A multi-threaded PDF password cracking utility equipped with
commonly encountered password format builders and dictionary
attacks.
WWW: https://github.com/mufeedvh/pdfrip
KeePassXC > 2.7.6 removed support for YubiKey and other dongles.
Repocopy security/keepassxc to keepassxc276 in order to facilitate
updating keepassxc while allowing users to continue to use keepassxc 2.7.6
with YubiKey, using the opportunity to look for alternatives.
Suggested by: madpilot
PR: 279879
Approved by: lwhsu (MAINTAINER)
DISTRO2SBOM generates an SBOM (Software Bill of Materials) for either an
installed application or a complete system installation, in a number of
formats including SPDX and CycloneDX.
WWW: https://github.com/anthonyharrison/distro2sbom
PR: 286645
Sponsored by: The FreeBSD Foundation
Lib4SBOM is a library to parse and generate Software Bill of Materials
(SBOMs). It supports SBOMs created in both SPDX and CycloneDX formats.
WWW: https://github.com/anthonyharrison/lib4sbom
PR: 286644
Sponsored by: The FreeBSD Foundation
Upstream has split most of the bindings out into separate projects with
this release, so the child ports that were previously providing various
bindings are now autonomous and have new origins. The python bindings
should have been called py-gpg for many years now, since 'gpg' is the
actual module name, so this also corrects that issue.
security/gpgme-cpp -> security/gpgmepp
security/gpgme-qt -> security/qgpgme
security/py-gpgme -> security/py-gpg
gpgmepp and qgpgme have been converted to CMake. py-gpg is now a "fun"
autotools and FreeBSD ports system hybrid. Gpgme, itself, still uses
autotools, but with much less parenting (patching) to do for its
emancipated children.
Adjust several ports to fix API incompatibility with upstream patches
and with some of my own. Adjust all consumers to use the new port
origins of the former child ports.
https://dev.gnupg.org/T7673
Certmonger is primarily concerned with getting you or your system
enrolled with a certificate authority (CA) and keeping you enrolled.
To do this, the certmonger daemon runs in the background, taking guidance from
client tools (via a D-Bus API, a command-line tool is provided which uses it).
The daemon:
- can generate key pairs if you don't already have one
- can use a key pair to generate a certificate signing request
- can submit the signing request to a CA
- can wait for the CA to decide whether or not to issue the certificate
- can store an issued certificate in a specified location
- can monitor the certificate to see if it's about to expire
- can warn you or simply log that a certificate is about to expire
- can attempt to get a new certificate when a certificate is about to expire
The goal is to have certmonger do what you need it to do based on what you've
told it you need. If you already have a certificate, it will be happy to just
check on it periodically and warn you when it's about to expire. If you tell it
where the private key is, and where the CA is, it can go ahead and try to
re-enroll if you like.
Keys and certificates can be stored and read in any of these formats:
- PEM-formatted files
- NSS database (dbm or sql)
tscli is a fast, single-binary CLI for the Tailscale HTTP API. From
your terminal you can manage devices, users, auth keys, webhooks,
posture integrations, tailnet-wide settings, and even hit raw
endpoints when the SDK hasn’t caught up yet.
PR: 286845
Approved by: acm (mentor)
Govulncheck reports known vulnerabilities that affect Go code.
It uses static analysis of source code or a binary's symbol table
to narrow down reports to only those that could affect the
application.
- Submitter becomes maintainer
WWW: https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
PR: 285627
Makes the TPM 2.0 accessible via the standard OpenSSL API and
command-line tools, so one can add TPM support to (almost) any
OpenSSL 3.x based application.
PR: 286218
Pull Request: https://github.com/freebsd/freebsd-ports/pull/393
Co-authored-by: Gleb Popov <arrowd@FreeBSD.org>
openvpn-auth-oauth2 handles single sign-on (SSO) authentication
for OpenVPN servers. Authentication can be performed against
various identity providers, including Microsoft Entra ID,
GitHub, Okta, Google, Keycloak and other OIDC-compliant providers.
Docs are at https://github.com/jkroepke/openvpn-auth-oauth2
NetBird is an open-source WireGuard-based overlay network combined with
Zero Trust Network Access, providing secure and reliable connectivity
to internal resources.
Key features:
- Zero-config VPN: Easily create secure connections between devices without
manual network setup.
- Built on WireGuard: Leverages WireGuard's high-performance encryption for
fast and secure communication.
- Self-hosted or Cloud-managed: Users can deploy their own NetBird management
server or use NetBird Cloud for centralized control.
- Access Control & Routing: Fine-grained access control policies and automatic
network routing simplify connectivity.
This FreeBSD port provides the NetBird client daemon and CLI tools,
allowing FreeBSD systems to join a NetBird mesh network and securely
communicate with other peers.
For more details, visit: https://netbird.io
PR: 284877
Software Supply Chain Transparency Log
Rekor's goal is to provide an immutable, tamper-resistant ledger of
metadata generated within a software project's supply chain. Rekor will
enable software maintainers and build systems to record signed metadata
to an immutable record. Other parties can then query that metadata to
make informed decisions on trust and non-repudiation of an object's
lifecycle.
The Rekor project provides a RESTful API-based server for validation and
a transparency log for storage. A CLI application is available to make
and verify entries, query the transparency log for inclusion proofs,
verify the integrity of the transparency log, or retrieve entries
by either public key or artifact.
Rekor fulfils the signature transparency role of sigstore's software
signing infrastructure. However, Rekor can be run on its own and is
designed to be extensible to working with different manifest schemas and
PKI tooling.
WWW: https://www.sigstore.dev/
Service for issuing RFC 3161 timestamps
Trusted timestamping is a process that has been around for some time. It
provides a timestamp record of when a document was created or modified.
A timestamp authority creates signed timestamps using public key
infrastructure. The operator of the timestamp authority must secure the
signing key material to prevent unauthorized timestamp signing.
A timestamp authority should also verify its own clock. We provide a
configuration to periodically check the current time against well-known
NTP sources.
WWW: https://sigstore.dev/
General transparency
Trillian is an implementation of the concepts described in the
Verifiable Data Structures white paper, which in turn is an extension
and generalisation of the ideas which underpin Certificate Transparency.
Trillian implements a Merkle tree whose contents are served from a data
storage layer, to allow scalability to extremely large trees. On top of
this Merkle tree, Trillian provides the following:
- An append-only Log mode, analogous to the original Certificate
Transparency logs. In this mode, the Merkle tree is effectively filled
up from the left, giving a dense Merkle tree.
Note that Trillian requires particular applications to provide their own
personalities on top of the core transparent data store functionality.
WWW: https://github.com/google/trillian
Framework for Securing Software
The Update Framework (TUF) is a framework for secure content delivery
and updates. It protects against various types of supply chain attacks
and provides resilience to compromise.
The Update Framework (TUF) design helps developers maintain the security
of a software update system, even against attackers that compromise the
repository or signing keys. TUF provides a flexible specification
defining functionality that developers can use in any software update
system or re-implement to fit their needs.
WWW: https://theupdateframework.io
Signing OCI containers and other artifacts using Sigstore
Cosign aims to make signatures invisible infrastructure.
Cosign supports:
- "Keyless signing" with the Sigstore public good Fulcio certificate
authority and Rekor transparency log (default)
- Hardware and KMS signing
- Signing with a cosign generated encrypted private/public keypair
- Container Signing, Verification and Storage in an OCI registry.
- Bring-your-own PKI
WWW: https://github.com/sigstore/cosign
python-jose provides a JOSE implementation in Python.
The JavaScript Object Signing and Encryption (JOSE) technologies - JSON Web
Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), and JSON Web
Algorithms (JWA) - collectively can be used to encrypt and/or sign content using
a variety of algorithms. While the full set of permutations is extremely large,
and might be daunting to some, it is expected that most applications will only
use a small set of algorithms to meet their needs.