
Text file src/github.com/sassoftware/relic/README.md

Documentation: github.com/sassoftware/relic

relic is a multi-tool and server for package signing and working with hardware security modules (HSMs).

# Package types
* RPM - Red Hat packages
* DEB - Debian packages
* JAR - Java archives
* EXE (PE/COFF) - Windows executable
* MSI - Windows installer
* appx, appxbundle - Windows universal application
* CAB - Windows cabinet file
* CAT - Windows security catalog
* XAP - Silverlight and legacy Windows Phone applications
* PS1, PS1XML, MOF, etc. - Microsoft PowerShell scripts and modules
* manifest, application - Microsoft ClickOnce manifest
* VSIX - Visual Studio extension
* APK - Android package
* PGP - inline, detached or cleartext signature of data

# Token types
relic can work with several types of token:

* pkcs11 - Industry-standard PKCS#11 HSM interface, loaded from the vendor's shared object file
* scdaemon - The GnuPG scdaemon service, giving access to OpenPGP cards (such as the YubiKey NEO)
* file - Private keys stored in a password-protected file

# Features
Relic is primarily meant to operate as a signing server: clients authenticate with a TLS client certificate and sign packages remotely, so the signing keys stay on the server's token. It can also be used as a standalone signing tool.

Other features include:

* Generating and importing keys in the token
* Importing certificate chains from a PKCS#12 file
* Creating X.509 certificate signing requests (CSRs) and self-signed certificates
* Limited X.509 CA support -- signing CSRs and cross-signing certificates
* Creating simple PGP public keys
* RSA and ECDSA support for all signature types
* Verifying signatures, certificate chains and timestamps on all supported package types
* Sending audit logs to an AMQP broker, with an optional sealing signature
* Saving token PINs in the system keyring

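The CSR, CA and verification features above, carried through end to end as an added Go example (this is not relic's own code; relic would hold the CA key in a token rather than in memory): a self-signed root, a CSR for a freshly generated ECDSA key, issuance of a code-signing leaf after checking the CSR's proof of possession, and verification of a detached signature together with the chain. The names "Example Signing Root" and "Example Package Signer" and the data being signed are constructed for the example; everything else is the Go standard library's crypto/x509 and crypto/ecdsa.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with the parent's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub any, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SelfSignedCA mints a root signed by its own key (relic would keep that key in a token).
func SelfSignedCA(name string, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return issue(tmpl, tmpl, &key.PublicKey, key)
}

// IssueCodeSigningCert is the "limited CA" step: check the CSR's own signature
// (proof the requester holds the key), then issue a leaf on the CA's terms.
func IssueCodeSigningCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("csr signature: %w", err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)) // random, never sequential
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               csr.Subject, // only the name is taken from the request
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(30 * 24 * time.Hour),
		BasicConstraintsValid: true, // IsCA stays false: the leaf cannot issue certificates
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	return issue(tmpl, ca, csr.PublicKey, caKey)
}

// SignDetached produces an ECDSA/SHA-256 signature over data with the signer's key.
func SignDetached(key *ecdsa.PrivateKey, data []byte) ([]byte, error) {
	sum := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, key, sum[:])
}

// VerifySigned checks sig against leaf and that leaf chains to root with the code-signing EKU.
func VerifySigned(data, sig []byte, leaf, root *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	return leaf.CheckSignature(x509.ECDSAWithSHA256, data, sig)
}

// Enrol runs the flow end to end: new CA, new signer key, CSR, issued leaf.
func Enrol() (root, leaf *x509.Certificate, key *ecdsa.PrivateKey, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	if root, err = SelfSignedCA("Example Signing Root", caKey); err != nil {
		return nil, nil, nil, err
	}
	if key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
		return nil, nil, nil, err
	}
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "Example Package Signer"}}
	csr, err := x509.CreateCertificateRequest(rand.Reader, req, key)
	if err != nil {
		return nil, nil, nil, err
	}
	leaf, err = IssueCodeSigningCert(root, caKey, csr)
	return root, leaf, key, err
}
```

Note what the CA does not take from the request: serial number, validity period, key usages and the CA flag are all set by the issuer, which is what stops a requester from turning a code-signing enrolment into a sub-CA. The verifier restricts the chain to the code-signing EKU, so a certificate the same root issued for TLS would not validate a package, and a leaf from an unrelated root fails the chain check before the signature is even looked at.
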
# Platforms
Linux and Windows are supported. Other platforms probably work as well.

relic is tested using libsofthsm2 and the Gemalto SafeNet Network HSM (Luna SA). Every vendor's PKCS#11 implementation has its quirks, so if relic doesn't work with your hardware, please submit a pull request.

# Installation
1. Install the ltdl development headers, for example:
    a. `dnf install libtool-ltdl-devel` or
    b. `apt-get install libltdl-dev`
2. `go get github.com/sassoftware/relic`

relic can also be built as a client-only tool, removing the dependency on ltdl, by building with `-tags pure` or by disabling cgo (`CGO_ENABLED=0`). Such a build can talk to a relic server but cannot load a PKCS#11 module itself, since that is what ltdl is used for.

See distro/linux/relic.yml for an example configuration.

# Related projects
* SoftHSMv2 - file-based PKCS#11 implementation for testing https://github.com/opendnssec/SoftHSMv2
* uts-server - timestamping server for testing https://github.com/kakwa/uts-server
* osslsigncode - Signs EXEs, MSIs, and CABs using openssl https://sourceforge.net/projects/osslsigncode/
* fb-util-for-appx - Builds signed APPX archives https://github.com/facebook/fb-util-for-appx
* OpenVsixSignTool - Sign VSIX extensions using an Azure key vault https://github.com/vcsjones/OpenVsixSignTool

# Reference specifications
* PE/COFF specification - https://www.microsoft.com/en-us/download/details.aspx?id=19509
* Authenticode PE specification - http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx
* Microsoft ClickOnce manifest structure - https://msdn.microsoft.com/en-us/library/dd947276(v=office.12).aspx
* Microsoft Compound File format (for MSI) - https://msdn.microsoft.com/en-us/library/dd942138.aspx
* Alternate reference for compound document format from OpenOffice - https://www.openoffice.org/sc/compdocfileformat.pdf
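
To make concrete what the Authenticode PE specification above means when an EXE is signed or verified: the signature covers the file's Authenticode digest rather than a plain hash of the file, because the signature itself has to be appended to the file afterwards. The following Go program is an added example, not relic's implementation, of that digest as the specification defines it: hash the headers minus the CheckSum field and the Certificate Table directory entry, then each section's raw data in file-offset order, then any trailing data minus the certificate table. The input is a constructed, minimal PE32+ image assembled by `buildPE` (not a loadable executable); the field offsets are taken from the PE/COFF and Authenticode specifications, and the trailing-data step follows the specification's SUM_OF_BYTES_HASHED (SizeOfHeaders plus every SizeOfRawData).

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
)

// Optional-header offsets from the PE/COFF spec: SizeOfHeaders, CheckSum, Certificate Table entry (PE32, PE32+).
const sizeOfHeadersOff, checksumOff, certDirPE32, certDirPE32Plus = 60, 64, 128, 144
var le = binary.LittleEndian

// AuthenticodeSHA256 returns the hex SHA-256 Authenticode digest of a PE image:
// the whole file except the CheckSum field, the Certificate Table directory
// entry and the certificate table itself, with sections taken in file order.
func AuthenticodeSHA256(pe []byte) (string, error) {
	n := uint64(len(pe))
	fits := func(off, size uint64) bool { return off <= n && size <= n-off }
	if n < 64 || string(pe[:2]) != "MZ" {
		return "", errors.New("not a PE image")
	}
	peOff := uint64(le.Uint32(pe[0x3c:])) // e_lfanew
	if !fits(peOff, 24+0x70) || string(pe[peOff:peOff+4]) != "PE\x00\x00" {
		return "", errors.New("bad or truncated PE header")
	}
	opt := peOff + 24 // optional header follows "PE\0\0" and the 20-byte COFF header
	nSections, optEnd := uint64(le.Uint16(pe[peOff+6:])), opt+uint64(le.Uint16(pe[peOff+20:]))
	certDir := opt + certDirPE32
	if le.Uint16(pe[opt:]) == 0x20b { // PE32+ magic
		certDir = opt + certDirPE32Plus
	}
	hdrEnd := uint64(le.Uint32(pe[opt+sizeOfHeadersOff:])) // SizeOfHeaders
	if certDir+8 > optEnd || optEnd+nSections*40 > hdrEnd || hdrEnd > n {
		return "", errors.New("headers out of range")
	}
	certOff, certSize := uint64(le.Uint32(pe[certDir:])), uint64(le.Uint32(pe[certDir+4:]))
	h := sha256.New()
	h.Write(pe[:opt+checksumOff])            // headers up to CheckSum
	h.Write(pe[opt+checksumOff+4 : certDir]) // skip CheckSum, up to the Certificate Table entry
	h.Write(pe[certDir+8 : hdrEnd])          // skip that entry, then the rest of the headers
	// Section bodies ordered by PointerToRawData; hashed tracks the spec's SUM_OF_BYTES_HASHED.
	secs := make([][2]uint64, nSections) // {PointerToRawData, SizeOfRawData}
	for i := range secs {
		s := optEnd + uint64(i)*40
		secs[i] = [2]uint64{uint64(le.Uint32(pe[s+20:])), uint64(le.Uint32(pe[s+16:]))}
	}
	sort.Slice(secs, func(i, j int) bool { return secs[i][0] < secs[j][0] })
	hashed := hdrEnd
	for _, s := range secs {
		if !fits(s[0], s[1]) {
			return "", errors.New("section beyond end of file")
		}
		h.Write(pe[s[0] : s[0]+s[1]])
		hashed += s[1]
	}
	// Anything after the sections is covered too, minus the certificate table itself.
	if certSize == 0 {
		certOff = n // no table: hash through to the end of the file
	}
	if hashed > n || certOff < hashed || !fits(certOff, certSize) {
		return "", errors.New("sections or certificate table out of range")
	}
	h.Write(pe[hashed:certOff])
	h.Write(pe[certOff+certSize:])
	return hex.EncodeToString(h.Sum(nil)), nil
}

// buildPE assembles a constructed, minimal PE32+ image for the demo (not loadable):
// headers padded to 512 bytes, one 512-byte section of payload, optional cert table.
func buildPE(checksum uint32, payload byte, cert []byte) []byte {
	pe := make([]byte, 1024)
	copy(pe, "MZ")
	le.PutUint32(pe[0x3c:], 64) // e_lfanew: PE signature right after the DOS header
	copy(pe[64:], "PE\x00\x00")
	le.PutUint16(pe[70:], 1)   // NumberOfSections
	le.PutUint16(pe[84:], 240) // SizeOfOptionalHeader for PE32+
	opt := pe[88:328]
	le.PutUint16(opt, 0x20b) // PE32+ magic
	le.PutUint32(opt[sizeOfHeadersOff:], 512)
	le.PutUint32(opt[checksumOff:], checksum)
	if len(cert) > 0 {
		le.PutUint32(opt[certDirPE32Plus:], 1024) // table starts right after the section
		le.PutUint32(opt[certDirPE32Plus+4:], uint32(len(cert)))
	}
	le.PutUint32(pe[328+16:], 512) // first section header: SizeOfRawData
	le.PutUint32(pe[328+20:], 512) // PointerToRawData
	copy(pe[512:], bytes.Repeat([]byte{payload}, 512))
	return append(pe, cert...)
}

func main() {
	unsigned, _ := AuthenticodeSHA256(buildPE(0, 0x90, nil))
	signed, _ := AuthenticodeSHA256(buildPE(0xdeadbeef, 0x90, []byte("constructed certificate table")))
	fmt.Println("digest unchanged by CheckSum and certificate table:", unsigned == signed)
}
```

Running it shows that attaching a certificate table and rewriting CheckSum leave the digest unchanged, while changing a single byte of section data changes it; a real verifier additionally parses the PKCS#7 SignedData held in that table and compares the digest in its SpcIndirectDataContent with this value. Because the whole certificate table is excluded, bytes placed inside it beyond the signature blob do not affect the digest either, which is why a verifier should also check the table's own length fields rather than treat everything after the sections as signed.
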
