relic

command module
v7.6.2
Published: Feb 5, 2024 License: Apache-2.0 Imports: 29 Imported by: 0

README

relic is a multi-tool and server for package signing and working with hardware security modules (HSMs).

Package types

  • RPM - Red Hat packages
  • DEB - Debian packages
  • JAR - Java archives
  • EXE (PE/COFF) - Windows executable
  • MSI - Windows installer
  • appx, appxbundle - Windows universal application
  • CAB - Windows cabinet file
  • CAT - Windows security catalog
  • XAP - Silverlight and legacy Windows Phone applications
  • PS1, PS1XML, MOF, etc. - Microsoft PowerShell scripts and modules
  • manifest, application - Microsoft ClickOnce manifest
  • VSIX - Visual Studio extension
  • Mach-O - macOS/iOS signed executables
  • DMG, PKG - macOS disk images / installer packages
  • APK - Android package
  • PGP - inline, detached or cleartext signature of data

Token types

relic can work with several types of token:

  • pkcs11 - Industry standard PKCS#11 HSM interface using shared object files
  • Cloud services - AWS, Azure and Google Cloud managed keys
  • scdaemon - The GnuPG scdaemon service can enable access to OpenPGP cards (such as YubiKey NEO)
  • file - Private keys stored in a password-protected file

Features

Relic is primarily meant to operate as a signing server, allowing clients to authenticate with a TLS certificate and sign packages remotely. It can also be used as a standalone signing tool.

Other features include:

  • Generating and importing keys in the token
  • Importing certificate chains from a PKCS#12 file
  • Creating X.509 certificate signing requests (CSR) and self-signed certificates
  • Limited X.509 CA support -- signing CSRs and cross-signing certificates
  • Creating simple PGP public keys
  • RSA and ECDSA supported for all signature types
  • Verifying signatures, certificate chains and timestamps on all supported package types
  • Sending audit logs to an AMQP broker, with an optional sealing signature
  • Saving token PINs in the system keyring

Platforms

Linux, Windows and macOS are supported. Other platforms probably work as well.

relic is tested using libsofthsm2 and Gemalto SafeNet Network HSM (Luna SA). Every vendor PKCS#11 implementation has quirks, so if relic doesn't work with your hardware please submit a pull request.

Installation

Pre-built client binaries are available from the GitHub releases page. Alternatively, relic can be built from source:

go install github.com/sassoftware/relic/v7@latest

The following build tags are also available:

  • clientonly - build a lightweight binary without standalone signing features

See doc/relic.yml for an example configuration.

Additional documentation

Reference specifications

Documentation

There is no documentation for this package.

Directories

Path Synopsis
cmdline
internal
activation
Package activation provides utilities for inheriting listening sockets from systemd, einhorn, socketmaster, and crank.
lib
atomicfile
Implement atomic write-rename file pattern.
binpatch
A means of conveying a series of edits to binary files.
comdoc
Microsoft Compound Document File Reference: https://www.openoffice.org/sc/compdocfileformat.pdf ERRATA: The above document says the 0th sector is always 512 bytes into the file.
pkcs7
PKCS#7 is a specification for signing or encrypting data using ASN.1 structures.
pkcs9
PKCS#9 is a specification for trusted timestamping.
redblack
Simple, incomplete red-black tree implementation meant only to rebuild the directory tree of a CDF file.
xmldsig
Implements a useful subset of the xmldsig specification for creating signatures over XML documents.
apk
cab
cat
deb
dmg
jar
msi
pgp
ps
rpm
xap
xar
