User:Catlee/AutomatedSigning
From MozillaWiki
Prototype
Current implementation is at http://hg.mozilla.org/users/catlee_mozilla.com/tools/file/signing-server/release/signing
Server
The server can currently be run without arguments:
python signing-server.py
It expects a bunch of files and directories to be available locally (http://hg.mozilla.org/users/catlee_mozilla.com/tools/file/fb470aacc74d/release/signing/signing-server.py#l207):
- signscript.sh - the script that does the actual signing. It gets called with 4 arguments: outputdir, hash, inputfile, orig_filename.
- host.pem - SSL private key and certificate to use for the web server
- signed-files / unsigned-file - directories for signed and unsigned files, respectively
- secrets - a list of acceptable secret values, one per line
Client
The client takes a bunch of arguments:
python signing-client.py -H localhost -p 8080 -c host.cert -s ~/.ssh/ffxbld_dsa -o foo-signed foo
This will sign 'foo' and save the result as 'foo-signed'.
Dependencies
- paste - for threaded HTTPS server
- IPy - for IP address calculation and validation on the server
- poster - for multipart/form-encode uploads on the client
TODO
- Make server parameters configurable via an .ini file or the command line
- Have a real set of acceptable filenames and network addresses
- Implement a real signing script
- Test it!
- Remove unnecessary dependencies (poster maybe?)
Protocol
Run a web app on keymaster that has a basic API:
POST /sign filedata=... sha1=... filename=... secret=... returns a signing id
HEAD /sign/<filehash>[.out|.status] indicates if file is available
GET /sign/<filehash>[.out|.status] returns file
secret is a pre-arranged secret value. One example would be the sha1sum of ~/.ssh/ffxbld_dsa. The server has a list of acceptable secret values.
Notes
- Connection between slave and keymaster must be encrypted (https)
- app on keymaster must have a list of acceptable files to sign (e.g. Firefox X.Y.Z.exe, not files inside archives)
- signing app must enforce a minimum binary size before signing; it should sanity-check sizes
- restrict connections by IP
- slave should include a hash or other transformation of .ssh/ffxbld so signing app can verify that it is indeed a build slave
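The checks listed in the Protocol and Notes sections, gathered into one server-side validation routine for a POST /sign request. This is an added illustration, not code from the signing-server prototype; it is written for Python 3 and uses the standard-library ipaddress module in place of IPy, and the secret, filename pattern, network and minimum size are constructed placeholders for the allow-lists the TODO says still need to be defined.

```python
import hashlib
import hmac
import ipaddress
import re

# Constructed policy values standing in for the 'secrets' file and the
# "real set of acceptable filenames and network addresses" from the TODO list.
EXAMPLE_SECRET = hashlib.sha1(b"constructed-ffxbld_dsa-key").hexdigest()
ALLOWED_SECRETS = {EXAMPLE_SECRET}
ALLOWED_FILENAMES = re.compile(r"^Firefox \d+\.\d+(\.\d+)?\.exe$")
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
MIN_BINARY_SIZE = 4096  # bytes; chosen for the example, not from the page


def file_hash(filedata):
    """sha1 of the uploaded bytes; doubles as the id in /sign/<filehash>."""
    return hashlib.sha1(filedata).hexdigest()


def validate_sign_request(filedata, sha1, filename, secret, client_ip):
    """Return (ok, reason_or_signing_id) for one POST /sign request.

    Each check is one of the notes above: pre-arranged secret, client IP
    restriction, filename allow-list, minimum size, and the client-supplied
    sha1 must match what was actually uploaded.
    """
    # Constant-time comparison so response timing does not reveal how much
    # of a guessed secret matched.
    secret_b = secret.encode("utf-8")
    if not any(hmac.compare_digest(secret_b, s.encode("utf-8")) for s in ALLOWED_SECRETS):
        return False, "bad secret"
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "client address not permitted"
    if not any(addr in net for net in ALLOWED_NETWORKS):
        return False, "client address not permitted"
    if not ALLOWED_FILENAMES.match(filename):
        return False, "filename not on allow-list"
    if len(filedata) < MIN_BINARY_SIZE:
        return False, "file below minimum size"
    actual = file_hash(filedata)
    if not hmac.compare_digest(actual.encode("ascii"), sha1.lower().encode("utf-8")):
        return False, "sha1 does not match uploaded data"
    return True, actual
```

Checks that are cheap and reject the most traffic (secret, address) run first, so an unauthenticated client never gets as far as the file hash.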