Conversation
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 0619cb0d4c
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
.. code-block:: bash

    flwr login
Use flwr login supergrid before app review
This step is likely to fail for default installs because flwr app review loads credentials for SUPERGRID_ADDRESS (framework/py/flwr/cli/app_cmd/review.py), while flwr login without an argument authenticates the current default SuperLink connection (which defaults to local in DEFAULT_FLOWER_CONFIG_TOML). In that common setup, users following this doc will hit Please log in before reviewing app. when they run review; the command here should explicitly match the SuperGrid login flow already documented in how-to-publish-app-on-hub.rst (flwr login supergrid).
Pull request overview
Adds a new Flower Hub how-to guide documenting app signing/review workflows and links it from existing Hub documentation so users can learn how to evaluate and trust app signatures.
Changes:
- Add a new “Sign Hub Apps” how-to guide covering key generation, account key registration, and flwr app review.
- Link the new signing guide from the Hub docs index and from the “use app” / “publish app” guides via tips.
- Update the How-to Guides toctree to include the new page.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| hub/docs/source/index.rst | Adds the new signing guide to the Hub “How-to Guides” toctree. |
| hub/docs/source/how-to-use-app-from-hub.rst | Adds a tip directing readers to check app verifications and linking to the signing guide. |
| hub/docs/source/how-to-sign-hub-apps.rst | New documentation page explaining how signing works and how to sign apps via CLI. |
| hub/docs/source/how-to-publish-app-on-hub.rst | Adds a tip pointing publishers to the signing guide for trusted reviewer verification. |
Generate an Ed25519 key pair in OpenSSH format:

.. code-block:: bash

    ssh-keygen -t ed25519 -f hub_signing_key -C "hub-review-key"

This creates:

- :code:`hub_signing_key` (private key, keep secret)
- :code:`hub_signing_key.pub` (public key)
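Review bot: `-f hub_signing_key` is a relative path, so the private key lands in whatever directory the reader runs the command from; if that is the app project, the file can end up in version control or in the packaged app, which defeats the "keep secret" note two lines below. Suggest an absolute path outside the project, e.g. `-f ~/.ssh/hub_signing_key`, and a sentence next to "(private key, keep secret)" saying it must never be committed or shipped with the app.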
The guide suggests generating an OpenSSH Ed25519 key with ssh-keygen, but the current CLI loader uses serialization.load_ssh_private_key(..., password=None), which does not support passphrase-protected keys. To prevent users from generating an encrypted key that flwr app review can't load, consider documenting that the key must be unencrypted (e.g., set an empty passphrase, or show ssh-keygen ... -N "").
Suggested change:

-Generate an Ed25519 key pair in OpenSSH format:
-.. code-block:: bash
-    ssh-keygen -t ed25519 -f hub_signing_key -C "hub-review-key"
-This creates:
-- :code:`hub_signing_key` (private key, keep secret)
-- :code:`hub_signing_key.pub` (public key)
+Generate an unencrypted Ed25519 key pair in OpenSSH format:
+.. code-block:: bash
+    ssh-keygen -t ed25519 -f hub_signing_key -C "hub-review-key" -N ""
+This creates:
+- :code:`hub_signing_key` (private key, keep secret)
+- :code:`hub_signing_key.pub` (public key)
+.. note::
+    The private key used with :code:`flwr app review` must currently be
+    unencrypted. Passphrase-protected OpenSSH private keys are not supported by
+    the current loader, so use an empty passphrase when generating the key.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 4329f77b1a
.. code-block:: bash

    ssh-keygen -t ed25519 -f hub_signing_key -C "hub-review-key"
Document unencrypted key requirement for app signing
The ssh-keygen example here can produce a passphrase-protected key, but flwr app review currently loads keys with serialization.load_ssh_private_key(..., password=None) (framework/py/flwr/supercore/primitives/asymmetric_ed25519.py:169-173), so encrypted OpenSSH keys fail during signing. Users who follow this guide and set a passphrase will hit private-key load errors despite using Ed25519/OpenSSH, so this step should explicitly require an unencrypted key (or document that passphrase-protected keys are unsupported).
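Both the Copilot comment and this Codex comment come down to the same failure mode: a passphrase-protected OpenSSH key reaches a loader called with password=None. The following is an added example, not Flower's code and not part of the PR: a standard-library preflight check that reads the openssh-key-v1 envelope, reports whether the key is encrypted (cipher or KDF other than "none"), and pulls out the public-key line, which is the same wire blob the `.pub` file carries. The sample keys it builds are constructed fixtures with a dummy public key, not real keys.

```python
# Added example (not Flower's code): preflight check for the key `flwr app review`
# loads with password=None. Parses the openssh-key-v1 envelope with the standard
# library only and reports whether it is passphrase protected. Fixtures are constructed.
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
PEM_HEAD = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_TAIL = "-----END OPENSSH PRIVATE KEY-----"

def _string(b):
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def _read_string(buf, off):
    """Decode one SSH 'string' at offset `off`; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_sample_key(encrypted):
    """Constructed fixture: a well-formed envelope around a dummy 32-byte public
    key and an opaque private section. Only the layout is realistic."""
    cipher, kdf = (b"aes256-ctr", b"bcrypt") if encrypted else (b"none", b"none")
    pub = _string(b"ssh-ed25519") + _string(bytes(range(32)))
    body = MAGIC + _string(cipher) + _string(kdf) + _string(b"") + struct.pack(">I", 1)
    body += _string(pub) + _string(b"\x00" * 64)  # private section, opaque here
    b64 = base64.b64encode(body).decode()
    return "\n".join([PEM_HEAD, *(b64[i:i + 70] for i in range(0, len(b64), 70)), PEM_TAIL])

def inspect_openssh_key(pem):
    """Return cipher, KDF, encryption flag and the public-key line of a key file."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != PEM_HEAD or lines[-1] != PEM_TAIL:
        raise ValueError("not an OpenSSH private key (PEM armour missing)")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic, not openssh-key-v1")
    cipher, off = _read_string(blob, len(MAGIC))  # "none" when unencrypted
    kdf, off = _read_string(blob, off)            # "bcrypt" when a passphrase was set
    _, off = _read_string(blob, off)              # kdfoptions (salt, rounds), skipped
    off += 4                                      # uint32 number of keys (1 here)
    pub_blob, _ = _read_string(blob, off)         # public part is never encrypted
    key_type, _ = _read_string(pub_blob, 0)
    return {
        "cipher": cipher.decode(),
        "kdf": kdf.decode(),
        "encrypted": cipher != b"none" or kdf != b"none",
        "public_line": f"{key_type.decode()} {base64.b64encode(pub_blob).decode()}",
    }
```

Run `inspect_openssh_key(open("hub_signing_key").read())` on a real key generated by the ssh-keygen command above; `encrypted` is True exactly when a passphrase was set, so a CLI can refuse the key with a clear message instead of failing inside the loader.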