mozilla-services
Return serial number of the signed certificate
As part of porting AMO over to using /sign/file endpoint I'm investigating whether or not we'll eventually be able to get rid of the signing-clients dependency.
Once ported to /sign/file the only thing that AMO still does with the XPI is extracting the certificates serial number.
I wonder if it's possible to return it in the response data of /sign/file too.
It'd be great to either decide if it's feasible to implement before AMO moves to /sign/file endpoint or if I should keep the current implementation.
An advantage would be that we don't have to open the XPI anymore after signing it which should speed-up the whole process a bit.
I'm theoretically in favor, but the implementation may be tricky. This touches the SignFile interface which only returns a signed file and an error right now. We'd have to return extra metadata as well, probably as an opaque interface{} marshaled into the API response to be future proof. It's not the ugliest design in the world, but since it break an existing interface, we may want to implement it as a new one instead, possibly SignFileWithDetails.
No, this is about pulling serialNumber from the actual pkcs7 content part (signer_info.sid.issuer.serial_number)
Gotcha, I think there were other use cases for changing the SignFile interface to return extra signer specific data (audit fields and other things that escape me at the moment).
So I think we could refactor all SignFile calls to SignFileWith{Details,Data} that returns data / details a JSON marshalable interface{} and adds it to the sign file response data structure as "extra". For existing signers it would be nil and marshal to {}.
Note to self: can use gofmt for this https://blog.golang.org/go-fmt-your-code#TOC_3.