release/signing/signing.ini.template
author Chris AtLee <catlee@mozilla.com>
Mon, 01 Apr 2019 17:26:27 +0000
changeset 8471 a41a482b78763e8159c9b3407a2e7dd37ce8d583
parent 8470 e7cfca9a2b6e63c38aa6f65042b3eeb54b7fa9f1
permissions -rw-r--r--
Bug 1531165: Remove jar signing support, and signscript imports r=aki Differential Revision: https://phabricator.services.mozilla.com/D25632

[server]
# Network settings for signing-server.py: bind address, port and on-disk
# retention of uploaded/signed files.
# What ip to listen on. Set this to a specific ip if you want to listen on a
# specific interface, or use 0.0.0.0 to listen on all interfaces.
# 0.0.0.0 exposes the service on every interface of the host; the source
# filtering in [security] (allowed_ips) is then the only network-level limit.
listen = 0.0.0.0
# What port we listen on
port = 8080
# How long should files be kept on disk (in seconds)
max_file_age = 300
# How often should we clean up files, tokens, etc. (in seconds)
# Expected to be smaller than max_file_age, otherwise files linger past
# their age limit until the next sweep.
cleanup_interval = 60

[security]
# TLS material, client/source restrictions, size limits and the secrets used
# to mint and validate signing tokens. The values below are template
# placeholders; every secret must be replaced before deployment and this
# file should be readable only by the signing-server user.
# Path to private SSL key for https
private_ssl_cert = host.key
# Path to public SSL certificate for https
public_ssl_cert = host.cert
# Who is allowed to connect to this machine? This can be a comma separated
# list of ip addresses or networks like 192.168.1.0/24
# 0.0.0.0/0 accepts every source address; narrow this to the build/release
# networks that actually submit signing requests.
allowed_ips = 0.0.0.0/0
# What filenames are acceptable to be signed? This is a comma separated list
# of regular expressions
# .* accepts any filename; a deployment should restrict this to the
# artifact names it expects.
allowed_filenames = .*
# Minimum filesize that we'll sign
# In bytes, like the max_filesize_* limits below (presumably; verify in
# signing-server.py).
min_filesize = 10
# Maximum filesize, per format. 52428800 = 50MB, 524288000 = 500MB
# Note: dmg has a limit here but is not listed in [signing] formats.
max_filesize_gpg = 524288000
max_filesize_dmg = 52428800
max_filesize_mar = 52428800
max_filesize_sha2signcode = 52428800
max_filesize_sha2signcodestub = 52428800
max_filesize_sha2signcode-v2 = 52428800
max_filesize_sha2signcodestub-v2 = 52428800
max_filesize_widevine = 52428800
max_filesize_widevine_blessed = 52428800
# Secret for signing tokens. This should be kept private!
# It should also be the same on all equivalent signing servers.
# Anyone holding this value can mint tokens that this server accepts, so
# treat it like a signing key: generate a long random string and rotate it
# using the token_secretN mechanism described below.
token_secret = secretstring
# Any key starting with 'token_secret' is also valid, to allow supporting
# multiple token secrets at the same time (to make it possible to transition
# to new secrets without downtime). New tokens are generated with the
# 'token_secret' value
# Remove retired token_secretN entries once no outstanding token can still
# be valid (see max_token_age), so old secrets stop being accepted.
token_secret0 = oldsecretstring
# username:password for http basic authentication for generating new tokens
# Stored in plaintext; keep this file's permissions tight and only serve
# the endpoint over https (see private_ssl_cert / public_ssl_cert).
new_token_auth = foo:bar
# Any key starting with 'new_token_auth' is valid
new_token_auth0 = foo:baz
# Which ips are allowed to request new tokens
# Checked in addition to allowed_ips above; keep this list as small as
# possible (ideally just the host that issues tokens).
new_token_allowed_ips = 127.0.0.1
# Maximum age for a token
# Presumably in seconds, like max_file_age in [server] -- confirm in
# signing-server.py before changing.
max_token_age = 3600

[paths]
# Working directories for uploaded and signed artifacts. The relative values
# below are presumably resolved against the server's working directory --
# use absolute paths in a deployment to avoid surprises.
# Where we store signed files
signed_dir = signed-files
# Where we store unsigned files
unsigned_dir = unsigned-files

[signing]
# Which formats this server offers, how signscript is invoked, and the
# startup self-test inputs.
# What signing formats we support
# Comma separated, no spaces. Every format listed here has a matching
# max_filesize_<format> key in [security] and a testfile_<format> key below.
formats = mar,gpg,sha2signcode,sha2signcodestub,sha2signcode-v2,sha2signcodestub-v2,widevine,widevine_blessed
# Which script to run to sign files
# A command line; the signing.ini it points at is this file, from which
# signscript reads the [signscript] section.
signscript = python ./signscript.py -c signing.ini
# How many files to sign at once
concurrency = 4
# Test files for the various signing formats
# signscript will be run on each of these on startup to test that passphrases
# have been entered correctly
# One entry per format in 'formats'; a missing or unreadable test file
# presumably fails startup for that format -- confirm in signing-server.py.
testfile_sha2signcode = test.exe
testfile_sha2signcodestub = test.exe
testfile_sha2signcode-v2 = test.exe
testfile_sha2signcodestub-v2 = test.exe
testfile_mar = test.mar
testfile_gpg = test.mar
testfile_widevine = test.tar.gz
testfile_widevine_blessed = test.exe

[signscript]
# Various settings for signscript. signing-server.py doesn't look in here
# Key locations and tool command lines. These point at private key
# material, so the referenced directories should be owned by the signing
# user and not readable by anyone else.
# Where are MozAuthenticode.{pvk,spc} located
sha2signcode_keydir = /path/to/keys
# Where is the gpg directory with our private key
gpg_homedir = /path/to/.gpg
# How to run mar
# Command line for signmar; -d is the NSS cert/key database directory,
# -n the certificate nickname to sign with, -s selects signing.
mar_cmd = /path/to/signmar -d /path/to/nsscerts -n keyname -s
# widevine info
widevine_key = /path/to/key.pem
widevine_cert = /path/to/cert.der
# %(widevine_key)s and %(widevine_cert)s refer to the keys above (configparser
# interpolation syntax). %(input)s, %(output)s and %(blessed)s are NOT keys in
# this section, so the reader must supply them per invocation (e.g. via the
# vars argument of configparser.get, or by reading raw and substituting
# itself); with plain BasicInterpolation a get() on this key would raise.
# NOTE(review): confirm how signscript.py resolves these -- also, a literal
# '%' elsewhere in this value would have to be written '%%' under configparser.
widevine_cmd = python /path/to/script --private_key %(widevine_key)s --certificate %(widevine_cert)s --input %(input)s --output_file %(output)s --flags %(blessed)s --prompt_passphrase