generationThis change amends the `http-signature-dir` to print an error logwhendirectories mistakenly sign `@authority` without the `req`parameter.It fixes a bug with the example signature agent card generation whereonly the host component was used to sign `@authority`, rather than thefull host and port pair (i.e. the _actual_ authority component). Thisled to verifiers being unable to verify generated signatures.It fixes some minor comments and superfluous Github Actions changes,and does some basic refactoring to make the logic a bit morestraightforward in the example. Importantly, it also adds the`alg` parameter in generated signatures - this is in line with theopinionated signing we do, whereby other elements normal to web bot authare also enforced for arbitrary HTTP signatures.

These include some pretty significant and breaking changes:1. Dependency on `time` library is now required instead of `std::time`   for all API users. As a bonus, however, we gain support on Cloudflare   Workers as well as removal of a class of errors related to system   clocks and `created` / `expires` parsing.2. A number of constructs were removed: `WebBotAuthSignedMessage`,   `SignedMessage::fetch_all_signature_headers` and   `SignedMessage::fetch_all_signature_inputs`. The library now exposes   a single method to look up components to verify.3. `Signature-Agent` can now be parsed as a dictionary, but retains   support for being parsed as a raw string.4. It enforces use of `req` parameter in `http-message-dir`. This is in   line with the specification, but can break verification of existing   sites.These changes are sufficiently breaking enough to justify using semverbump.I also removed the pin to Rust v1.87 in the Github Actions handler. Thisensures we're building against the latest available Rust version.

thibmeu left a comment