Create certificate for signing Normandy actions with Autograph

RESOLVED FIXED

People

(Reporter: mythmon, Assigned: ulfr)

(Reporter)

Description

2 years ago
Please create certificates for signing Normandy actions with Autograph. We'll probably want a certificate for both stage and prod. We also have a dev environment. Is it suitable to have a key there too?

I think the name should be "normandy-actions-signer.mozilla.org".
(Assignee)

Comment 1

2 years ago
We are namespacing under content-signature.mozilla.org so it will be:
* prod: shield.content-signature.mozilla.org (using the AMO root)
* stage: shield.content-signature.allizom.org (using the dev AMO root)
* dev: identical to stage
Flags: needinfo?(jvehent)
(Reporter)

Comment 2

2 years ago
I'd prefer to use "normandy" instead of "shield". Normandy is the general name for the code, whereas SHIELD is a product name that doesn't cover everything Normandy does. Besides that, those names look fine.
Component: SHIELD → General
Product: Websites → Normandy
(Reporter)

Updated

2 years ago
Blocks: 1248671
(Reporter)

Updated

2 years ago
Blocks: 1270618
(Assignee)

Comment 3

2 years ago
Stage configuration is in place. Once your service is deployed, we'll give you access.
We don't have a setup in DEV, but you can use the default conf provided with the GitHub repo (I can help you install it locally if needed).

Make sure you hit the /sign/data endpoint with a request body similar to this one:

    [{"input": "...base64 raw input...", "template": "content-signature",
      "hashwith": "sha384", "keyid": "normandy_user"}]
Flags: needinfo?(jvehent)
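
Added example, not part of the original comment and not Autograph's or Normandy's own code: Python helpers that build the /sign/data request body quoted in Comment 3 from raw bytes and compute the digest the signature is expected to cover. The `Content-Signature:\x00` prefix, the deterministic JSON serialization, the function names and the sample action are assumptions of this example.

```python
import base64
import hashlib
import json

# Field values copied from the request body quoted in Comment 3.
TEMPLATE, HASHWITH, KEYID = "content-signature", "sha384", "normandy_user"

# Assumption (not stated on this page): the content-signature template
# prepends this prefix to the input before it is hashed and signed.
CS_PREFIX = b"Content-Signature:\x00"


def canonical_bytes(obj):
    """Serialize deterministically so signer and verifier see identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def build_sign_data_body(payloads, keyid=KEYID):
    """Return the JSON body for /sign/data, one entry per raw payload."""
    if not payloads:
        raise ValueError("at least one payload is required")
    entries = []
    for raw in payloads:
        if not isinstance(raw, bytes) or not raw:
            raise ValueError("each payload must be non-empty bytes")
        entries.append({
            "input": base64.b64encode(raw).decode("ascii"),
            "template": TEMPLATE,
            "hashwith": HASHWITH,
            "keyid": keyid,
        })
    return json.dumps(entries)


def decode_inputs(body):
    """Recover the raw payloads from a body, rejecting malformed base64."""
    return [base64.b64decode(e["input"], validate=True) for e in json.loads(body)]


def expected_digest(raw):
    """SHA-384 over prefix + raw input, the value a verifier recomputes."""
    return hashlib.sha384(CS_PREFIX + raw).hexdigest()


if __name__ == "__main__":
    # Constructed sample action, not real Normandy data.
    raw = canonical_bytes({"name": "console-log", "arguments": {"message": "hi"}})
    print(build_sign_data_body([raw]))
    print(expected_digest(raw))
```

The bytes passed as `input` must be exactly the bytes later served to clients; re-serializing the JSON with different key order or whitespace changes the digest and the signature no longer verifies.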
(Assignee)

Comment 4

2 years ago
Prod and stage certificates have been generated.

The prod chain is valid for 6 months and hosted at https://content-signature.cdn.mozilla.net/chains/normandy.content-signature.mozilla.org-20160610.prod.chain.

The stage chain is valid for 5 years and hosted at https://content-signature.stage.mozaws.net/chains/normandy.content-signature.mozilla.org-20210531.stage.chain.

Autograph has been configured in stage and prod with the proper signing keys.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED