{"id":19442956,"url":"https://github.com/syncom/sf-signer","last_synced_at":"2025-02-25T07:45:35.369Z","repository":{"id":37387986,"uuid":"505672980","full_name":"syncom/sf-signer","owner":"syncom","description":"A simple file signing utility using X.509 certificates, in Haskell","archived":false,"fork":false,"pushed_at":"2024-06-02T00:58:31.000Z","size":258,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-01-07T22:13:11.055Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Haskell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/syncom.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-06-21T03:12:15.000Z","updated_at":"2022-11-03T16:28:05.000Z","dependencies_parsed_at":"2024-11-10T15:44:19.170Z","dependency_job_id":null,"html_url":"https://github.com/syncom/sf-signer","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/syncom%2Fsf-signer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/syncom%2Fsf-signer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/syncom%2Fsf-signer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/syncom%2Fsf-signer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/syncom","download_url":"https://codeload.github.com/syncom/sf-signer/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":240627065,"owners_count":19831592,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-10T15:41:32.765Z","updated_at":"2025-02-25T07:45:34.954Z","avatar_url":"https://github.com/syncom.png","language":"Haskell","readme":"# sf-signer: S/MIME File Signer\n\nA simple file signing utility using X509 certificates so you don't have\nto deal with `openssl`. Ubuntu Linux and MacOS are supported.\n\n## For development\n\n```bash\n# Install stack\ncurl -sSL https://get.haskellstack.org/ | sh\n# On Ubuntu install openssl headers\nsudo apt install libssl-dev\n# Build\nmake build\n# Test\nmake test\n# Clean\nmake clean\n```\n\n## How to use\n\n1. You may use the prebuilt release binaries if you are on\n`linux-x86_64` and `darwin-x86_64` platforms. Otherwise, you can always\nbuild `sfsigner` from source (the generated artifact is\n`build/sfsigner`).\n\n   ```bash\n   make build\n   ```\n\n   On Linux (Ubuntu), it's possible to build the `sfsigner` binary\n   statically\n\n   ```bash\n   make static-build\n   ```\n\n2. Sign and verify files\n\n   - Synopsis\n\n     ```text\n     A file signing utility with X.509 certificates\n\n     Usage: sfsigner (version | sign | verify)\n\n     Available options:\n       -h,--help                Show this help text\n\n     Available commands:\n       version                  Show version\n       sign                     Sign payload file.\n         Private signing key is obtained from environment variable\n         SFSIGNER_PRIVATE_KEY. Only RSA keys are supported currently.\n       verify                   Verify signature of payload file\n     ```\n\n   - Example signing commands\n\n     ```bash\n     # Set environment variable SFSIGNER_PRIVATE_KEY for private key.\n     # This is particularly useful in CI, where the environment variable\n     # can be populated from a secrets manager\n     export SFSIGNER_PRIVATE_KEY=\"$(cat /path/to/private.key)\"\n\n     # Print signature in stdout\n     build/sfsigner sign /path/to/payload_file -c /path/to/certificate\n     # Write signature to signature_file\n     build/sfsigner sign /path/to/payload_file -c /path/to/certificate -o /path/to/signature_file\n     ```\n\n   - Example signature verification commands\n\n     ```bash\n     # Use test data. Should get \"Verification: success\"\n     build/sfsigner verify test/payload.txt \\\n       --signature test/signature.pem \\\n       --cert test/certificate.pem \\\n       --cacert test/cacert.pem\n     # If cacert is not present, skip chained verification. Should get\n     # \"Verification: success\"\n     build/sfsigner verify test/payload.txt \\\n       --signature test/signature.pem \\\n       --cert test/certificate.pem\n     ```\n\n     Alternatively, signature verification can be done with `openssl smime`\n\n     ```bash\n     # Verification chained to CA cert\n     openssl smime -verify \\\n       -binary \\\n       -content test/payload.txt \\\n       -in test/signature.pem -inform PEM \\\n       -certfile test/certificate.pem \\\n       -nointern \\\n       -CAfile test/cacert.pem \\\n       -purpose any\n     # Use leaf certificate as root of trust\n     openssl smime -verify \\\n       -binary \\\n       -content test/payload.txt \\\n       -in test/signature.pem -inform PEM \\\n       -certfile test/certificate.pem \\\n       -nointern \\\n       -CAfile test/certificate.pem \\\n       -purpose any\n     ```\n\n     Currently, only RSA signing keys are supported. An example Public\n     Key Infrastructure (PKI) can be found in [test/pki/](./test/pki/),\n     where the CA certificates (`ExampleRootCA.crt`) and signer's\n     certificate (`testuser_sfsigner.example.crt`) as well as their\n     associated private keys, etc, were created using\n     [certstrap](https://github.com/square/certstrap), with the\n     following commands (and empty passwords)\n\n     ```bash\n     certstrap init --common-name \"ExampleRootCA\" --key-bits 4096\n     certstrap request-cert --common-name \"testuser@sfsigner.example\" --key-bits 4096\n     certstrap sign testuser_sfsigner.example --CA ExampleRootCA\n     ```\n\n## How to sign artifact in CI release flow\n\nPlease refer to [How to sign a release artifact in GitHub\nActions](docs/sign-artifact-in-gha.md) for a setup.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsyncom%2Fsf-signer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsyncom%2Fsf-signer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsyncom%2Fsf-signer/lists"}