项目作者: mozilla-services

项目描述 :
数字签名微服务
高级语言: Go
项目地址: git://github.com/mozilla-services/autograph.git
创建时间: 2016-01-05T17:55:26Z
项目社区:https://github.com/mozilla-services/autograph

开源协议:Mozilla Public License 2.0

下载


Autograph

Autograph is a cryptographic signature service that implements
Content-Signature,
XPI Signing for Firefox web extensions,
MAR Signing for Firefox updates,
APK Signing for Android,
GPG2
and RSA.

CircleCI
Coverage Status
Dependabot Status

Why is it called “autograph”? Because it’s a service to sign stuff.

Installation

Use Docker whenever possible. The golang version on your machine is likely not the correct version for autograph.

Using Docker

docker pull mozilla/autograph && docker run mozilla/autograph

This will download the latest build of autograph from DockerHub and run it with its dev configuration.

Local Development

Local Development with Docker

(This process will start a number of gpg-agent processes on your host machine,
then does a killall gpg-agent to clean up.)

After making any changes, please test locally by:

  1. make build # updates local docker images
  2. make integration-test # must pass
  3. docker compose run unit-test # runs unit tests in container, must pass

[!Note]
You must monitor the output of docker to detect when the unit tests have completed. Otherwise, it will run forever with heartbeat messages. The following pipeline is useful (and available in the Makefile as target test-in-docker):
FIXME: Note dependency between autograph app and monitor and all the Dockerfiles

  1. docker compose up 2>&1 | tee compose.log \
  2. | (grep --silent "autograph-unit-test exited with code" && docker compose down; \
  3. grep "autograph-unit-test" compose.log)

Running autograph in docker interactively

There are two make commands to help troubleshoot the docker environment. Ex: install additional packages, modify code, rebuild, etc.

  1. make build-and-run-interactive
  2. make pull-and-run-interactive

Using go get

Do Not Use unless you are an experienced golang developer.

If you don’t yet have a GOPATH, export one:

  1. $ export GOPATH=$HOME/go
  2. $ mkdir $GOPATH

Install ltdl:

  • on Ubuntu: ltdl-dev
  • on RHEL/Fedora/Arch: libtool-ltdl-devel
  • on MacOS: libtool (NB: this might require brew unlink libtool && brew link libtool)

Then download and build autograph:

  1. $ go get github.com/mozilla-services/autograph

The resulting binary will be placed in $GOPATH/bin/autograph. To run autograph with the example conf, do:

  1. $ cd $GOPATH/src/github.com/mozilla-services/autograph
  2. $ $GOPATH/bin/autograph -c autograph.yaml

Example clients are in the tools directory. You can install the Go one like this:

  1. $ go get github.com/mozilla-services/autograph/tools/autograph-client
  2. $ $GOPATH/bin/autograph-client -u alice -p fs5wgcer9qj819kfptdlp8gm227ewxnzvsuj9ztycsx08hfhzu -t http://localhost:8000/sign/data -r '[{"input": "Y2FyaWJvdW1hdXJpY2UK"}]'
  3. 2016/08/23 17:25:55 signature 0 pass

Documentation

Signers

Signing

Autograph exposes a REST API that services can query to request signature of
their data. Autograph knows which key should be used to sign the data of a
service based on the service’s authentication token. Access control and rate
limiting are performed at that layer as well.

signing.png