Commit 148d9c0

docs(sdk/python): fix README review feedback from Copilot
- Add signer comparison step to verify_env_encrypt_public_key example so users compare the recovered signer against a known KMS address instead of only checking for None
- Move version() from 0.5.0+ to 0.5.7+ in compatibility table to match the code and docstring (Version RPC was introduced in 0.5.7)
1 parent 84006de commit 148d9c0

1 file changed

Lines changed: 13 additions & 2 deletions

sdk/python/README.md
@@ -282,6 +282,17 @@ if signer is None:
282282
if signer is None:
283283
raise RuntimeError('invalid KMS env-encrypt public key')
284284

285+
# Always compare the recovered signer against a known-good KMS signer
286+
# address, obtained out-of-band from the DstackKms contract or your
287+
# deployment configuration. Without this check, an attacker could sign
288+
# their own env-encrypt key and the verification above would still pass.
289+
EXPECTED_KMS_SIGNER = '0x...' # replace with your known KMS signer address
290+
if signer != EXPECTED_KMS_SIGNER:
291+
raise RuntimeError(
292+
f'unexpected KMS signer: got {signer}, '
293+
f'expected {EXPECTED_KMS_SIGNER}'
294+
)
295+
285296
env_vars = [
286297
EnvVar(key='DATABASE_URL', value='postgresql://...'),
287298
EnvVar(key='API_KEY', value='secret'),
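Review bot: the `if signer != EXPECTED_KMS_SIGNER:` check added in this hunk is a case-sensitive string comparison, so a recovered signer returned as lowercase hex will not match a checksummed (mixed-case) configured address, and vice versa, even when they denote the same account. Normalize both sides before comparing, for example `if signer.lower() != EXPECTED_KMS_SIGNER.lower():`, or compare checksummed forms on both sides. Also consider showing `EXPECTED_KMS_SIGNER` read from deployment configuration rather than the hard-coded `'0x...'` literal; as written, copying the example verbatim always raises, which at least fails closed, but a reader may not realise the placeholder must be replaced before the snippet is useful.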
@@ -308,8 +319,8 @@ hash_value = get_compose_hash(app_compose_dict)
308319
|---|---|
309320
| `get_key`, `get_quote`, `get_tls_key` (legacy fields), `info` (legacy fields) | 0.3+ |
310321
| `emit_event` | 0.5.0+ |
311-
| `attest`, `sign` / `verify`, `version`, `is_reachable` | 0.5.0+ (sign/verify require server build with the feature) |
312-
| `algorithm='ed25519'` on `get_key`, `info.cloud_vendor` / `cloud_product`, `not_before` / `not_after` / `with_app_info` on `get_tls_key` | 0.5.7+ |
322+
| `attest`, `sign` / `verify`, `is_reachable` | 0.5.0+ (sign/verify require server build with the feature) |
323+
| `version`, `algorithm='ed25519'` on `get_key`, `info.cloud_vendor` / `cloud_product`, `not_before` / `not_after` / `with_app_info` on `get_tls_key` | 0.5.7+ |
313324
| `verify_env_encrypt_public_key` (signature_v1 with timestamp) | Requires KMS build that emits `signature_v1`; legacy variant remains available |
314325

315326
Calls that require 0.5.7-only fields probe the `Version` RPC first and raise a clear `RuntimeError` on older guest agents.
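Review bot: with `version` moved to the 0.5.7+ row, the closing sentence about calls probing the `Version` RPC first no longer says what `version()` itself does on a pre-0.5.7 guest agent, where the probe is the very call that is missing. Suggest stating explicitly that `version()` raises `RuntimeError` on older agents, so callers gating on 0.5.7 features should catch that rather than assume a version string is always returned, for example: "On guest agents older than 0.5.7, `version()` itself raises `RuntimeError`; treat that as 'pre-0.5.7' when feature-gating."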
