{"id":36954925,"url":"https://github.com/mrcarb0n/zipsignerust","last_synced_at":"2026-05-24T22:00:35.968Z","repository":{"id":327971431,"uuid":"1108709426","full_name":"MrCarb0n/zipsignerust","owner":"MrCarb0n","description":"High-performance, memory-safe cryptographic signing and verification for Android ZIP archives.","archived":false,"fork":false,"pushed_at":"2026-05-24T20:00:48.000Z","size":205,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2026-05-24T21:26:09.936Z","etag":null,"topics":["android","apk","cryptography","jar","rust","signing","tool","verification","zip"],"latest_commit_sha":null,"homepage":"https://github.com/MrCarb0n/zipsignerust","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/MrCarb0n.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-12-02T20:12:17.000Z","updated_at":"2026-05-24T20:00:50.000Z","dependencies_parsed_at":"2026-05-24T22:00:33.560Z","dependency_job_id":null,"html_url":"https://github.com/MrCarb0n/zipsignerust","commit_stats":null,"previous_names":["mrcarb0n/zipsignerust"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/MrCarb0n/zipsignerust","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MrCarb0n%2Fzipsignerust","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MrCarb0n%2Fzipsignerust/tags","releases_url":"https://repos
.ecosyste.ms/api/v1/hosts/GitHub/repositories/MrCarb0n%2Fzipsignerust/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MrCarb0n%2Fzipsignerust/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/MrCarb0n","download_url":"https://codeload.github.com/MrCarb0n/zipsignerust/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MrCarb0n%2Fzipsignerust/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33452033,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-24T19:21:36.376Z","status":"ssl_error","status_checked_at":"2026-05-24T19:21:10.562Z","response_time":57,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["android","apk","cryptography","jar","rust","signing","tool","verification","zip"],"created_at":"2026-01-13T13:00:35.353Z","updated_at":"2026-05-24T22:00:35.951Z","avatar_url":"https://github.com/MrCarb0n.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n\n# ZipSignerust\n\n**High-performance, memory-safe cryptographic signing and verification for Android ZIP archives.**\n\n[![License: GPL v3](https://img.shields.io/badge/License-GPLv3-blue.svg)](https://www.gnu.org/licenses/gpl-3.0) 
[![Rust](https://img.shields.io/badge/Language-Rust-orange.svg)](https://www.rust-lang.org/) [![Version](https://img.shields.io/badge/version-1.0.0-blue.svg)](https://github.com/MrCarb0n/zipsignerust/releases) \n\u003c/div\u003e\n\n---\n\n**ZipSignerust** is a deterministic, high-performance tool written in Rust to sign and verify Android ZIP archives. It ensures reproducible builds by using certificate creation timestamps and supports recursive signing of nested ZIP archives.\n\n## 🚀 Key Features\n\n- **⚡ High Performance:** Written in pure Rust for maximum speed and memory safety with optimized allocation using `mimalloc`.\n- **🔒 Deterministic Timestamps:** Uses the certificate's creation date for all ZIP entries (reproducible builds).\n- **🔍 Recursive Signing:** Automatically detects and signs nested `.zip` files inside archives.\n- **🛡️ Secure:** Uses industry-standard cryptography (RSA, SHA-1/SHA-256) for signature generation and verification.\n- **💾 In-Place Signing:** Smart `--inplace` mode with automatic backup for efficient workflow.\n- **🔑 Flexible Keys:** Use your own PK8/PEM keys or fall back to embedded developer keys for quick testing.\n- **✅ Comprehensive Verification:** Verify the integrity and authenticity of existing archives with detailed validation.\n- **🎨 Enhanced UI:** Beautiful colored output with progress bars and structured formatting for a better user experience.\n- **🔌 Pipeline Support:** Full stdin/stdout support for integration in automated workflows.\n- **📦 Integrity Validation:** Built-in ZIP integrity checking with CRC verification.\n- **🔧 Cross-platform:** Works seamlessly across Linux, macOS, and Windows.\n- **⚡ Parallel Processing:** Leverages `rayon` for optimized performance on multi-core systems.\n- **🔐 Security First:** Built with secure-by-default cryptography using the `ring` crate for cryptographic operations.\n- **📊 Progress Tracking:** Visual progress bars for long-running operations with detailed ETA estimation.\n- **🔄 
Reproducible Builds:** Deterministic signing ensuring identical outputs for identical inputs.\n\n## 📦 Installation\n\n### From Binaries\n\nDownload the pre-built binary for your platform from the [Releases](https://github.com/MrCarb0n/zipsignerust/releases) page.\n\n### From Source\n\n```bash\n# Clone the repository\ngit clone https://github.com/MrCarb0n/zipsignerust.git\ncd zipsignerust\n\n# Build with cargo\ncargo build --release\n\n# Binary will be at target/release/zipsignerust\n```\n\n## 🛠️ Usage\n\n### Sign an Archive\n\n```bash\n# Basic signing (creates output file)\nzipsignerust sign input.zip signed-output.zip\n\n# Sign in-place (updates input file, creates .bak backup)\nzipsignerust sign --inplace input.zip\n\n# Custom keys\nzipsignerust sign input.zip output.zip --private-key key.pem --public-key cert.pem\n\n# Verbose mode with colorful output and progress indicators\nzipsignerust -v sign input.zip output.zip\n\n# Pipeline support: read from stdin and write to stdout\ncat input.zip | zipsignerust sign - - \u003e signed_output.zip\n```\n\n### Example Output\n\nWhen using verbose mode, ZipSignerust provides colorful, structured output:\n\n```\n+-----------------------+\n|  ZipSignerust v1.0.0  |\n+-----------------------+\n[i] Loading keys...\n\n-- SIGNING MODE --\n[i] Source: input.zip\n[i] Target: output.zip\n[i] Computing digests...\n[i] Signing artifact...\n[v] Timestamp used: 2066-06-06 00:06:06 UTC\n[v] mtime set on output: output.zip\n[+] Archive successfully signed.\n\nSigning Report:\n  Status          Success\n  Mode            Standard\n  Input           input.zip\n  Output          output.zip\n  Key Used        ZipSignerust Dev\n```\n\n### Verify an Archive\n\n```bash\n# Verify signature integrity\nzipsignerust verify signed-archive.zip\n\n# Verify with verbose output (shows detailed validation)\nzipsignerust -v verify signed-archive.zip\n\n# Verify against specific certificate\nzipsignerust verify signed-archive.zip --public-key 
my-cert.pem\n```\n\n### Verification Capabilities\n\nZipSignerust performs comprehensive verification including:\n\n- **Signature Validity:** Validates RSA signature against the certificate\n- **Manifest Integrity:** Ensures manifest hashes match actual files\n- **Entry Consistency:** Verifies all files have corresponding entries\n- **Digest Verification:** Checks SHA-1 digests for each file\n- **Structure Validation:** Ensures proper JAR signing format\n- **Integrity Check:** Performs CRC verification on all entries\n\n### Pipeline Support\n\nZipSignerust supports Unix-style pipelines for seamless integration in automated workflows:\n\n- Use `-` as input to read from stdin\n- Use `-` as output to write to stdout\n- Examples:\n  - Basic pipeline: `cat input.zip | zipsignerust sign - - \u003e signed.zip`\n  - Complex workflow: `zip -v -r -9 -Z bzip2 - * | zipsignerust sign - output.zip`\n- Progress indicators and colored output also work in pipeline mode when using the verbose flag\n\n## ⚙️ Advanced Options\n\n| Option                | Description                                            |\n| :-------------------- | :----------------------------------------------------- |\n| `-i`, `--inplace`     | Modify the input file directly (creates `.bak` backup) |\n| `-f`, `--overwrite`   | Force overwrite if output file exists                  |\n| `-k`, `--private-key` | Path to custom private key (PEM/PK8)                   |\n| `-p`, `--public-key`  | Path to custom public key/certificate (PEM)            |\n| `-v`, `--verbose`     | Enable verbose logging with progress indicators        |\n| `-q`, `--quiet`       | Suppress all output except errors                      |\n| `-V`, `--version`     | Print version information                              |\n\n## 🎨 Enhanced UI Features\n\nZipSignerust features a modern, colorful terminal interface with:\n\n- **Color-coded output** for different message types (success, warnings, errors, info)\n- **Progress bars** for 
long-running operations (when using `--verbose`)\n- **Structured tables** for displaying key-value information\n- **Improved banners** and headers for better visual organization\n- **Cross-platform color support** (including Windows terminal compatibility)\n\n## 🧩 How It Works\n\n1.  **Digest Computation:** Computes SHA-1 digests for all files in the archive, excluding signature files.\n2.  **Manifest Generation:** Creates `META-INF/MANIFEST.MF` with file paths and their SHA-1 digests.\n3.  **Signature File:** Creates `META-INF/CERT.SF` containing digests of the manifest entries.\n4.  **RSA Signature:** Creates `META-INF/CERT.RSA` with the RSA signature of the SF file.\n5.  **Nested Processing:** Recursively processes nested ZIP files within the archive, ensuring they're signed before the parent archive.\n6.  **Integrity Validation:** Performs CRC checks on all entries to ensure file integrity.\n7.  **Timestamp Setting:** Applies consistent timestamps for reproducible builds.\n\n## 📄 License\n\nThis project is licensed under the [GNU General Public License v3.0](LICENSE).\n\n---\n\n\u003cdiv align=\"center\"\u003e\nMade with ❤️ from Bangladesh 🇧🇩\n\u003c/div\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmrcarb0n%2Fzipsignerust","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmrcarb0n%2Fzipsignerust","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmrcarb0n%2Fzipsignerust/lists"}