https://github.com/mozilla-services/autograph-edge

Public endpoint of the Autograph signing service
https://github.com/mozilla-services/autograph-edge

Last synced: 3 months ago
JSON representation

Public endpoint of the Autograph signing service

• Host: GitHub
• URL: https://github.com/mozilla-services/autograph-edge
• Owner: mozilla-services
• Created: 2018-06-01T13:39:22.000Z (about 6 years ago)
• Default Branch: main
• Last Pushed: 2023-11-14T23:15:50.000Z (7 months ago)
• Last Synced: 2024-01-16T20:15:19.116Z (5 months ago)
• Language: Go
• Homepage: https://hub.docker.com/r/mozilla/autographedge/
• Size: 517 KB
• Stars: 4
• Watchers: 10
• Forks: 5
• Open Issues: 11
• Metadata Files:
  • Readme: README.md
  • Code of conduct: CODE_OF_CONDUCT.md

Lists

• awesome-stars - mozilla-services/autograph-edge - Public endpoint of the Autograph signing service (Go)
• awesome - mozilla-services/autograph-edge - Public endpoint of the Autograph signing service (others)

README

        
[![CircleCI](https://circleci.com/gh/mozilla-services/autograph-edge.svg?style=svg)](https://circleci.com/gh/mozilla-services/autograph-edge)

[![Coverage Status](https://coveralls.io/repos/github/mozilla-services/autograph-edge/badge.svg?branch=main)](https://coveralls.io/github/mozilla-services/autograph-edge?branch=main)

Autograph edge

==============

This is a small webapp that provides a public endpoint to autograph,

without exposing the entire service to the internet. It only supports XPI and

APK signing, and provides fine grained access control to only give clients the

ability to sign a given apk or xpi.

Client are expected to use curl - or similar - to interact with the webapp. An

unsigned file is submitted to the `/sign/` endpoint along with an authorization

client_token. The HTTP response contains the signed file.

```bash

curl -F "input=@/tmp/unsigned.apk" -o /tmp/signed.apk \

    -H "Authorization: " \

    https://autograph-edge.example.com/sign

```

Configuration

-------------

The yaml file `autograph-edge.yaml` the location of the autograph server in

`url` and a list of authorizations.

```yaml

authorizations:

    - client_token: c4180d2963fffdcd1cd5a1a343225288b964d8934b809a7d76941ccf67cc8547

      addonid: [email protected]

      user: alice

      key: fs5wgcer9qj819kfptdlp8gm227ewxnzvsuj9ztycsx08hfhzu

      signer: extensions-ecdsa

```

Each authorization has a `client_token` that clients send in their `Authorization` HTTP

headers.

The authorization also has a `user`, `key` and `signer` that are used to call

autograph (therefore these configuration items must come from the autograph

config).

If the authorization is for an add-on, it must also contain an `addonid`, which

is the ID of the add-on being signed. It can also include the optional params:

* `addonpkcs7digest`, a string of the PKCS7 digest algorithm to use

  (`"SHA1"` or `"SHA256"`). Defaults to `"SHA1"`.

* `addoncosealgorithms`, an array of strings for COSE Algorithms to

  sign the addon with. Defaults to an empty list [].

The sample configuration file in this repository can get you started.

Note that the client_token must be longer than 60 characters. You should use `openssl

rand -hex 32` to generate it.