https://go.dev/dl/golang/go$(go_version).$(os1)-$(arch2).tar.gz go_path := PATH="$(go_bin_dir):$(PATH)" # go-check checks to see if there is a version of Go available matching the
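Review bot: `signing_algorithm` in `MintWITSVIDRequest` is a free-form `string` marked Required, but the comment names neither the accepted values nor what happens when the value is empty or unknown; the same applies to `NewWITSVIDParams.signing_algorithm` in the second hunk of this file. Clients generated before this change will send the empty string, so that case needs a stated contract. Because the caller supplies both `public_key` and the algorithm, the comment should also say that a mismatch is rejected, e.g. `// The request fails with InvalidArgument if the value is empty, unsupported, or inconsistent with the type of public_key.`, assuming that is the intended behaviour. The server-side validation is outside this patch and should be checked against whatever wording is chosen.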
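Review bot: The new `go_url` keeps the `golang/` path segment from the old storage bucket URL, while go.dev serves release archives directly under `/dl/`, so this URL likely returns 404; I would expect `go_url = https://go.dev/dl/go$(go_version).$(os1)-$(arch2).tar.gz`. go.dev/dl answers with a redirect, so the download recipe (outside this hunk) has to follow redirects, e.g. `curl -L`. That recipe fetches a toolchain archive that the build then executes, so it should also compare the archive against the published SHA-256 before unpacking, if it does not already.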