https://github.com/ratware-official/ratsign
Signs files with an encrypted private key and password, and verifies them using their signature file and a trusted public key or key ID.
- Host: GitHub
- URL: https://github.com/ratware-official/ratsign
- Owner: ratware-official
- License: other
- Created: 2025-10-21T21:16:38.000Z (8 months ago)
- Default Branch: main
- Last Pushed: 2025-10-22T16:52:29.000Z (8 months ago)
- Last Synced: 2025-10-22T18:35:43.784Z (8 months ago)
- Topics: cli, cryptography, csharp, dotnet, signing
- Language: C#
- Homepage:
- Size: 13.7 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE.md
README
## ratSIGN
**ratSIGN** is a command-line utility for **secure file signing and verification** based on the
[ratCORE.Signing](https://github.com/ratware-official/ratCORE.Signing) library (ECDSA P-256 + SHA-256).
It enables developers and release pipelines to generate cryptographically strong digital signatures,
ensuring the authenticity and integrity of published files.
---
### 🚀 Features
- **Sign files** using encrypted private key files (`.sec.json`) and a secret password.
- **Verify files** using their detached signature (`.ratsig`) and either:
  - a **public key** (Base64 uncompressed EC point), or
  - a **KeyId** (`Base64(SHA256(pub))`) as trust anchor.
- **Generate keys** securely via PBKDF2-SHA256 + AES-256-GCM encryption.
- **Cross-platform:** works on **Windows**, **Linux**, and **macOS**.
- **No dependencies** beyond .NET 8.
---
### 🧩 Clone with Submodules
This project uses [ratCORE.Signing](https://github.com/ratware-official/ratCORE.Signing) as a Git submodule.
To clone this repository including all dependencies, use:
```bash
git clone --recurse-submodules https://github.com/ratware-official/ratSIGN.git
```
If you've already cloned it without submodules, run:
```bash
git submodule update --init --recursive
```
---
### ⚙️ Build & Publish
Framework-dependent (requires .NET runtime to be installed):

- Windows: `dotnet publish -c Release -r win-x64 --self-contained false`
- Linux: `dotnet publish -c Release -r linux-x64 --self-contained false`
- macOS: `dotnet publish -c Release -r osx-arm64 --self-contained false`

Self-contained (includes .NET runtime in the binary):

- Windows: `dotnet publish -c Release -r win-x64 --self-contained true`
- Linux: `dotnet publish -c Release -r linux-x64 --self-contained true`
- macOS: `dotnet publish -c Release -r osx-arm64 --self-contained true`

Single-file (bundles all dependencies into one executable; avoid trimming because of reflection):

- Windows: `dotnet publish -c Release -r win-x64 --self-contained true -p:PublishSingleFile=true -p:PublishTrimmed=false`
- Linux: `dotnet publish -c Release -r linux-x64 --self-contained true -p:PublishSingleFile=true -p:PublishTrimmed=false`
- macOS: `dotnet publish -c Release -r osx-arm64 --self-contained true -p:PublishSingleFile=true -p:PublishTrimmed=false`

> **Note:**
> - For *framework-dependent* builds, distribute the **entire `publish/` folder** (including `ratCORE.Signing.dll`).
> - For *self-contained single-file* builds, distribute **only the generated executable**.
---
### 🧩 Commands Overview
| Command | Description |
|----------|-------------|
| `keygen` | Generates a new ECDSA-P256 key pair and writes an encrypted key file (`.sec.json`). |
| `sign` | Signs a file using an encrypted key file and password. Produces `.ratsig`. |
| `verify` | Verifies a file using its `.ratsig` and a trusted public key or KeyId. |
| `keyid` | Computes a KeyId (`Base64(SHA256(pub))`) for a given public key. |
| `version` | Displays version information and license details. |
---
### 🔐 Usage
```bash
ratsign [command] [options]
```
#### Generate a key
```bash
ratsign keygen --out . --iterations 300000 --name release-key
```
- Creates a password-protected key file: `ratsign_.sec.json`.
#### Sign a file
```bash
ratsign sign --file ./payload.bin --key ./release-key.sec.json --comment "release:1"
```
- Produces `payload.bin.ratsig`, containing the signature and metadata.
#### Verify a file (with public key)
```bash
ratsign verify --file ./payload.bin --sig ./payload.bin.ratsig --pub BM5X...LFfU=
```
#### Verify a file (with KeyId)
```bash
ratsign verify --file ./payload.bin --sig ./payload.bin.ratsig --keyid 8/zk...8LEs=
```
#### Compute KeyId from a public key
```bash
ratsign keyid --pub BM5X...LFfU=
```
#### Show version information
```bash
ratsign version
```
---
### ⚙️ Options Summary
#### `keygen`
| Option | Description |
|---------|-------------|
| `--out ` | Output directory for the key file (default: current). |
| `--iterations ` | PBKDF2 iterations (default: 300000). |
| `--name ` | Optional base name for the key file (default: auto from KeyId). |
#### `sign`
| Option | Description |
|---------|-------------|
| `--file ` | File to sign. |
| `--key ` | Encrypted key file. |
| `--out ` | Output signature file (default: `.ratsig`). |
| `--comment ""` | Optional comment included in the signature. |
#### `verify`
| Option | Description |
|---------|-------------|
| `--file ` | File to verify. |
| `--sig ` | Detached signature file. |
| `--pub ` | Trusted public key (uncompressed `0x04 \|\| X \|\| Y`, Base64). |
| `--keyid ` | Trusted KeyId (`Base64(SHA256(pub))`). |
#### `keyid`
| Option | Description |
|---------|-------------|
| `--pub ` | Public key to calculate KeyId from. |
---
### 🧠 Notes
- **Algorithm:** ECDSA P-256 with SHA-256
- **Public key format:** `0x04 || X(32) || Y(32)` (uncompressed EC point, Base64-encoded)
- **KeyId:** `Base64(SHA256(pub))` — recommended for trust verification
- **Encryption:** AES-256-GCM with PBKDF2-SHA256 derived keys
- **Signatures:** DER-encoded, stored as Base64 in `.ratsig` JSON
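
The key format and KeyId described in these notes can be checked independently of the tool before a KeyId is pinned as a trust anchor. The following is an added example, not code from ratSIGN or ratCORE.Signing: it assumes the KeyId hash covers the 65 raw key bytes (not the Base64 text), adds an on-curve check that the page does not mention, and uses hypothetical function names with the P-256 base point as a constructed sample key.

```python
import base64
import hashlib
import hmac

# NIST P-256 domain parameters (curve: y^2 = x^3 - 3x + b mod p).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b


def decode_public_key(pub_b64: str) -> bytes:
    """Decode and validate a Base64 uncompressed P-256 point (0x04 || X || Y)."""
    try:
        raw = base64.b64decode(pub_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("public key is not valid Base64") from exc
    if len(raw) != 65 or raw[0] != 0x04:
        raise ValueError("expected 65 bytes starting with 0x04")
    x = int.from_bytes(raw[1:33], "big")
    y = int.from_bytes(raw[33:], "big")
    if x >= P or y >= P or (y * y - (x * x * x - 3 * x + B)) % P != 0:
        raise ValueError("point is not on the P-256 curve")
    return raw


def key_id(pub_b64: str) -> str:
    """KeyId = Base64(SHA256(pub)); assumes the hash covers the 65 raw bytes."""
    digest = hashlib.sha256(decode_public_key(pub_b64)).digest()
    return base64.b64encode(digest).decode()


def matches_pinned_key_id(pub_b64: str, pinned_key_id: str) -> bool:
    """Compare a candidate key against a pinned KeyId; malformed keys never match."""
    try:
        candidate = key_id(pub_b64)
    except ValueError:
        return False
    return hmac.compare_digest(candidate.encode(), pinned_key_id.encode())


# Constructed sample: the P-256 base point G, used only as a well-formed test key.
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
SAMPLE_PUB = base64.b64encode(
    b"\x04" + GX.to_bytes(32, "big") + GY.to_bytes(32, "big")
).decode()

if __name__ == "__main__":
    print("KeyId:", key_id(SAMPLE_PUB))
```

If the output for a real key differs from what `ratsign keyid --pub` prints, the raw-bytes assumption does not hold for this tool and the tool's own value is authoritative.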
---
### 🧱 Exit Codes
| Code | Meaning |
|------|----------|
| `0` | Success (valid signature / command completed) |
| `1` | Verification failed (invalid signature or untrusted key) |
| `2` | General error (invalid arguments, I/O, crypto failure) |
---
### 🧩 Example Workflow
```bash
# Generate key
ratsign keygen --out ./keys --name build2025
# Sign file
ratsign sign --file ./release.zip --key ./keys/build2025.sec.json --comment "release build 2025"
# Verify (trusted keyid)
ratsign verify --file ./release.zip --sig ./release.zip.ratsig --keyid 8/zk...8LEs=
```
---
### 📦 Requirements
- .NET 8 Runtime or SDK
- [ratCORE.Signing](https://github.com/ratware-official/ratCORE.Signing) library
- Supported OS: **Windows**, **Linux**, **macOS**
---
### 🧩 About
**ratSIGN** is part of the **ratCORE** framework — a suite of lightweight, secure, and reusable tools
for developers and system maintainers.
It provides an easy-to-use interface for signing and verifying digital content.
---
**License:** Creative Commons Attribution 4.0 International (CC BY 4.0)
**Copyright © 2025 ratware**