Signature

[Keyrxng]

It's my understanding that the signature has been returned as a means of authentication between kernel and plugins.

• Most action plugins have a step which exposes the entire payload sent from the kernel, so it's also exposed, is this an issue?
• If it is, we know that GitHub automatically hides any variables that start/end with token, so while it may be hacky we could rename this like kernel-access-token or something and it'll be converted to ****

[0x4007]

@whilefoo @gentlementlegen rfc

[whilefoo]

Exposing the signature should not be a problem because you can't recover the private key from the signature

[Keyrxng]

Got it, it seemed to me that if someone copied and pasted a signature from any plugin they'd be able to get that signature verified but I'm unclear on the exact specifics of things but thanks for clearing it up @whilefoo

https://github.com/ubiquity-os/ubiquity-os-kernel/blob/ebf9635567d9dd872a411fba3ed03e03f51057be/src/sdk/signature.ts#L20