Autograph is a cryptographic signature service that implements Content-Signature, XPI Signing for Firefox web extensions, MAR Signing for Firefox updates, APK Signing for Android, GPG2 and RSA.
Why is it called "autograph"? Because it's a service to sign stuff.
Use Docker whenever possible. The golang version on your machine is likely not the correct version for autograph.
docker pull mozilla/autograph && docker run mozilla/autograph
This will download the latest build of autograph from DockerHub and run it with its dev configuration.
(This process will start a number of gpg-agent processes on your host machine, then run killall gpg-agent to clean up.)
After making any changes, please test locally by:
make build # updates local docker images
make integration-test # must pass
docker compose up # runs unit tests in container, must pass
Note: you must monitor the output of docker to detect when the unit tests have completed. Otherwise, it will run forever with heartbeat messages. The following pipeline is useful (and available in the Makefile as target test-in-docker):
docker compose up 2>&1 | tee compose.log \
| (grep --silent "autograph-unit-test exited with code" && docker compose down; \
grep "autograph-unit-test" compose.log)
Do Not Use unless you are an experienced golang developer.
If you don't yet have a GOPATH, export one:
$ export GOPATH=$HOME/go
$ mkdir $GOPATH
Install ltdl:
- on Ubuntu: ltdl-dev
- on RHEL/Fedora/Arch: libtool-ltdl-devel
- on MacOS: libtool (NB: this might require brew unlink libtool && brew link libtool)
Then download and build autograph:
$ go get github.com/mozilla-services/autograph
The resulting binary will be placed in $GOPATH/bin/autograph. To run autograph with the example conf, do:
$ cd $GOPATH/src/github.com/mozilla-services/autograph
$ $GOPATH/bin/autograph -c autograph.yaml
Example clients are in the tools directory. You can install the Go one like this:
$ go get github.com/mozilla-services/autograph/tools/autograph-client
$ $GOPATH/bin/autograph-client -u alice -p fs5wgcer9qj819kfptdlp8gm227ewxnzvsuj9ztycsx08hfhzu -t http://localhost:8000/sign/data -r '[{"input": "Y2FyaWJvdW1hdXJpY2UK"}]'
2016/08/23 17:25:55 signature 0 pass
Autograph exposes a REST API that services can query to request signatures of their data. Autograph selects the key used to sign a service's data based on that service's authentication token. Access control and rate limiting are performed at that layer as well.
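The following is an added example, not code from the autograph repository. It shows how a client can bind its credentials to the exact request body sent to /sign/data. It assumes the authentication token is a Hawk credential pair with payload hashing; this section does not name the scheme. The function names, timestamp and nonce are constructed for illustration, and the user, key and URL are taken from the autograph-client command above.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// buildBody base64-encodes the data and wraps it in the JSON array passed via -r above.
func buildBody(data []byte) []byte {
	type sigRequest struct {
		Input string `json:"input"`
	}
	body, _ := json.Marshal([]sigRequest{{Input: base64.StdEncoding.EncodeToString(data)}})
	return body
}

// hawkHeader builds a Hawk Authorization header (assumed scheme): an HMAC over
// timestamp, nonce, method, path, host, port and a hash of the request body.
func hawkHeader(id, key, method, target, ctype string, body []byte, ts int64, nonce string) (string, error) {
	u, err := url.Parse(target)
	if err != nil {
		return "", err
	}
	port := u.Port()
	if port == "" {
		port = map[string]string{"http": "80", "https": "443"}[u.Scheme]
	}
	ph := sha256.Sum256([]byte("hawk.1.payload\n" + ctype + "\n" + string(body) + "\n"))
	hash := base64.StdEncoding.EncodeToString(ph[:])
	// The trailing empty line is the unused "ext" field.
	normalized := fmt.Sprintf("hawk.1.header\n%d\n%s\n%s\n%s\n%s\n%s\n%s\n\n",
		ts, nonce, strings.ToUpper(method), u.RequestURI(), strings.ToLower(u.Hostname()), port, hash)
	m := hmac.New(sha256.New, []byte(key))
	m.Write([]byte(normalized))
	mac := base64.StdEncoding.EncodeToString(m.Sum(nil))
	return fmt.Sprintf(`Hawk id="%s", ts="%d", nonce="%s", hash="%s", mac="%s"`, id, ts, nonce, hash, mac), nil
}

func main() {
	body := buildBody([]byte("cariboumaurice\n"))
	// Constructed ts and nonce; a real client uses the current time and a fresh random nonce.
	h, _ := hawkHeader("alice", "fs5wgcer9qj819kfptdlp8gm227ewxnzvsuj9ztycsx08hfhzu", "POST",
		"http://localhost:8000/sign/data", "application/json", body, 1471973155, "c0nstr")
	fmt.Printf("%s\nAuthorization: %s\n", body, h)
}
```

Because the body hash is part of the MAC input, a request whose payload is altered in transit no longer matches its Authorization header.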