
Commit 8068adf

committed
docs(go-sdk): use timestamped env key verification examples
1 parent 5a84fab commit 8068adf


1 file changed

+15
-2
lines changed


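--- a/sdk/go/README.md
+++ b/sdk/go/README.md
@@ -289,6 +289,7 @@ The SDK provides end-to-end encryption capabilities for securely transmitting se
 import (
 "encoding/hex"
 "fmt"
+"time"
 
 "github.com/Dstack-TEE/dstack/sdk/go/dstack"
 )
@@ -310,13 +311,23 @@ signature := "e1f2g3h4..." // From KMS API
 publicKeyBytes, _ := hex.DecodeString(publicKey)
 signatureBytes, _ := hex.DecodeString(signature)
 
-trustedPubkey, err := dstack.VerifyEnvEncryptPublicKey(publicKeyBytes, signatureBytes, "your-app-id-hex")
+// Prefer timestamped verification to prevent replay attacks.
+timestamp := uint64(time.Now().Unix()) // should come from KMS API response
+trustedPubkey, err := dstack.VerifyEnvEncryptPublicKeyWithTimestamp(
+publicKeyBytes,
+signatureBytes,
+"your-app-id-hex",
+timestamp,
+nil, // use default freshness policy (max age 300s)
+)
 if err != nil || trustedPubkey == nil {
 log.Fatal("KMS API provided untrusted encryption key")
 }
 
 fmt.Println("Verified KMS public key:", hex.EncodeToString(trustedPubkey))
 
+// Note: VerifyEnvEncryptPublicKey() is kept for legacy compatibility (without timestamp check).
+
 // 4. Encrypt environment variables for secure deployment
 encryptedData, err := dstack.EncryptEnvVars(envVars, publicKey)
 if err != nil {
@@ -608,6 +619,7 @@ Verify the authenticity of encryption public keys provided by KMS APIs:
 ```go
 import (
 "encoding/hex"
+"time"
 "github.com/Dstack-TEE/dstack/sdk/go/dstack"
 )
 
@@ -616,7 +628,8 @@ publicKey, _ := hex.DecodeString("e33a1832c6562067ff8f844a61e51ad051f1180b66ec25
 signature, _ := hex.DecodeString("8542c49081fbf4e03f62034f13fbf70630bdf256a53032e38465a27c36fd6bed7a5e7111652004aef37f7fd92fbfc1285212c4ae6a6154203a48f5e16cad2cef00")
 appID := "0000000000000000000000000000000000000000"
 
-kmsIdentity, err := dstack.VerifyEnvEncryptPublicKey(publicKey, signature, appID)
+timestamp := uint64(time.Now().Unix()) // should come from KMS API response
+kmsIdentity, err := dstack.VerifyEnvEncryptPublicKeyWithTimestamp(publicKey, signature, appID, timestamp, nil)
 
 if err == nil && kmsIdentity != nil {
 fmt.Println("Trusted KMS identity:", hex.EncodeToString(kmsIdentity))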
