From MozillaWiki


Current implementation is at


The server can currently be run without arguments:


It expects a bunch of files and directories to be available locally (

  • - the script that does the actual signing. It gets called with 4 arguments: outputdir, hash, inputfile, orig_filename.
  • host.pem - SSL private key and certificate to use for the web server
  • signed-files / unsigned-files - directories for signed and unsigned files respectively
  • secrets - a list of acceptable secret values, one per line


The client takes a bunch of arguments:

 python -H localhost -p 8080 -c host.cert -s ~/.ssh/ffxbld_dsa -o foo-signed foo

This will sign 'foo' and save the result as 'foo-signed'.


  • paste - for threaded HTTPS server
  • IPy - for IP address calculation and validation on the server
  • poster - for multipart/form-encode uploads on the client


  • Make server parameters configurable via .ini for cmdline
  • Have a real set of acceptable filenames and network addresses
  • Implement a real signing script
  • Test it!
  • Remove unnecessary dependencies (poster maybe?)


Run a web app on keymaster that has a basic API:

  POST /sign
  returns a signing id
  HEAD /sign/<filehash>[.out|.status]
    indicates if file is available
  GET /sign/<filehash>[.out|.status]
    returns file

secret is a pre-arranged secret value. One example would be the sha1sum of ~/.ssh/ffxbld_dsa. The server has a list of acceptable secret values.


  • Connection between slave and keymaster must be encrypted (https)
  • app on keymaster must have a list of acceptable files to sign (e.g. Firefox X.Y.Z.exe, not files inside archives)
  • signing app must have a minimum binary size to sign; it should sanity-check sizes
  • restrict connections by IP
  • slave should include a hash or other transformation of .ssh/ffxbld so the signing app can verify that it is indeed a build slave
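The following is an added example (not code from the signing server described on this page) showing how the API sketched above and the security requirements in this list fit together on the keymaster side. The acceptable-filename pattern, the 10.0.0.0/8 slave network, the 1024-byte minimum size and the `SigningQueue` / `check_request` names are assumptions chosen for illustration; the secret is the sha1sum of the slave's key file as the page suggests, and it is compared in constant time so that a rejected request reveals nothing about the accepted values.

```python
import hashlib
import hmac
import ipaddress
import re

# Hypothetical policy values; a real deployment would load these from config.
ACCEPTABLE_NAMES = re.compile(r"^Firefox \d+\.\d+(\.\d+)?\.exe$")
MIN_SIZE = 1024                                    # assumed minimum binary size
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed build-slave network


def load_secrets(path):
    """Read the 'secrets' file: one acceptable secret per line."""
    with open(path) as f:
        return [line.strip() for line in f if line.strip()]


def secret_from_key(key_bytes):
    """Secret derived from the slave's key file, i.e. sha1sum of ~/.ssh/ffxbld_dsa."""
    return hashlib.sha1(key_bytes).hexdigest()


def secret_ok(presented, secrets):
    # Compare against every entry so timing does not reveal which one matched.
    return any(hmac.compare_digest(presented, s) for s in secrets)


def check_request(presented_secret, filename, size, client_ip, secrets):
    """Apply the page's checks in order; returns (ok, reason)."""
    if not any(ipaddress.ip_address(client_ip) in n for n in ALLOWED_NETS):
        return False, "ip not allowed"
    if not secret_ok(presented_secret, secrets):
        return False, "bad secret"
    if not ACCEPTABLE_NAMES.match(filename):
        return False, "filename not acceptable"
    if size < MIN_SIZE:
        return False, "file too small"
    return True, "ok"


def parse_path(path):
    """Parse /sign/<filehash>[.out|.status]; returns (hash, suffix) or None."""
    m = re.match(r"^/sign/([0-9a-f]{40})(\.out|\.status)?$", path)
    if not m:
        return None
    return m.group(1), m.group(2) or ""


class SigningQueue:
    """In-memory stand-in for the unsigned-files / signed-files directories."""

    def __init__(self, sign_func):
        self._unsigned = {}   # hash -> (orig_filename, bytes)
        self._out = {}        # hash -> signed bytes
        self._status = {}     # hash -> status text
        self._sign = sign_func

    def post(self, data, orig_filename):
        """POST /sign: store the upload and return the signing id (file hash)."""
        h = hashlib.sha1(data).hexdigest()
        self._unsigned[h] = (orig_filename, data)
        self._status[h] = "queued"
        return h

    def process(self, h):
        """Run the signing script for one queued file (done out of band in reality)."""
        name, data = self._unsigned[h]
        self._out[h] = self._sign(data, name)
        self._status[h] = "done"

    def _resource(self, path):
        parsed = parse_path(path)
        if parsed is None:
            return None
        h, suffix = parsed
        if suffix == ".status":
            status = self._status.get(h)
            return None if status is None else status.encode()
        return self._out.get(h)   # ".out" or no suffix: the signed file

    def head(self, path):
        """HEAD /sign/<hash>...: 200 if the resource is available, else 404."""
        return 200 if self._resource(path) is not None else 404

    def get(self, path):
        """GET /sign/<hash>...: (status, body)."""
        body = self._resource(path)
        return (200, body) if body is not None else (404, b"")
```

A slave would call `check_request` on the server's behalf only indirectly: the server runs it on every POST before anything touches the unsigned-files directory, and the IP test runs first so that unexpected hosts are dropped before the secret is even compared.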