mozilla-services / autograph-edge
Public endpoint of the Autograph signing service
Home Page: https://hub.docker.com/r/mozilla/autographedge/
The second signer will use the first's signer.
run tests against the built docker image or at least test that the image runs in CI
This Mozilla repository has been identified as lacking a license. Consistent with Mozilla's Licensing Policy an open source license should be applied to the code in this repository.
Please add an appropriate LICENSE.md file to the root directory of the project. In general, Mozilla's licensing policies are as follows:
Client-side products created by Mozilla employees or contributors should use the Mozilla Public License, Version 2.0 (MPL).
Server-side products or utilities that support Mozilla products may use either the MPL or the Apache License 2.0 (Apache 2.0).
In special cases, another license might be appropriate. If the repository is a fork of another repository it must apply the license of the original. Similarly, another license might be appropriate to match that of a broader project (for example Rust crates that Firefox depends on are published under an Apache 2.0 / MIT dual license, as that is the dual license used by the Rust programming language and projects).
Please ensure that any license added to the LICENSE.md file matches other licensing information in the repository (for example, it should match any license indicated in a setup.py or package.json file).
Mozilla staff can access more information in our Software Licensing Runbook – search for “Licensing Runbook” in Confluence to find it.
If you have any questions you can contact Daniel Nazer who can be reached at dnazer on Mozilla email or Slack.
OPENLIC-2023-01
we're doing this for the heartbeat endpoint, would be nice to do for version as well
Debian stretch went EOL in 2022, which results in package repository URLs changing. Since the repository URLs are baked into the base image, normal updates no longer work.
The integration tests for autograph-edge use an image based on Debian stretch, so the entire Circle CI process fails. Successful Circle CI operation is needed for deploying configuration file updates.
The test harness should be updated, but that's a different ticket.
Currently to test a new config locally I need to decrypt the config then change the url.
It would be handy to have a CLI option to override the URL directly, so I don't need to have a decrypted version sitting around or modify the config.
This would probably be -u / --url defaulting to "" then logs the config url is being overridden, with usage: -u http://localhost:8000/sign/file
Right now, post deploy smoke testing is done following hand written notes. Automate it.
As of January 1 2019, Mozilla requires that all GitHub projects include this CODE_OF_CONDUCT.md file in the project root. The file has two parts:
If you have any questions about this file, or Code of Conduct policies and procedures, please reach out to [email protected].
(Message COC001)
refs: fatih/color@3f9d52f
edge images https://hub.docker.com/r/mozilla/autographedge/tags/ are roughly twice the size of https://hub.docker.com/r/mozilla/autograph/tags/ autograph images
Site https://autograph-edge.prod.mozaws.net has failed the SecOps Baseline scan.
The failing tests are:
Strict-Transport-Security Header Not Set [10035] x 3
This issue was automatically raised.
This issue is managed automatically by the baseline scan:
Full details, including how to test for these issues locally, can be found on this Security Baseline Service dashboard.
If you have any questions or concerns please get in contact with @psiinon
Like in the autograph app and pass them along to the client (or provide another set of settings for those).
Site https://autograph-edge.stage.mozaws.net has failed the SecOps Baseline scan.
The failing tests are:
Strict-Transport-Security Header Not Set [10035] x 3
This issue was automatically raised.
This issue is managed automatically by the baseline scan:
Full details, including how to test for these issues locally, can be found on this Security Baseline Service dashboard.
If you have any questions or concerns please get in contact with @psiinon
Per https://mozilla.slack.com/archives/CEMMGTZJ5/p1584400954208400 we got some:
"Post "https://autograph-internal.stage.autograph.services.mozaws.net/sign/file": x509: certificate signed by unknown authority"
errors.
:ulfr pointed out that golang uses the system trust store and autograph app uses a digicert cert, so we probably want to add https://packages.debian.org/buster/ca-certificates to the base image
In testing, I've inserted or copied the wrong value out a few times (e.g. key instead of token). Has anyone else run into this?
possible renaming schemes:
token to client_token
key to autograph_key or autograph_hawk_key
and user to autograph_user or autograph_hawk_user or upstream_
This would be a breaking change, so we'd update the configs and bump a major version number.