Closed
Bug 1008344
Opened 11 years ago
Closed 11 years ago
[solitude] Signing certs for payments-alt
Categories
(Cloud Services :: Operations: Marketplace, task, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: krupa.mozbugs, Assigned: jason)
We have signing certs for payments-alt. Thanks!
Updated•11 years ago
Severity: major → normal
Priority: P2 → P1
Updated•11 years ago
Assignee: server-ops-amo → jthomas
Comment 1•11 years ago
@kang what is required to add an additional key to app[1-2].hsm.stage.addons.phx1.mozilla.com?
the script for key generation is on the machine as well as in your (svcops/cloudops) git internal ( git clone ssh://gitolite3@git-internal.mozilla.org/svcops/hsm )
Doc is at https://mana.mozilla.org/wiki/display/SECURITY/HSM+Operational+Procedures (and https://mana.mozilla.org/wiki/display/SECURITY/HSM+Guidelines)
In more detail (after a quick IRC chat):
- it uses stage's CA (i.e. stage's cert will be used to verify the keys are valid)
- you can copy stage_scripts/secworld/4_generate_key.sh to 41_generate_key_alt.sh for example, then edit it:
  - KEY_NAME="stgaltappmarketplace"
- then run the script on the stage HSM
- then in certs/csr copy the necessary scripts as well and run them against the new key (likewise, edit the copies with the new key name)
- then copy the csr to the stage CA and sign it with certs/ca/sign_csr.sh
the resulting cert is the file you want to give back to the marketplace team
also, git commit all the changes ;)
ping me on IRC if you need more help
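
The key, CSR and CA-signing flow from the comment above, as an added example that is not the svcops/hsm scripts: software keys and a throwaway CA stand in for the HSM-held key and the stage CA, and every file name and subject is constructed. It ends with the check worth running before handing a cert over: that it chains to the CA and carries the same public key as the CSR.

```shell
#!/bin/sh
# Added illustration only. Software keys and a throwaway CA stand in for the
# HSM-held key and the stage CA; all file names and subjects are constructed.
set -eu

KEY_NAME="stgaltappmarketplace"   # key name from the comment above

# check_cert CA CSR CERT: print "ok" only if CERT chains to CA and carries
# the same public key as CSR; otherwise print the reason and return 1.
check_cert() {
    openssl verify -CAfile "$1" "$3" >/dev/null 2>&1 \
        || { echo "chain-fail"; return 1; }
    csr_pub=$(openssl req -in "$2" -noout -pubkey)
    crt_pub=$(openssl x509 -in "$3" -noout -pubkey)
    [ "$csr_pub" = "$crt_pub" ] || { echo "key-mismatch"; return 1; }
    echo "ok"
}

# issue_and_verify DIR: run the whole flow inside DIR and check the result.
issue_and_verify() {
    d="$1"
    # Stand-in for the stage CA (self-signed, valid for one day).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example-stage-ca" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    # Stand-in for key generation plus the CSR scripts.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$KEY_NAME" \
        -keyout "$d/$KEY_NAME.key" -out "$d/$KEY_NAME.csr" 2>/dev/null
    # Stand-in for signing the CSR on the CA.
    openssl x509 -req -in "$d/$KEY_NAME.csr" -days 1 \
        -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/$KEY_NAME.crt" 2>/dev/null
    check_cert "$d/ca.crt" "$d/$KEY_NAME.csr" "$d/$KEY_NAME.crt"
}

workdir=$(mktemp -d)
issue_and_verify "$workdir"
rm -rf "$workdir"
```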
Updated•11 years ago
Summary: Signing certs for payments-alt → [solitude] Signing certs for payments-alt
Comment 3•11 years ago
payments-alt-app-signer.marketplace.allizom.org and payments-alt-reviewer-app-signer.marketplace.allizom.org services are up.
payments-alt.allizom.org SIGNED_APPS* settings updated to point to the new service.
https://www.dropbox.com/s/agkljpkh8fia2em/marketplace-stage.cert.tar.gz contains the certdb.tmp that needs to be pushed to the device.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Comment 4•11 years ago
https://github.com/mozilla/marketplace-certs for updated documentation.
Updated•10 years ago
Component: Server Operations: AMO Operations → Operations: Marketplace
Product: mozilla.org → Mozilla Services