Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/sassoftware/relic
Relic is a service and a tool for adding digital signatures to operating system packages for Linux and Windows
- Host: GitHub
- URL: https://github.com/sassoftware/relic
- Owner: sassoftware
- License: apache-2.0
- Created: 2017-06-21T20:24:56.000Z (over 7 years ago)
- Default Branch: master
- Last Pushed: 2024-05-14T21:52:14.000Z (6 months ago)
- Last Synced: 2024-05-15T17:37:45.675Z (6 months ago)
- Language: Go
- Size: 5.35 MB
- Stars: 145
- Watchers: 16
- Forks: 39
- Open Issues: 9
Metadata Files:
- Readme: README.md
- License: LICENSE
README
relic is a multi-tool and server for package signing and working with hardware security modules (HSMs).
# Package types
* RPM - RedHat packages
* DEB - Debian packages
* JAR - Java archives
* EXE (PE/COFF) - Windows executable
* MSI - Windows installer
* appx, appxbundle - Windows universal application
* CAB - Windows cabinet file
* CAT - Windows security catalog
* XAP - Silverlight and legacy Windows Phone applications
* PS1, PS1XML, MOF, etc. - Microsoft Powershell scripts and modules
* manifest, application - Microsoft ClickOnce manifest
* VSIX - Visual Studio extension
* Mach-O - macOS/iOS signed executables
* DMG, PKG - macOS disk images / installer packages
* APK - Android package
* PGP - inline, detached or cleartext signature of data

# Token types

relic can work with several types of token:

* pkcs11 - Industry standard PKCS#11 HSM interface using shared object files
* Cloud services - AWS, Azure and Google Cloud managed keys
* scdaemon - The GnuPG scdaemon service can enable access to OpenPGP cards (such as Yubikey NEO)
* file - Private keys stored in a password-protected file

# Features

Relic is primarily meant to operate as a signing server, allowing clients to authenticate with a TLS client certificate and sign packages remotely. It can also be used as a standalone signing tool. Other features include:
* Generating and importing keys in the token
* Importing certificate chains from a PKCS#12 file
* Creating X509 certificate signing requests (CSR) and self-signed certificates
* Limited X509 CA support -- signing CSRs and cross-signing certificates
* Creating simple PGP public keys
* RSA and ECDSA supported for all non-PGP signature types (due to a limitation in the underlying PGP implementation, ECDSA is not currently possible for PGP signature types)
* Verify signatures, certificate chains and timestamps on all supported package types
* Save token PINs in the system keyring

# Platforms
Linux, Windows and MacOS are supported. Other platforms probably work as well.

relic is tested using libsofthsm2. Every vendor PKCS#11 implementation has quirks, so if relic doesn't work with your hardware, please submit a pull request.
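The items in the Features list above (creating CSRs and self-signed certificates, a limited CA that signs CSRs, verifying certificate chains, and clients that authenticate to the signing server with a TLS certificate) fit together as one flow. The following Go program is an added example written against Go's standard library, not code from the relic project: the CA and client names are constructed here, and keying the client allowlist on the SHA-256 fingerprint of the presented certificate is an assumed design, not relic's configuration format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl under parent with signer's key; parent == tmpl gives a self-signed cert.
func issue(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCA creates a self-signed ECDSA P-256 CA certificate and its private key.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca, err := issue(tmpl, tmpl, &key.PublicKey, key)
	return ca, key, err
}

// newCSR generates a key pair and a PKCS#10 request; the private key never leaves the requester.
func newCSR(name string) (*x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: name}}, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

// signCSR is the limited CA: check the request's self-signature (proof of key possession),
// then issue a short-lived leaf usable only for TLS client authentication.
func signCSR(csr *x509.CertificateRequest, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature check failed: %w", err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return issue(tmpl, ca, csr.PublicKey, caKey)
}

// fingerprint is the hex SHA-256 of the DER certificate. Keying the allowlist on it is
// an assumed pattern for this example, not relic's own client configuration format.
func fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// verifyClient is what a signing server does per connection: chain the presented leaf
// to the CA with the client-auth usage, then look its fingerprint up in the allowlist.
func verifyClient(leaf, ca *x509.Certificate, enrolled map[string]string) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("chain verification failed: %w", err)
	}
	if nick, ok := enrolled[fingerprint(leaf)]; ok {
		return nick, nil
	}
	return "", fmt.Errorf("certificate %s is valid but not enrolled", fingerprint(leaf)[:16])
}
```

Calling newCA, newCSR and signCSR in turn yields the CA, the request and the issued client certificate; verifyClient then accepts that certificate only when it chains to the CA with the client-auth usage and its fingerprint is enrolled. A certificate from a different CA with the same subject fails the chain check, and a certificate the CA did issue but nobody enrolled fails the allowlist check. Both refusals matter on a signing server, where a stolen or mis-issued client certificate would otherwise yield valid package signatures.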
# Installation
Pre-built client binaries are available from the GitHub releases page. Alternately, relic can be built from source:

```
go install github.com/sassoftware/relic/v8@latest
```
The following build tags are also available:
* clientonly - build a lightweight binary without standalone signing features
See [doc/relic.yml](./doc/relic.yml) for an example configuration.
# Additional documentation
* [Signing Android packages](./doc/android.md)
* [Signing MacOS binaries](./doc/macos.md)
* [Using Azure Key Vault](./doc/azure.md)
* [Using a PGP card, YubiKey etc.](./doc/pgpcard.md)

# Related projects
* SoftHSMv2 - file-based PKCS#11 implementation for testing https://github.com/opendnssec/SoftHSMv2
* uts-server - timestamping server for testing https://github.com/kakwa/uts-server
* osslsigncode - Signs EXEs, MSIs, and CABs using openssl https://sourceforge.net/projects/osslsigncode/
* fb-util-for-appx - Builds signed APPX archives https://github.com/facebook/fb-util-for-appx
* OpenVsixSignTool - Sign VSIX extensions using an Azure key vault https://github.com/vcsjones/OpenVsixSignTool

# Reference specifications
* PE/COFF specification - https://www.microsoft.com/en-us/download/details.aspx?id=19509
* Authenticode PE specification - http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx
* Microsoft ClickOnce manifest structure - https://msdn.microsoft.com/en-us/library/dd947276(v=office.12).aspx
* Microsoft Compound File format (for MSI) - https://msdn.microsoft.com/en-us/library/dd942138.aspx
* Alternate reference for compound document format from OpenOffice - https://www.openoffice.org/sc/compdocfileformat.pdf