Closed Bug 1269905 Opened 8 years ago Closed 8 years ago

Create certificate for signing Normandy actions with Autograph

Categories

(Shield :: General, defect)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mythmon, Assigned: jvehent)

Please create certificates for signing Normandy actions with Autograph. We'll probably want a certificate for both stage and prod. We also have a dev environment. Is it suitable to have a key there too?

I think the name should be "normandy-actions-signer.mozilla.org".
We are namespacing under content-signature.mozilla.org so it will be:
* prod: shield.content-signature.mozilla.org (using the AMO root)
* stage: shield.content-signature.allizom.org (using the dev AMO root)
* dev: identical to stage
Flags: needinfo?(jvehent)
I'd prefer to use "normandy" instead of "shield". Normandy is the general name for the code, whereas SHIELD is a product name that doesn't cover everything Normandy does. Besides that, those names look fine.
Component: SHIELD → General
Product: Websites → Normandy
Blocks: 1248671
Blocks: 1270618
Stage configuration is in place. Once your service is deployed, we'll give you access.
We don't have a setup in DEV, but you can use the default conf provided with the GitHub repo (I can help you install it locally if needed).

Make sure you hit the /sign/data endpoint with a request body similar to this one:

    [{"input": "...base64 raw input...", "template": "content-signature",
      "hashwith": "sha384", "keyid": "normandy_user"}]
Flags: needinfo?(jvehent)
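The request body from the comment above, built and checked in Python. This is an added example, not code from this bug or from the Autograph repository: the function names and the sample payload are hypothetical, and the required-keys check is an assumption based only on the body shown in the comment. Sending the request and authenticating to the service are not shown because the bug does not describe them.

```python
import base64
import binascii
import json

# Keys taken from the example body in the comment (assumed to all be required).
REQUIRED_KEYS = {"input", "template", "hashwith", "keyid"}


def build_sign_request(raw: bytes, keyid: str = "normandy_user") -> str:
    """Return the JSON body for one signing request over `raw`."""
    entry = {
        "input": base64.b64encode(raw).decode("ascii"),
        "template": "content-signature",
        "hashwith": "sha384",
        "keyid": keyid,
    }
    return json.dumps([entry])


def check_sign_request(body: str) -> list:
    """Return a list of problems found in a request body (empty if none)."""
    try:
        entries = json.loads(body)
    except ValueError as exc:
        return ["not JSON: %s" % exc]
    if not isinstance(entries, list) or not entries:
        return ["body must be a non-empty JSON array"]
    problems = []
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict):
            problems.append("entry %d: not an object" % i)
            continue
        missing = REQUIRED_KEYS - entry.keys()
        if missing:
            problems.append("entry %d: missing %s" % (i, sorted(missing)))
        try:
            # validate=True rejects any character outside the base64 alphabet.
            base64.b64decode(str(entry.get("input", "")), validate=True)
        except binascii.Error:
            problems.append("entry %d: input is not valid base64" % i)
    return problems


# Constructed sample payload, not a real Normandy action.
SAMPLE = b'{"name": "example-action"}'
```

Running `check_sign_request` on the comment's body with its `...base64 raw input...` placeholder left in place reports the input as invalid, which catches a template that was pasted without being filled in.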
Prod and stage certificates have been generated.

The prod chain is valid for 6 months and hosted at https://content-signature.cdn.mozilla.net/chains/normandy.content-signature.mozilla.org-20160610.prod.chain.

The stage chain is valid for 5 years and hosted at https://content-signature.stage.mozaws.net/chains/normandy.content-signature.mozilla.org-20210531.stage.chain.

Autograph has been configured in stage and prod with the proper signing keys.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED