Snapshot version 8 from main.

.github/workflows/prerequisites.yml

@@ -5,7 +5,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Setup Go 1.16
-      uses: actions/setup-go@v1
+      uses: actions/setup-go@v2
       with:
         go-version: '1.16'
 
@@ -27,7 +27,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Setup Go 1.16
-      uses: actions/setup-go@v1
+      uses: actions/setup-go@v2
       with:
         go-version: '1.16'
 
@@ -43,12 +43,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Setup Go 1.16
-      uses: actions/setup-go@v1
+      uses: actions/setup-go@v2
       with:
         go-version: '1.16'
 
     - name: Checkout the repository
       uses: actions/checkout@v2
 
     - name: Run the tests
-      run: go test ./...
+      run: make test
+
+    - name: Run the build
+      run: make build

.gitignore

@@ -1,3 +1,4 @@
+/amppkg
 /amppkg.toml
 /main
 /fuzz_httpreq/fuzz.zip

Makefile

@@ -0,0 +1,36 @@
+BRANCH    ?= $(shell git rev-parse --abbrev-ref HEAD)
+BUILDDATE ?= $(shell date --iso-8601=seconds)
+REVISION  ?= $(shell git rev-parse HEAD)
+VERSION   ?= $(shell git log --date=short --pretty=format:'%h@%cd' -n 1 .)
+
+GOOPTS ?=
+ifneq (,$(wildcard vendor))
+	GOOPTS := $(GOOPTS) -mod=vendor
+endif
+
+VERSION_LDFLAGS := \
+  -X github.com/prometheus/common/version.Branch=$(BRANCH) \
+  -X github.com/prometheus/common/version.BuildDate=$(BUILDDATE) \
+  -X github.com/prometheus/common/version.Revision=$(REVISION) \
+  -X github.com/prometheus/common/version.Version=$(VERSION)
+
+all: test build
+
+.PHONY: test
+test:
+	go test $(GOOPTS) ./...
+
+build: amppkg
+
+.PHONY: amppkg
+amppkg:
+	go build $(GOOPTS) -ldflags "$(VERSION_LDFLAGS)" -o amppkg ./cmd/amppkg/...
+
+.PHONY: update-go-deps
+update-go-deps:
+	@for m in $$(go list -mod=readonly -m -f '{{ if and (not .Indirect) (not .Main)}}{{.Path}}{{end}}' all); do \
+		go get $$m; \
+	done
+ifneq (,$(wildcard vendor))
+	go mod vendor
+endif

README.md

@@ -31,34 +31,16 @@ own and can obtain certificates for.
 
 ##### Manual installation
 
-  1. Install Go version 1.10 or higher. Optionally, set
-     [$GOPATH](https://github.com/golang/go/wiki/GOPATH) to something (default
-     is `~/go`) and/or add `$GOPATH/bin` to `$PATH`.
+  1. Install Go version 1.13 or higher.
   1. Get amppackager.
 
-     Check your Go version by running `go version`.
-
-     For Go 1.16 and higher run:
-
        ```
        git clone https://github.com/ampproject/amppackager.git my-amp-directory
        cd my-amp-directory
-       go install github.com/ampproject/amppackager/cmd/amppkg
-       ```
-
-     For Go 1.14 and Go 1.15 run:
-
-       ```
-       go get -u github.com/ampproject/amppackager/cmd/amppkg
-       ```
-
-     For Go 1.13 and earlier versions run:
-
-       ```
-       go get -u -mod=vendor github.com/ampproject/amppackager/cmd/amppkg
+       make build
        ```
 
-  1. Optionally, move the built `~/go/bin/amppkg` wherever you like.
+  1. Optionally, move the built `amppkg` wherever you like.
   1. Prepare a temporary certificate and private key pair to use for signing the
      exchange when testing your config. Follow WICG
      [instructions](https://github.com/WICG/webpackage/tree/master/go/signedexchange#creating-our-first-signed-exchange)
@@ -218,8 +200,22 @@ Running `amppkg` with the `-invalidcert` flag will skip the check for
 `-development` flag.
 
 Chrome can be configured to allow these invalid certificates with the
-*Allow Signed HTTP Exchange certificates without extension* experiment:
-chrome://flags/#allow-sxg-certs-without-extension
+`--ignore-certificate-errors-spki-list` command line flag:
+
+```
+google-chrome --ignore-certificate-errors-spki-list=<hashes> --user-data-dir=<dir>
+```
+
+where `<hashes>` is a comma separated list of Base64-encoded SHA-256 SPKI
+Fingerprints and it is necessary to specify `--user-data-dir` with a valid or
+creatable directory `<dir>` when `--ignore-certificate-errors-spki-list` is
+used.
+
+As an example, the hash for a PEM certificate can be obtained with OpenSSL:
+
+```
+openssl x509 -pubkey -noout -in mycert.crt | openssl pkey -pubin -outform der | openssl sha256 -binary | openssl base64
+```
 
 #### Redundancy
 
@@ -297,8 +293,8 @@ You can monitor the packager's error rates, as well as the rates of signed
 vs unsigned documents, via the tools discussed in the next section.
 
 Specifically, you can monitor the requests that resulted in a signed or an
-unsigned document via `documents_signed_vs_unsigned` metric, and the ones that
-resulted in an error - via `total_requests_by_code_and_url` metric.
+unsigned document via `amppackager_signer_documents_total` metric, and the ones that
+resulted in an error - via `amppackager_http_duration_seconds_count` metric.
 
 #### Monitoring `amppackager` in production via its Prometheus endpoints
 

cmd/amppkg/main.go

@@ -25,10 +25,13 @@ import (
 	"log"
 	"net/http"
 	"net/url"
+	_ "net/http/pprof"
 	"time"
 
 	"github.com/pkg/errors"
+	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
+	"github.com/prometheus/common/version"
 
 	"github.com/ampproject/amppackager/packager/certcache"
 	"github.com/ampproject/amppackager/packager/certloader"
@@ -67,7 +70,13 @@ func (this logIntercept) ServeHTTP(resp http.ResponseWriter, req *http.Request)
 //  - It exposes an API that allows people to sign any URL as any other URL.
 //  - It is in cleartext.
 func main() {
+	prometheus.MustRegister(version.NewCollector("amppackager"))
+	showVersion := flag.Bool("version", false, "Print version info")
+
 	flag.Parse()
+	if *showVersion {
+		die(version.Print("amppackager"))
+	}
 	if *flagConfig == "" {
 		die("must specify --config")
 	}
@@ -164,7 +173,7 @@ func main() {
 	}
 
 	// TODO(twifkak): Add monitoring (e.g. per the above Cloudflare blog).
-
+	log.Println("Starting amppackager", version.Info())
 	log.Println("Serving on port", config.Port)
 
 	// TCP keep-alive timeout on ListenAndServe is 3 minutes. To shorten,

deploy/gcloud/Dockerfile.consumer

@@ -16,7 +16,7 @@
 # as a guide.
 
 # Use an official Go runtime as a parent image
-FROM golang:1.13 as builder
+FROM golang:1.16 as builder
 
 ENV GO111MODULE=on
 
@@ -27,8 +27,8 @@ RUN apt-get update \
 
 WORKDIR /data
 
-# Run this if you clone from master branch.
-RUN git clone -b master https://github.com/ampproject/amppackager.git /data/amppackager
+# Run this if you clone from main branch.
+RUN git clone -b main https://github.com/ampproject/amppackager.git /data/amppackager
 # RUN git clone https://github.com/ampproject/amppackager.git /data/amppackager
 
 WORKDIR /data/amppackager/cmd/amppkg

deploy/gcloud/Dockerfile.renewer

@@ -16,7 +16,7 @@
 # as a guide.
 
 # Use an official Go runtime as a parent image
-FROM golang:1.13 as builder
+FROM golang:1.16 as builder
 
 ENV GO111MODULE=on
 
@@ -27,8 +27,8 @@ RUN apt-get update \
 
 WORKDIR /data
 
-# Run this if you clone from master branch.
-RUN git clone -b master https://github.com/ampproject/amppackager.git /data/amppackager
+# Run this if you clone from main branch.
+RUN git clone -b main https://github.com/ampproject/amppackager.git /data/amppackager
 # RUN git clone https://github.com/ampproject/amppackager.git /data/amppackager
 
 WORKDIR /data/amppackager/cmd/amppkg

deploy/gcloud/README.md

@@ -52,6 +52,27 @@ The following information is required to be entered into setup.sh:
   8. ACME_EMAIL_ADDRESS. The email address you used for your [Digicert ACME Account](https://docs.digicert.com/manage-certificates/certificate-profile-options/get-your-signed-http-exchange-certificate/).
 
   9. ACME_DIRECTORY_URL.  The [ACME API Directory URL](https://docs.digicert.com/certificate-tools/acme-user-guide/acme-directory-urls-signed-http-exchange-certificates/).  Note that this URL is security sensitive so do not check in any files that contain this into Github.
+  DigiCert has deprecated access to the old style ACME Directory URL from CertCentral UI in order to transition to using EAB/HMAC (which we will support in a future release). In the meantime, you can retrieve the old style ACME Directory URL using:
+
+      curl --location --request POST 'https://www.digicert.com/services/v2/key/acme-url' --header 'X-DC-DEVKEY: $YOUR_DEV_KEY' --header 'Content-Type: application/json' --data-raw '{
+      "name": "myTest",
+      "product_name_id": "ssl_plus",
+      "organization_id": "$YOUR_ORG_ID",
+      "order_validity_days": "350",
+      "validity_days": "90",
+      "container_id": "$YOUR_CONTAINER_ID",
+      "profile_option": "http_signed_exchange",
+      "external_account_binding": false}'
+
+   $YOUR_DEV_KEY can be found [here](https://www.digicert.com/secure/automation/api-keys/). Add with no restrictions.
+
+   $YOUR_ORG_ID can be found [here](https://www.digicert.com/secure/organizations/).
+
+   $YOUR_CONTAINER_ID can be generated using:
+
+      curl -X GET https://www.digicert.com/services/v2/container \
+         -H 'Content-Type: application/json' \
+         -H 'X-DC-DEVKEY: $YOUR_DEV_KEY'
 
 The following information can be customized in setup.sh, but the default also works fine:
 

docker/Dockerfile

@@ -13,13 +13,13 @@
 # limitations under the License.
 
 # Use an official Go runtime as a parent image
-FROM golang:1.13
+FROM golang:1.16
 
 ENV GO111MODULE=on
 
 # Install AMP Packager
-# Run this if you want to go off master branch.
-# RUN go get -v github.com/ampproject/amppackager/cmd/amppkg@master
+# Run this if you want to go off main branch.
+# RUN go get -v github.com/ampproject/amppackager/cmd/amppkg@main
 RUN go get -v github.com/ampproject/amppackager/cmd/amppkg
 
 # Install git

go.mod

@@ -3,33 +3,22 @@ module github.com/ampproject/amppackager
 go 1.13
 
 require (
-	github.com/WICG/webpackage v0.0.0-20190215052515-70386c3750f2
-	github.com/ampproject/amphtml v0.0.0-20180912232012-d3df64d07ae9
-	github.com/go-acme/lego/v3 v3.2.0
-	github.com/gofrs/flock v0.7.1
-	github.com/golang/protobuf v1.4.1
-	github.com/google/go-cmp v0.5.0
+	github.com/WICG/webpackage v0.0.0-20210623222345-39b429db6dac
+	github.com/ampproject/amphtml v0.0.0-20210802160724-a648a87e5643
+	github.com/go-acme/lego/v4 v4.4.0
+	github.com/gofrs/flock v0.8.1
+	github.com/golang/protobuf v1.5.2
+	github.com/google/go-cmp v0.5.6
 	github.com/kylelemons/godebug v1.1.0
-	github.com/pelletier/go-toml v1.1.0
-	github.com/pkg/errors v0.8.1
-	github.com/pquerna/cachecontrol v0.0.0-20180306154005-525d0eb5f91d
-	github.com/prometheus/client_golang v1.1.0
-	github.com/stretchr/testify v1.4.0
+	github.com/pelletier/go-toml v1.9.3
+	github.com/pkg/errors v0.9.1
+	github.com/pquerna/cachecontrol v0.1.0
+	github.com/prometheus/client_golang v1.11.0
+	github.com/prometheus/common v0.30.0
+	github.com/stretchr/testify v1.7.0
 	github.com/twifkak/crypto v0.0.0-20210326012946-1fce8924335d
-	golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4
-	golang.org/x/net v0.0.0-20210226172049-e18ecbb05110
-	google.golang.org/grpc v1.27.0
-	google.golang.org/protobuf v1.25.0
-	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
-	gopkg.in/square/go-jose.v2 v2.3.1
+	golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97
+	golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985
+	google.golang.org/grpc v1.39.0
+	gopkg.in/square/go-jose.v2 v2.6.0
 )
-
-replace github.com/davecgh/go-spew => github.com/davecgh/go-spew v1.1.0
-
-replace github.com/stretchr/testify => github.com/stretchr/testify v1.2.1
-
-replace golang.org/x/crypto => golang.org/x/crypto v0.0.0-20180820150726-614d502a4dac
-
-replace golang.org/x/net => golang.org/x/net v0.0.0-20180808004115-f9ce57c11b24
-
-replace golang.org/x/text => golang.org/x/text v0.3.0