Autograph Credentials
Autograph uses hawk for authentication. Each hawk user has access to one or
more Autograph signers. When making a signing request, signingscript can choose
which signer to use by specifying a keyid. If no keyid is specified, Autograph
will use the “default” signer.
Note
It’s not entirely clear how Autograph chooses a default signer. Therefore
it’s best practice to always specify a keyid in signingscript. This also
makes it more explicit which signer is being used when reading the
signingscript configs.
Unfortunately, signingscript often relies on this default behaviour, which
means it isn’t possible to tell which signer is being used under the hood just
by reading the configs. One possibility for finding this information is to
trace back to the original request and hope that it was left in a bug comment
or similar.
Luckily there’s a better option. Hal maintains some dumps of the Autograph
database in a datasette dashboard. Specifically this view maps hawk user to
signer. The default signer is (likely) the record with the lowest rowId.