-
Notifications
You must be signed in to change notification settings - Fork 7
Expand file tree
/
Copy pathverify.php
More file actions
64 lines (49 loc) · 2.02 KB
/
Copy pathverify.php
File metadata and controls
64 lines (49 loc) · 2.02 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
<?php
require 'vendor/autoload.php';
use GuzzleHttp\Client;
class GithubSignatureVerifier
{
public const GITHUB_SECRET_SCANNING_KEYS_URI = "https://api.github.com/meta/public_keys/secret_scanning";
public const GITHUB_COPILOT_KEYS_URI = "https://api.github.com/meta/public_keys/copilot_api";
protected const ALGORITHM = OPENSSL_ALGO_SHA256;
public static function verify(string $signature, string $publicKey, string $token, string $payload): bool
{
// Fetch public keys from GitHub
$client = new Client();
$options = [];
if (!empty($token)) {
$options['headers'] = [
'Authorization' => 'Bearer ' . $token,
];
}
$response = $client->get(self::GITHUB_SECRET_SCANNING_KEYS_URI, $options);
$keyResponse = json_decode($response->getBody()->getContents());
foreach ($keyResponse->public_keys as $key) {
if ($key->key_identifier === $publicKey) {
$publicKey = $key->key;
break;
}
}
if (!$publicKey) {
echo 'Public key not found for copilot request';
return false;
}
$key = openssl_pkey_get_public($publicKey);
$valid = openssl_verify($payload, base64_decode($signature), $key, self::ALGORITHM);
if ($valid < 0) {
echo 'Error verifying signature: ' . openssl_error_string();
return false;
}
return $valid === 1;
}
}
const PAYLOAD = '[{"source":"commit","token":"some_token","type":"some_type","url":"https://example.com/base-repo-url/"}]';
const SIGNATURE = "MEQCIQDaMKqrGnE27S0kgMrEK0eYBmyG0LeZismAEz/BgZyt7AIfXt9fErtRS4XaeSt/AO1RtBY66YcAdjxji410VQV4xg==";
const KEY_IDENTIFIER = "bcb53661c06b4728e59d897fb6165d5c9cda0fd9cdf9d09ead458168deb7518c";
$token = getenv('GITHUB_PRODUCTION_TOKEN');
$isValid = GithubSignatureVerifier::verify(SIGNATURE, KEY_IDENTIFIER, $token, PAYLOAD);
if ($isValid) {
echo "Signature is valid.";
} else {
echo "Signature is invalid.";
}