sign method

Future<String> sign(
  List<int> data, {
  ServiceAccountCredentials? serviceAccountCredentials,
  String? serviceAccountEmail,
  String? endpoint,
})

Signs the given data using the credentials from this auth client.

This method has three modes of operation depending on the client and parameters:

  1. Impersonated client: If this client is an ImpersonatedAuthClient, signing is delegated to its sign method. The serviceAccountCredentials, serviceAccountEmail, and endpoint parameters of this extension method are ignored.

  2. Local signing with private key: If serviceAccountCredentials are provided, they are used to sign the data locally using RSA-SHA256 if the credentials have a private key. The serviceAccountEmail and endpoint parameters are ignored.

  3. IAM API signing: Otherwise, this will call the IAM Credentials API signBlob endpoint.

    • The serviceAccountEmail can be provided to specify which service account to use. If not provided, it will be inferred from the environment (e.g., GCE metadata server).
    • The endpoint is an optional custom IAM Credentials API endpoint. This is useful when working with different universe domains. If not provided, the endpoint is automatically determined from the credential's universe domain (e.g., https://iamcredentials.googleapis.com for the default universe, or a custom universe domain from the service account JSON).

Returns the signature as a String (base64-encoded).

Example:

import 'dart:convert';

final client = await clientViaServiceAccount(credentials, scopes);
final data = utf8.encode('data to sign');
final signature = await client.sign(
  data,
  serviceAccountCredentials: credentials,
);
// sign() returns the base64-encoded signature directly as a String.
print('Signature (base64): $signature');

Implementation

Future<String> sign(
  List<int> data, {
  ServiceAccountCredentials? serviceAccountCredentials,
  String? serviceAccountEmail,
  String? endpoint,
}) async {
  // Check if this is an impersonated client
  if (this is ImpersonatedAuthClient) {
    final impersonated = this as ImpersonatedAuthClient;
    return (await impersonated.sign(data)).signedBlob;
  }

  if (serviceAccountCredentials != null) {
    // Use local signing with service account credentials
    return base64Encode(serviceAccountCredentials.sign(data));
  }

  return (await signBlob(
    this,
    data,
    serviceAccountEmail: serviceAccountEmail,
    endpoint: endpoint,
  )).signedBlob;
}