autograph-edge

command module
v0.0.0-...-c3aa97b Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 8, 2025 License: MPL-2.0 Imports: 23 Imported by: 0

README

[!IMPORTANT]
This repository has been archived since Oct 8, 2025 as there are no more users. More details can be found in AUT-450. Work is planned to support signing from GitHub Actions or Bitrise using hosted github action runner (AUT-468) if Autograph signing is required outside of the supported relying parties.

CircleCI

Coverage Status

Autograph edge

This is a small webapp that provides a public endpoint to autograph, without exposing the entire service to the internet. It only supports XPI and APK signing, and provides fine grained access control to only give clients the ability to sign a given apk or xpi.

Client are expected to use curl - or similar - to interact with the webapp. An unsigned file is submitted to the /sign/ endpoint along with an authorization client_token. The HTTP response contains the signed file.

curl -F "input=@/tmp/unsigned.apk" -o /tmp/signed.apk \
    -H "Authorization: <secret token>" \
    https://autograph-edge.example.com/sign

Configuration

The yaml file autograph-edge.yaml the location of the autograph server in url and a list of authorizations.

authorizations:
    - client_token: c4180d2963fffdcd1cd5a1a343225288b964d8934b809a7d76941ccf67cc8547
      addonid: [email protected]
      user: alice
      key: fs5wgcer9qj819kfptdlp8gm227ewxnzvsuj9ztycsx08hfhzu
      signer: extensions-ecdsa

Each authorization has a client_token that clients send in their Authorization HTTP headers.

The authorization also has a user, key and signer that are used to call autograph (therefore these configuration items must come from the autograph config).

If the authorization is for an add-on, it must also contain an addonid, which is the ID of the add-on being signed. It can also include the optional params:

  • addonpkcs7digest, a string of the PKCS7 digest algorithm to use ("SHA1" or "SHA256"). Defaults to "SHA1".
  • addoncosealgorithms, an array of strings for COSE Algorithms to sign the addon with. Defaults to an empty list [].

The sample configuration file in this repository can get you started.

Note that the client_token must be longer than 60 characters. You should use openssl rand -hex 32 to generate it.

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

View all Source files

Directories

Path Synopsis
Package mock_main is a generated GoMock package.
 Package mock_main is a generated GoMock package.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.