macOS
brew install xml-security-clocal Homebrew formula metadata
sudo port install xml-security-cMacPorts ports tree · security/xml-security-c/Portfile · ソース: api.github.com
brew
xml-security-c のインストール経路、実行ファイル、メタデータ、AI エージェント向けセキュリティノートを確認します。
インストール
brew install xml-security-clocal Homebrew formula metadata
sudo port install xml-security-cMacPorts ports tree · security/xml-security-c/Portfile · ソース: api.github.com
sudo dnf install xml-security-cFedora Rawhide package metadata · xml-security-c · ソース: dl.fedoraproject.org
nix profile install nixpkgs#xml-security-cnixpkgs package indexes · pkgs/by-name/xm/xml-security-c/package.nix · ソース: api.github.com
sudo apt install libxml-security-c-devDebian stable package indexes · libxml-security-c-dev · ソース: deb.debian.org
sudo zypper install libxml-security-c-developenSUSE Tumbleweed package metadata · libxml-security-c-devel · ソース: download.opensuse.org
概要
Implementation of primary security standards for XML
履歴
Apache XML Security for C++ was the C++ implementation in Apache Santuario, providing XML Digital Signature and XML Encryption support plus command-line tools such as checksig, c14n, cipher, and template signing helpers. As of 2024, Apache has frozen and officially retired the C++ code because of long-term maintainer scarcity.
Apache Santuario's history starts with a Java XML Signature effort at the University of Siegen in 1999-2001, which was later placed under the Apache Software Foundation. The C++ library was added later: the official history says it began on SourceForge and migrated into the XML-Security project in early 2003.
The C++ library implemented XML Digital Signature and XML Encryption specifications and used Xerces-C for XML parsing, optional Xalan-C for XPath/XSLT transforms, and OpenSSL for cryptographic functionality through a wrapper layer. The C++ overview stresses that XML Signature and Encryption are complex and hard to implement securely, and warns that generic support for features such as XPath and XSLT increases risk.
Apache Santuario became a top-level project in 2006 and included both Java and C++ libraries. Over time the Java library remained the main supported implementation, while C++ maintenance became concentrated in downstream users, especially the Shibboleth Project.
The 2.0.0 C++ release in 2018 was a major upgrade focused on refactoring and removing deprecated APIs rather than adding large features. Later 2.0.x releases addressed crash bugs and OpenSSL compatibility, with 2.0.4 in 2021 correcting support for OpenSSL versions earlier than 1.1 after a 2.0.3 regression.
The package's practical adoption was strongest in infrastructure that needed C++ XML signature verification or encryption rather than Java APIs. Apache's current C++ page explicitly identifies the Shibboleth Project as the source of current manpower and says the transferred code is maintained by Shibboleth because it is a dependency of that software.
The library's security advisories are part of its adoption story. Apache published C++ advisories for issues such as signature bypass, XPointer stack overflow, HMAC denial-of-service/hash-length bypass, InclusiveNamespace heap overflow, and 2011 large-key buffer overflows. That history matters because XML Signature processing sits directly on trust boundaries.
In 2024, Apache announced retirement of the C++ code after discussion by the Santuario PMC. The current site says the code is frozen at Apache, transferred to Shibboleth for a period, and not supported for third-party use, while the Java Santuario code remains supported.
Library users embedded it to create and validate XML signatures, encrypt or decrypt XML, canonicalize XML, and process signature transforms. Programming examples initialize Xerces, optionally Xalan, and XSEC, then create or load DSIGSignature objects through XSECProvider.
Command-line package users encounter the tool side: xsec-checksig for signature checking, xsec-c14n for canonicalization, xsec-cipher for encryption/decryption workflows, and template/signature information helpers. These tools are useful for testing and operations around XML security artifacts, but the upstream documentation now cautions strongly against new third-party application use.
xml-security-c is significant because it packages standards-heavy security machinery into a native C++ library plus CLI tools. Its dependency stack, optional transform support, security advisories, and retirement notice all show why security packages are not just version numbers: maintainer availability and threat-model fit are part of the package's meaning.
It is also a case study in downstream-driven survival. The formula can still exist for legacy users, but upstream's own position has shifted from general-purpose Apache library to frozen code maintained elsewhere for a specific dependent ecosystem.
セキュリティ状態
narrow executable package without higher-risk signals.
リスク グリーン · 信頼度 低 · appliance
エージェントに無人実行させる前に、このツールが平文の認証情報を読むか、リモート状態を書き込むか、成果物を公開するか、プラグインを起動するかを確認してください。
実行可能ファイル
| コマンド | 種類 | 公開範囲 | メモ |
|---|---|---|---|
xsec-c14n | cli | グローバル実行可能ファイル | |
xsec-checksig | cli | グローバル実行可能ファイル | |
xsec-cipher | cli | グローバル実行可能ファイル | |
xsec-siginf | cli | グローバル実行可能ファイル | |
xsec-templatesign | cli | グローバル実行可能ファイル | |
xsec-txfmout | cli | グローバル実行可能ファイル | |
xsec-xtest | cli | グローバル実行可能ファイル |
鮮度
これらの信号は、ページ生成時期、パッケージマネージャの活動、上流リリース比較を分けて示します。バージョン遅れは、証拠 URL と比較可能なバージョンがある場合だけ警告されます。
インストールメタデータ
| パッケージキー | brew:xml-security-c |
|---|---|
| バージョン | 3.0.0 |
| パッケージマネージャ | Homebrew |
| パッケージマネージャページ | https://formulae.brew.sh/formula/xml-security-c |
| ホームページ | https://santuario.apache.org/ |
| リポジトリ | https://svn.apache.org/repos/asf/santuario/xml-security-cpp/trunk |
| 上流ドキュメント | https://santuario.apache.org/ |
| ライセンス | Apache-2.0 |
| ソースアーカイブ | https://shibboleth.net/downloads/xml-security-c/3.0.0/xml-security-c-3.0.0.tar.bz2 |
| 最終更新 | 2026-06-22T14:06:41-07:00 |
| Pulse | updated |
| 依存関係 | openssl@3, xerces-c |
| ビルド依存関係 | pkgconf |
| Bottle | 利用可能 (対象 arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, arm64_ventura, sonoma, ventura, x86_64_linux) |
| Homebrew post-install | 未定義 |
| サービス | 宣言なし |
レジストリ情報
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | xml-security-c |
| Version Scheme | 0 |
| Revision | 0 |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
ソースデータベース一致
一致は外部パッケージマネージャインデックスから取得され、ローカルの Automic Vault パッケージリンクとは分けて表示されます。
libxml-security-c-dev 3.0.0-2
C++ library for XML Digital Signatures (development)
sudo apt install libxml-security-c-devlibxml-security-c30 3.0.0-2
C++ library for XML Digital Signatures (runtime)
sudo apt install libxml-security-c30xml-security-c-utils 3.0.0-2
C++ library for XML Digital Signatures (utilities)
sudo apt install xml-security-c-utilsxml-security-c
nix profile install nixpkgs#xml-security-clibxml-security-c-dev 2.0.4-2build2
C++ library for XML Digital Signatures (development)
https://santuario.apache.org/cindex.html
sudo apt install libxml-security-c-devlibxml-security-c20 2.0.4-2build2
C++ library for XML Digital Signatures (runtime)
https://santuario.apache.org/cindex.html
sudo apt install libxml-security-c20xml-security-c-utils 2.0.4-2build2
C++ library for XML Digital Signatures (utilities)
https://santuario.apache.org/cindex.html
sudo apt install xml-security-c-utilsxml-security-c 2.0.4-8.fc43
C++ Implementation of W3C security standards for XML
http://santuario.apache.org/cindex.html
sudo dnf install xml-security-cxml-security-c-devel 2.0.4-8.fc43
Development files for xml-security-c
http://santuario.apache.org/cindex.html
sudo dnf install xml-security-c-devellibxml-security-c-devel 3.0.0-1.5
Development files for the Apache C++ XML security library
sudo zypper install libxml-security-c-devellibxml-security-c30 3.0.0-1.5
Apache XML security C++ library
sudo zypper install libxml-security-c30xml-security-c-bin 3.0.0-1.5
Utilities for XML security C++ library
sudo zypper install xml-security-c-binxml-security-c
sudo port install xml-security-cソース経路
このページは scripts/generate-pkg-sqlite.py が生成した非公開のパッケージ SQLite アーティファクトから av-web によって提供されます。
View the package source record on GitHub.