Kinto signer is a Kinto plugin that makes it possible to sign the updates of Kinto collections. In other words, it's a way to verify that the data the client has got is the data the original authors intended to distribute.
This works with two Kinto instances:
- A, the authority (also known as "the signer"). It is where the original data are sent. The authority is configured to sign the data for a specific "origin".
- O, the origin, which will end up distributing the data and the signatures. It is where the client retrieve the data.
Once started, the authority is behaving like a normal Kinto server, until you ask for a signature of the collection. To trigger this signature operation, you need to add a specific field on the collection: status: "to-sign".
Here is how to do it with httpie:
echo '{"data": {"status": "to-sign"}}' | http PATCH http://0.0.0.0:8888/v1/buckets/default/collections/tasks --auth user:passFrom there, the authority will:
- Retrieve all records on the collection, compute a hash of the records, and generate a signature out of it.
- Send all local changes to the Origin server, with a signature.
- Update the collection metadata with
status:signed.
To install this plugin in a Kinto server, a few configuration variables need to be set.
Here is an example of what a configuration could look like:
kinto.includes = kinto_signer
kinto.signer.resources =
source/collection1;destination/collection1
source/collection2;destination/collection2| Setting name | What does it do? |
|---|---|
| kinto.signer.resources | The name of the buckets and collections on which signatures can be triggered and the destination where the data and the signatures will end-up. |
| kinto.signer.signer_backend | The python dotted location to the signer to use. By default, a local ECDSA signer will be used. Choices are either kinto_signer.signer.local_ecdsa or kinto_signer.signer.autograph Have a look at the sections below for more information. |
| Setting name | What does it do? |
|---|---|
| kinto.signer.ecdsa.private_key | Absolute path to the ECDSA private key to use to apply the signatures |
| kinto.signer.ecdsa.public_key | Absolute path to the ECDSA private key to use to verify the signature (useful if you just want to use the signer as a verifier) |
Kinto signer can integrate with the Autograph server. To do so, use the following settings:
| Setting name | What does it do? |
|---|---|
| kinto.signer.autograph.server_url | The autograph server URL |
| kinto.signer.autograph.hawk_id | The hawk identifier used to issue the requests. |
| kinto.signer.autograph.hawk_secret | The hawk secret used to issue the requests. |
To generate a new keypair, you can use the following command:
$ python -m kinto_signer.generate_keypair private.pem public.pemTo run the unit tests:
$ make testsFor the functional tests:
$ make run-signer
$ make functional