{"id":24648575,"url":"https://github.com/archlinux/signstar","last_synced_at":"2025-06-28T06:06:33.303Z","repository":{"id":70804992,"uuid":"237777653","full_name":"archlinux/signstar","owner":"archlinux","description":"A secure enclave signing solution (read-only mirror)","archived":false,"fork":false,"pushed_at":"2025-06-27T13:28:26.000Z","size":1162,"stargazers_count":7,"open_issues_count":0,"forks_count":6,"subscribers_count":10,"default_branch":"main","last_synced_at":"2025-06-27T14:34:20.700Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://gitlab.archlinux.org/archlinux/signstar","language":"Rust","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/archlinux.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSES/Apache-2.0.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".gitlab/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-02-02T13:46:21.000Z","updated_at":"2025-06-27T13:01:25.000Z","dependencies_parsed_at":null,"dependency_job_id":"52e9460a-2774-4606-9602-8c52a35da7d8","html_url":"https://github.com/archlinux/signstar","commit_stats":null,"previous_names":[],"tags_count":40,"template":false,"template_full_name":null,"purl":"pkg:github/archlinux/signstar","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/archlinux%2Fsignstar","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/archlinux%2Fsignstar/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/archlinux%2Fsignstar/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/archlinux%2Fsignstar/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/archlinux","download_url":"https://codeload.github.com/archlinux/signstar/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/archlinux%2Fsignstar/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":262382742,"owners_count":23302297,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-01-25T16:58:45.825Z","updated_at":"2025-06-28T06:06:33.294Z","avatar_url":"https://github.com/archlinux.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Signstar\n\nThis project provides tools and documentation for running a generic signing enclave with the help of one or more [Nitrokey NetHSM] devices.\n\nRaw cryptographic signatures and [OpenPGP data signatures] are supported.\n\n## Components\n\nSignstar consists of several loosely coupled components, some of which are used in conjunction with one another.\n\n- [nethsm]: A library to provide interaction with the [Nitrokey NetHSM] to applications\n- [nethsm-backup]: A library to parse, decrypt, validate and browse [NetHSM backups]\n- [nethsm-cli]: A dedicated commandline interface to the [Nitrokey NetHSM], akin to Nitrokey's [pynitrokey], useful for general purpose, interactive use of the HSM\n- [nethsm-config]: A library for working with application configuration files for [Nitrokey NetHSM] devices\n- [signstar-common]: Shared components and data types for Signstar tools and libraries\n- [signstar-config]: Configuration file handling for Signstar hosts\n- [signstar-configure-build]: A commandline interface for the configuration of Signstar system during build-time\n- *signstar-configure*: An executable, that allows non-interactive configuration of a [Nitrokey NetHSM] based on a configuration ([#48])\n- [signstar-request-signature]: An executable, run on a client host, that prepares data to be signed and retrieves a signature for it from a Signstar setup\n- [signstar-sign]: An executable, that allows signing of messages with the help of a [Nitrokey NetHSM], based on a configuration\n\n## Requirements\n\nA Signstar setup requires a [TPM-2.0]-enabled host, allowing to run [SignstarOS] which provides a read-only root filesystem and an encrypted `/var` partition for its state.\nThis signing service host is connected to one or more [Nitrokey NetHSM] devices over an otherwise secluded network and exposes *signstar-sign* to clients of the signing service.\n\nClients use *signstar-request-signature* to connect to a Signstar setup and retrieve a signature for a provided payload.\n\n```mermaid\n---\ntitle: Simplified overview of a Signstar setup\n---\nsequenceDiagram\n    participant C as Client\n    participant S as Signstar\n    participant N as NetHSM\n\n    Note over S: pair of Signstar credentials\n    Note over N: pair of NetHSM credentials\n\n    S -\u003e\u003e N: HSM is configured using *signstar-configure*\n    C -\u003e\u003e+ S: User \"A\" requests signature using *signstar-request-signature*\n    S -\u003e\u003e S: Host user \"A\" is mapped to HSM operator user \"X\" by *signstar-sign*\n    S -\u003e\u003e N: Signature is requested using operator user \"X\" by *signstar-sign*\n    N -\u003e\u003e S: Raw cryptographic signature is received by *signstar-sign*\n    S -\u003e\u003e- C: Signature for user \"A\" is returned by *signstar-sign*\n```\n\nFurther details on the setup, as well as the threat model that the setup operates under can be found in the [design documentation].\n\n## Packaging\n\nThe `justfile` contains recipes for generating integration useful for packaging:\n\n- `just generate shell_completions nethsm-cli` generates shell completions for [nethsm-cli] to `$CARGO_TARGET_DIR/output/shell_completions/` (or to `$PWD/output/shell_completions/` if `$CARGO_TARGET_DIR` is unset)\n- `just generate manpages nethsm-cli` generates man pages for [nethsm-cli] to`$CARGO_TARGET_DIR/output/manpages/` (or to `$PWD/output/manpages/` if `$CARGO_TARGET_DIR` is unset)\n\nThe target directory is created automatically.\n\n## Releases\n\nReleases of [components] are created by the developers of this project.\n\n[OpenPGP certificates] with the following [OpenPGP fingerprints] can be used to verify signed tags:\n\n- [`991F6E3F0765CF6295888586139B09DA5BF0D338`] ([David Runge] \u0026lt;\u003cdvzrv@archlinux.org\u003e\u0026gt;)\n- [`653909A2F0E37C106F5FAF546C8857E0D8E8F074`] ([Wiktor Kwapisiewicz] \u0026lt;\u003cwiktor@archlinux.org\u003e\u0026gt;)\n\nSome of the above are part of [archlinux-keyring] and certified by at least three [main signing keys] of the distribution.\nAll certificate are cross-signed and can be retrieved from [OpenPGP keyservers].\n\n## Contributing\n\nPlease refer to the [contributing guidelines] to learn how to contribute to this project.\n\n## License\n\nThis project may be used under the terms of the [Apache-2.0] or [MIT] license.\n\nChanges to this project - unless stated otherwise - automatically fall under the terms of both of the aforementioned licenses.\n\n[#48]: https://gitlab.archlinux.org/archlinux/signstar/-/issues/48\n[Apache-2.0]: https://www.apache.org/licenses/LICENSE-2.0\n[David Runge]: https://archlinux.org/people/developers/#dvzrv\n[MIT]: https://opensource.org/licenses/MIT\n[NetHSM backups]: https://docs.nitrokey.com/nethsm/administration#backup\n[Nitrokey NetHSM]: https://www.nitrokey.com/products/nethsm\n[OpenPGP certificates]: https://openpgp.dev/book/certificates.html\n[OpenPGP data signatures]: https://openpgp.dev/book/signing_data.html\n[OpenPGP fingerprints]: https://openpgp.dev/book/certificates.html#fingerprint\n[OpenPGP keyservers]: https://wiki.archlinux.org/title/OpenPGP#Keyserver\n[SignstarOS]: resources/mkosi/signstar/README.md\n[TPM-2.0]: https://en.wikipedia.org/wiki/Trusted_Platform_Module\n[Wiktor Kwapisiewicz]: https://archlinux.org/people/support-staff/#wiktor\n[`653909A2F0E37C106F5FAF546C8857E0D8E8F074`]: https://pgpkeys.eu/pks/lookup?search=653909A2F0E37C106F5FAF546C8857E0D8E8F074\u0026fingerprint=on\u0026op=index\n[`991F6E3F0765CF6295888586139B09DA5BF0D338`]: https://pgpkeys.eu/pks/lookup?search=991F6E3F0765CF6295888586139B09DA5BF0D338\u0026fingerprint=on\u0026op=index\n[archlinux-keyring]: https://gitlab.archlinux.org/archlinux/archlinux-keyring\n[components]: #components\n[contributing guidelines]: CONTRIBUTING.md\n[design documentation]: resources/docs/design.md\n[main signing keys]: https://archlinux.org/master-keys/\n[nethsm-backup]: nethsm-backup/\n[nethsm-cli]: nethsm-cli/\n[nethsm-config]: nethsm-config/\n[nethsm]: nethsm/\n[pynitrokey]: https://github.com/Nitrokey/pynitrokey\n[signstar-common]: signstar-common/\n[signstar-config]: signstar-config/\n[signstar-configure-build]: signstar-configure-build/\n[signstar-request-signature]: signstar-request-signature/\n[signstar-sign]: signstar-sign/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Farchlinux%2Fsignstar","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Farchlinux%2Fsignstar","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Farchlinux%2Fsignstar/lists"}