From 55f5ef07f9245c370e04bc0a6b1cc994d9b044bc Mon Sep 17 00:00:00 2001
From: Jon Wayne Parrott
Date: Tue, 13 Dec 2016 14:46:43 -0800
Subject: [PATCH 1/2] Add app_engine.Signer
---
 google/auth/app_engine.py | 33 +++++++++++++++++++++++++++++----
 google/auth/crypt.py | 2 +-
 2 files changed, 30 insertions(+), 5 deletions(-)
diff --git a/google/auth/app_engine.py b/google/auth/app_engine.py
index 608651d84..56800df93 100644
--- a/google/auth/app_engine.py
+++ b/google/auth/app_engine.py
@@ -12,10 +12,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-"""Google App Engine standard environment credentials.
+"""Google App Engine standard environment support.
-This module provides authentication for application running on App Engine in
-the standard environment using the `App Identity API`_.
+This module provides authentication and signing for applications running on App
+Engine in the standard environment using the `App Identity API`_.
 .. _App Identity API:
@@ -33,6 +33,31 @@
 app_identity = None
+class Signer(object):
+ """Signs messages using the App Engine app identity service.
+
+ This can be used in place of :class:`google.auth.crypt.Signer` when
+ running in the App Engine standard environment.
+ """
+ def __init__(self):
+ self.key_id = None
+
+ def sign(self, message):
+ """Signs a message.
+
+ Args:
+ message (Union[str, bytes]): The message to be signed.
+
+ Returns:
+ bytes: The signature of the message.
+ """
+ # pylint: disable=no-self-use
+ # Locally disabled because this needs to confirm the to Signer
+ # interface.
+ message = _helpers.to_bytes(message)
+ return app_identity.sign_blob(message)
+
+
 def get_project_id():
 """Gets the project ID for the current App Engine application.
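Review bot: `Signer.sign` in the `@@ -33,6 +33,31 @@` hunk returns the result of `app_identity.sign_blob(message)` unchanged, but the App Identity API documents that call as returning a `(signing_key_name, signature)` tuple, so callers receive a tuple where the docstring promises `bytes`. Code that encodes the return value into a JWT or signed URL is then likely to fail or to produce a token that cannot be verified. Unpack the result instead: `_, signature = app_identity.sign_blob(message)` followed by `return signature`. The same value flows out through `sign_bytes` in the `@@ -109,7 +134,7 @@` hunk, and the return line is still unchanged context in the `@@ -51,9 +52,6 @@` hunk of PATCH 2/2.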
@@ -109,7 +134,7 @@ def with_scopes(self, scopes):
 @_helpers.copy_docstring(credentials.Signing)
 def sign_bytes(self, message):
- return app_identity.sign_blob(message)
+ return Signer().sign(message)
 @property
 @_helpers.copy_docstring(credentials.Signing)
diff --git a/google/auth/crypt.py b/google/auth/crypt.py
index d347600f0..c3ea2e6d8 100644
--- a/google/auth/crypt.py
+++ b/google/auth/crypt.py
@@ -186,7 +186,7 @@ def sign(self, message):
 message (Union[str, bytes]): The message to be signed.
 Returns:
- bytes: The signature of the message for the given key.
+ bytes: The signature of the message.
 """
 message = _helpers.to_bytes(message)
 return rsa.pkcs1.sign(message, self._key, 'SHA-256')
From a0272443e16f216a0daa2af04a8f27919df8fd3e Mon Sep 17 00:00:00 2001
From: Jon Wayne Parrott
Date: Tue, 13 Dec 2016 16:04:48 -0800
Subject: [PATCH 2/2] Address comments
---
 google/auth/app_engine.py | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/google/auth/app_engine.py b/google/auth/app_engine.py
index 56800df93..846bcec08 100644
--- a/google/auth/app_engine.py
+++ b/google/auth/app_engine.py
@@ -42,7 +42,8 @@ class Signer(object):
 def __init__(self):
 self.key_id = None
- def sign(self, message):
+ @staticmethod
+ def sign(message):
 """Signs a message.
 Args:
@@ -51,9 +52,6 @@ def sign(self, message):
 Returns:
 bytes: The signature of the message.
 """
- # pylint: disable=no-self-use
- # Locally disabled because this needs to confirm the to Signer
- # interface.
 message = _helpers.to_bytes(message)
 return app_identity.sign_blob(message)
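Review bot: Making `sign` a `@staticmethod` in the `@@ -42,7 +42,8 @@` hunk means `key_id` can never be anything but the `None` set in `__init__`, even though the signing call is the one place where the service can report which key it used (presumably the first element of what `sign_blob` returns; confirm against the App Identity docs). If App Engine rotates its signing keys, as I believe it does, a verifier given no key id has to try every published certificate. Either keep `sign` an instance method so it can record the key name, or state the limitation on the class with a comment such as `# key_id stays None: App Engine selects the signing key per call`. The `class Signer` statement itself lies outside this hunk.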