Autograph is a cryptographic signature service that implements Content-Signature, XPI Signing for Firefox web extensions, MAR Signing for Firefox updates, APK Signing for Android, GPG2 and RSA.
Why is it called "autograph"? Because it's a service to sign stuff.
Use Docker whenever possible. The golang version on your machine is likely not the correct version for autograph.
docker pull mozilla/autograph && docker run mozilla/autograph
This will download the latest build of autograph from DockerHub and run it with its dev configuration.
WARNING! These tests may break or delete your gpg setup.
If you are lucky, it will leave you alone. (It starts a number of gpg-agent processes, then does a killall gpg-agent to clean up.) However, I've lost my entire ~/.gnupg setup. I strongly recommend: tar czf ~/gnupg.tgz ~/.gnupg before starting.
After making any changes, please test locally by:
make build # updates local docker images
make integration-test # must pass
docker compose up # runs unit tests in container, must pass
Note: you must monitor the output of docker to detect when the unit tests have completed. Otherwise, it will run forever with heartbeat messages. The following pipeline is useful:
docker compose up 2>&1 | tee compose.log \
| (grep --silent "autograph-unit-test exited with code" && docker compose down; \
grep "autograph-unit-test" compose.log)
As of 2023-06-26, only the integration tests will pass on Circle CI. See Issue 853 for details.
Do Not Use unless you are an experienced golang developer.
If you don't yet have a GOPATH, export one:
$ export GOPATH=$HOME/go
$ mkdir $GOPATH
Install ltdl:
- on Ubuntu: ltdl-dev
- on RHEL/Fedora/Arch: libtool-ltdl-devel
- on MacOS: libtool (NB: this might require brew unlink libtool && brew link libtool)
Then download and build autograph:
$ go get github.com/mozilla-services/autograph
The resulting binary will be placed in $GOPATH/bin/autograph. To run autograph with the example conf, do:
$ cd $GOPATH/src/github.com/mozilla-services/autograph
$ $GOPATH/bin/autograph -c autograph.yaml
Example clients are in the tools directory. You can install the Go one like this:
$ go get github.com/mozilla-services/autograph/tools/autograph-client
$ $GOPATH/bin/autograph-client -u alice -p fs5wgcer9qj819kfptdlp8gm227ewxnzvsuj9ztycsx08hfhzu -t http://localhost:8000/sign/data -r '[{"input": "Y2FyaWJvdW1hdXJpY2UK"}]'
2016/08/23 17:25:55 signature 0 pass
Autograph exposes a REST API that services can query to request signature of their data. Autograph knows which key should be used to sign the data of a service based on the service's authentication token. Access control and rate limiting are performed at that layer as well.
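The following added example (not code from the autograph project) shows what a client such as the one above has to produce for /sign/data: the JSON body with base64 input, and an Authorization header that binds the caller's identity to that exact payload. It assumes the Hawk scheme, which autograph uses for API authentication but which this section does not spell out; the function names, timestamp and nonce are hypothetical or constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// signRequest mirrors one element of the JSON array passed with -r above.
type signRequest struct {
	Input string `json:"input"`
}

// buildBody base64-encodes each raw input and wraps it as the request body.
func buildBody(inputs ...[]byte) ([]byte, error) {
	reqs := make([]signRequest, 0, len(inputs))
	for _, in := range inputs {
		reqs = append(reqs, signRequest{Input: base64.StdEncoding.EncodeToString(in)})
	}
	return json.Marshal(reqs)
}

// payloadHash is the Hawk payload hash: SHA-256 over content type and body.
func payloadHash(contentType string, body []byte) string {
	h := sha256.New()
	fmt.Fprintf(h, "hawk.1.payload\n%s\n%s\n", contentType, body)
	return base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// hawkHeader computes the Authorization header: an HMAC-SHA256, keyed with
// the user's secret, over the normalized request including the payload hash.
func hawkHeader(id, key, method, host, port, path, ts, nonce, hash string) string {
	norm := strings.Join([]string{"hawk.1.header", ts, nonce, method, path, host, port, hash, ""}, "\n") + "\n"
	m := hmac.New(sha256.New, []byte(key))
	m.Write([]byte(norm))
	mac := base64.StdEncoding.EncodeToString(m.Sum(nil))
	return fmt.Sprintf(`Hawk id="%s", mac="%s", ts="%s", nonce="%s", hash="%s"`, id, mac, ts, nonce, hash)
}

func main() {
	// User and secret are the example values from the command above;
	// the timestamp and nonce are constructed for illustration.
	body, _ := buildBody([]byte("cariboumaurice\n"))
	hash := payloadHash("application/json", body)
	fmt.Println(string(body))
	fmt.Println(hawkHeader("alice", "fs5wgcer9qj819kfptdlp8gm227ewxnzvsuj9ztycsx08hfhzu", "POST", "localhost", "8000", "/sign/data", "1471987555", "constructed-nonce", hash))
}
```

Because the MAC covers the payload hash, a request whose body is altered in transit no longer matches its header, and the user id in the header is what lets the service pick the signing key for that caller.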