User:Catlee/AutomatedSigning

From MozillaWiki

Prototype

The current implementation is at http://hg.mozilla.org/users/catlee_mozilla.com/tools/file/signing-server/release/signing

Server

The server can currently be run without arguments:

 python signing-server.py

It expects the following files and directories to be available locally (see http://hg.mozilla.org/users/catlee_mozilla.com/tools/file/fb470aacc74d/release/signing/signing-server.py#l207):

  • signscript.sh - the script that does the actual signing. It is called with 4 arguments: outputdir, hash, inputfile, orig_filename.
  • host.pem - SSL private key and certificate for the web server. The private key stays on the server; the client only needs the certificate (the host.cert passed with -c below).
  • signed-files / unsigned-files - directories for signed and unsigned files
  • secrets - a list of acceptable secret values, one per line

Client

The client takes a bunch of arguments:

 python signing-client.py -H localhost -p 8080 -c host.cert -s ~/.ssh/ffxbld_dsa -o foo-signed foo

This signs 'foo' and saves the signed result as 'foo-signed'.

Dependencies

  • paste - for threaded HTTPS server
  • IPy - for IP address calculation and validation on the server
  • poster - for multipart/form-data uploads on the client

TODO

  • Make server parameters configurable via an .ini file or the command line
  • Have a real set of acceptable filenames and network addresses
  • Implement a real signing script
  • Test it!
  • Remove unnecessary dependencies (poster maybe?)

Protocol

Run a web app on keymaster that has a basic API:

  POST /sign
    filedata=...
    sha1=...
    filename=...
    secret=...
  returns a signing id
  HEAD /sign/<filehash>[.out|.status]
    indicates if file is available
  GET /sign/<filehash>[.out|.status]
    returns file

secret is a pre-arranged secret value. One example would be the sha1sum of ~/.ssh/ffxbld_dsa. The server has a list of acceptable secret values and accepts a request only if the presented secret matches one of them. Note that such a value is a static bearer token: it is sent in full with every request, so anyone who learns it (from the server's secrets file or from a client that leaks it) can submit files for signing. Comparing it with a constant-time comparison avoids leaking it byte by byte through timing.

Notes

  • Connection between slave and keymaster must be encrypted (https), and the slave should verify the server's certificate (the client is handed one with -c) rather than accept any certificate
  • app on keymaster must have a list of acceptable files to sign (e.g. Firefox X.Y.Z.exe, not files inside archives), and must reject anything not on it
  • signing app must enforce a minimum binary size for files it signs, and should sanity check sizes in general
  • restrict connections by source IP address (the IPy dependency is for this)
  • slave should include a hash or other transformation of ~/.ssh/ffxbld so the signing app can verify that it is indeed a build slave. A plain hash sent with each request is a fixed value that can be replayed; a keyed MAC over the request (keyed with that value) or a challenge-response would prove possession without transmitting the secret itself.
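The request/response logic of the /sign protocol above together with the checks in the Notes list, written out as an added example; this is not code from the signing-server repository. It drives the server object directly with the already-decoded form fields, so HTTPS, the multipart encoding and the background signing job are left out, and the signing step is a stand-in for signscript.sh. SigningServer, client_sign, fake_sign, the filename allow-list, the 10.0.0.0/8 slave network and the 16-byte minimum size are all assumptions made for the illustration.

```python
import hashlib
import hmac
import ipaddress

# Policy values assumed for this example only.
ALLOWED_FILENAMES = {"firefox-setup.exe"}                 # constructed allow-list
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]   # constructed slave network
MIN_SIZE = 16                                             # bytes; a real threshold is far larger


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def secret_from_key(key_bytes):
    """The page's example secret: the sha1sum of the slave's ~/.ssh/ffxbld_dsa."""
    return sha1_hex(key_bytes)


def fake_sign(data, filename):
    """Stand-in for signscript.sh (a real signing script is still a TODO on the page)."""
    return data + b"\n# signed: " + filename.encode()


class SigningServer:
    """Request logic of the keymaster web app, without the HTTP/TLS transport."""

    def __init__(self, secrets_file_text, sign):
        # 'secrets' file: one acceptable secret per line
        self.secrets = [s.strip() for s in secrets_file_text.splitlines() if s.strip()]
        self.sign = sign
        self.jobs = {}   # filehash -> {"status": str, "out": bytes or None}

    def _secret_ok(self, presented):
        # Constant-time compare against every entry; no early exit on a match.
        ok = False
        for s in self.secrets:
            ok |= hmac.compare_digest(s.encode(), presented.encode())
        return ok

    def post_sign(self, remote_ip, fields):
        """POST /sign with the decoded form fields; returns (status, body)."""
        ip = ipaddress.ip_address(remote_ip)
        if not any(ip in net for net in ALLOWED_NETWORKS):
            return 403, b"source address not allowed"
        if not self._secret_ok(fields.get("secret", "")):
            return 403, b"bad secret"
        filename = fields.get("filename", "")
        if filename not in ALLOWED_FILENAMES:
            return 400, b"filename not allowed"
        data = fields.get("filedata", b"")
        if len(data) < MIN_SIZE:
            return 400, b"file too small"
        digest = sha1_hex(data)
        if not hmac.compare_digest(digest.encode(), fields.get("sha1", "").encode()):
            return 400, b"sha1 does not match upload"
        if digest not in self.jobs:
            self.jobs[digest] = {"status": "pending", "out": None}
            # The prototype signs in the background; done inline here.
            self.jobs[digest]["out"] = self.sign(data, filename)
            self.jobs[digest]["status"] = "done"
        return 200, digest.encode()   # the signing id is the file hash

    def _lookup(self, path):
        """Resolve /sign/<filehash>[.out|.status] to the bytes it names, or None."""
        if not path.startswith("/sign/"):
            return None
        name = path[len("/sign/"):]
        if name.endswith(".status"):
            job = self.jobs.get(name[:-len(".status")])
            return job["status"].encode() if job else None
        if name.endswith(".out"):
            name = name[:-len(".out")]
        job = self.jobs.get(name)
        return job["out"] if job else None

    def head(self, path):
        """HEAD: 200 if the named resource is available, else 404."""
        return 200 if self._lookup(path) is not None else 404

    def get(self, path):
        """GET: (200, bytes) if available, else (404, b'')."""
        body = self._lookup(path)
        return (200, body) if body is not None else (404, b"")


def client_sign(server, remote_ip, secret, filename, data):
    """What signing-client.py does: POST the file, check availability, fetch the result."""
    status, body = server.post_sign(remote_ip, {
        "filedata": data,
        "sha1": sha1_hex(data),
        "filename": filename,
        "secret": secret,
    })
    if status != 200:
        raise RuntimeError("sign request rejected: %r" % body)
    signing_id = body.decode()
    if server.head("/sign/%s.out" % signing_id) != 200:
        raise RuntimeError("signed file not available yet")
    return server.get("/sign/%s.out" % signing_id)[1]


if __name__ == "__main__":
    FAKE_KEY = b"-----BEGIN DSA PRIVATE KEY-----\nconstructed, not a real key\n"
    secret = secret_from_key(FAKE_KEY)
    server = SigningServer(secret + "\n", fake_sign)
    print(client_sign(server, "10.1.2.3", secret, "firefox-setup.exe", b"MZ" + b"\x90" * 30))
```

Every rejection path returns before any signing work is done, and the sha1 check ties the uploaded bytes to the hash the client claims, so the signing id (the hash) cannot be made to refer to different content later.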