…ard-compat

Aligns with adcp-go and adcp-client (TS) — all three SDKs now accept release.yml signatures from refs/heads/* OR refs/tags/*. Branch refs are what's used today (releases sign during the push-triggered workflow); tag refs are a placeholder for any future post-tag re-signing flow without needing another SDK bump.

No behavior change for current v3.0.x adopters — branches were already accepted via the `refs/heads/.*` wildcard.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Merged

bokelley added a commit to adcontextprotocol/adcp that referenced this pull request on May 1, 2026:
…3793)

* docs(security): cosign verify-blob trust model + cert-subject lookup

Adds docs/reference/verifying-protocol-tarballs.mdx covering the keyless Sigstore trust model for AdCP protocol bundles, the recommended verify-blob invocation, and a per-release cert-subject table so consumers know what to expect. Updates docs/building/schemas-and-sdks.mdx to use the canonical refs/(heads|tags)/.* regex (was refs/heads/.*) and link to the new doc.

The new doc explains why a wildcard branch component is correct: the release.yml workflow's own on.push.branches allowlist is what gates which refs can produce a signature, so mirroring that list in every consumer's regex was a maintenance liability that silently broke v3.0.1+ verification when the 3.0.x maintenance branch was cut.

Companion SDK fixes: adcontextprotocol/adcp-client#1243 (TS), adcontextprotocol/adcp-client-python#343 (Python). adcp-go was already on the canonical pattern.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(docs): add og:title to verifying-protocol-tarballs (CI seo check)

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Small consistency change: `scripts/sync_schemas.py`'s `COSIGN_IDENTITY_REGEX` already accepts any branch ref (`refs/heads/.*`); this PR also accepts tag refs (`refs/tags/.*`) for forward-compat with any future post-tag re-signing flow.
Why
Aligns with the other two SDKs:
Branch refs are what's used by the AdCP release workflow today (cosign signs during the push-triggered run, so the OIDC subject is `release.yml@refs/heads/`). Tag refs are forward-compat — if upstream ever adds a post-tag re-signing flow (so the cert subject becomes `release.yml@refs/tags/v3.0.X`), no SDK bump needed.
No behavior change for current v3.0.x adopters
`refs/heads/.*` already accepts `refs/heads/3.0.x`, so this SDK has been verifying v3.0.1, v3.0.2, v3.0.3 correctly. The TS SDK has been broken for those releases (PR #1243 fixes that); this PR just rounds out the consistency story.
Test plan
🤖 Generated with Claude Code
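An added illustration, not code from `scripts/sync_schemas.py`, of why the wildcard ref component is the right shape for a consumer-side identity check: the workflow URL is assumed to follow the standard GitHub Actions certificate-subject layout, the "old" branch allowlist is invented for contrast, and the issuer URL is the GitHub Actions OIDC issuer.

```python
import re

# Assumed OIDC issuer for GitHub Actions keyless signing (not stated in the PR).
GITHUB_ACTIONS_ISSUER = "https://token.actions.githubusercontent.com"

# Assumed workflow path; GitHub Actions certificate subjects have the form
# https://github.com/<owner>/<repo>/.github/workflows/<file>@<ref>.
WORKFLOW = "https://github.com/adcontextprotocol/adcp/.github/workflows/release.yml"

# Before (illustrative allowlist, not the script's real old value): branch names
# pinned in the consumer.  Cutting a new maintenance branch silently breaks it.
OLD_IDENTITY_REGEX = re.escape(WORKFLOW) + r"@refs/heads/(main|2\.x)"

# After: the PR's canonical pattern.  release.yml's own on.push.branches allowlist
# already gates which refs can produce a signature, so the consumer need not repeat it.
NEW_IDENTITY_REGEX = re.escape(WORKFLOW) + r"@refs/(heads|tags)/.*"


def identity_matches(cert_identity: str, cert_issuer: str, identity_regex: str) -> bool:
    """Policy check applied to the signing certificate's subject and issuer.

    fullmatch is deliberate: a search-style match would also accept a subject
    with extra text around the expected workflow URL.  The repo and workflow
    file stay literal in the pattern; only the ref component is a wildcard.
    """
    if cert_issuer != GITHUB_ACTIONS_ISSUER:
        return False
    return re.fullmatch(identity_regex, cert_identity) is not None


# Constructed certificate subjects: the ref varies, the workflow URL must not.
CASES = {
    "main": f"{WORKFLOW}@refs/heads/main",
    "3.0.x": f"{WORKFLOW}@refs/heads/3.0.x",
    "tag": f"{WORKFLOW}@refs/tags/v3.0.4",
    "fork": f"{WORKFLOW.replace('adcontextprotocol', 'someone-else')}@refs/heads/main",
    "other-workflow": f"{WORKFLOW.replace('release.yml', 'ci.yml')}@refs/heads/main",
}


def evaluate(identity_regex: str, issuer: str = GITHUB_ACTIONS_ISSUER) -> dict:
    """Map each constructed subject to whether the given policy accepts it."""
    return {name: identity_matches(subj, issuer, identity_regex) for name, subj in CASES.items()}


if __name__ == "__main__":
    for label, regex in (("old", OLD_IDENTITY_REGEX), ("new", NEW_IDENTITY_REGEX)):
        print(label, evaluate(regex))
```

The old pattern rejects the `3.0.x` maintenance branch (the breakage the companion docs commit describes) while the new one accepts branch and tag refs alike; both still reject a different repository, a different workflow file, or a different issuer.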