# Install xml-security-c with Homebrew, apt, dnf, MacPorts, Nix, zypper

Implementation of primary security standards for XML. Version 3.0.0 via Homebrew; verified 2026-06-22.

## Install

```sh
sudo av install brew:xml-security-c
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install xml-security-c
```

  Evidence: local Homebrew formula metadata

- MacPorts (94%):

```sh
sudo port install xml-security-c
```

  Evidence: MacPorts ports tree: security/xml-security-c/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1

### Linux

- Debian apt (92%):

```sh
sudo apt install libxml-security-c-dev
```

  Evidence: Debian stable package indexes: libxml-security-c-dev from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz

- dnf (92%):

```sh
sudo dnf install xml-security-c
```

  Evidence: Fedora Rawhide package metadata: xml-security-c from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst

- Nix (92%):

```sh
nix profile install nixpkgs#xml-security-c
```

  Evidence: nixpkgs package indexes: pkgs/by-name/xm/xml-security-c/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

- zypper (92%):

```sh
sudo zypper install libxml-security-c-devel
```

  Evidence: openSUSE Tumbleweed package metadata: libxml-security-c-devel from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst

## Package facts

- **Package key:** brew:xml-security-c
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/xml-security-c>
- **Version:** 3.0.0
- **Source summary:** Implementation of primary security standards for XML
- **Homepage:** <https://santuario.apache.org/>
- **Repository:** <https://svn.apache.org/repos/asf/santuario/xml-security-cpp/trunk>
- **Upstream docs:** <https://santuario.apache.org/>
- **License:** Apache-2.0
- **Source archive:** <https://shibboleth.net/downloads/xml-security-c/3.0.0/xml-security-c-3.0.0.tar.bz2>
- **Last updated:** 2026-06-22T14:06:41-07:00
- **Generated:** 2026-07-08T18:08:21+00:00

## Executables

- xsec-c14n (cli)
- xsec-checksig (cli)
- xsec-cipher (cli)
- xsec-siginf (cli)
- xsec-templatesign (cli)
- xsec-txfmout (cli)
- xsec-xtest (cli)
- xsec-c14n (alias)
- xsec-checksig (alias)
- xsec-cipher (alias)
- xsec-siginf (alias)
- xsec-templatesign (alias)
- xsec-txfmout (alias)
- xsec-xtest (alias)

## Dependencies

- openssl@3
- xerces-c

## Build dependencies

- pkgconf

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, arm64_ventura, sonoma, ventura, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 3.0.0
- Package-manager updated: 2026-06-22
- Local data: ok
- Upstream repository: https://santuario.apache.org/
- info: Release/tag comparison is only available for GitHub repositories.
## Project history and usage

Apache XML Security for C++ was the C++ implementation in Apache Santuario, providing XML Digital Signature and XML Encryption support plus command-line tools such as checksig, c14n, cipher, and template signing helpers. As of 2024, Apache has frozen and officially retired the C++ code because of long-term maintainer scarcity.

### Project history

Apache Santuario's history starts with a Java XML Signature effort at the University of Siegen in 1999-2001, which was later placed under the Apache Software Foundation. The C++ library was added later: the official history says it began on SourceForge and migrated into the XML-Security project in early 2003.

The C++ library implemented XML Digital Signature and XML Encryption specifications and used Xerces-C for XML parsing, optional Xalan-C for XPath/XSLT transforms, and OpenSSL for cryptographic functionality through a wrapper layer. The C++ overview stresses that XML Signature and Encryption are complex and hard to implement securely, and warns that generic support for features such as XPath and XSLT increases risk.

Apache Santuario became a top-level project in 2006 and included both Java and C++ libraries. Over time the Java library remained the main supported implementation, while C++ maintenance became concentrated in downstream users, especially the Shibboleth Project.

The 2.0.0 C++ release in 2018 was a major upgrade focused on refactoring and removing deprecated APIs rather than adding large features. Later 2.0.x releases addressed crash bugs and OpenSSL compatibility, with 2.0.4 in 2021 correcting support for OpenSSL versions earlier than 1.1 after a 2.0.3 regression.

### Adoption history

The package's practical adoption was strongest in infrastructure that needed C++ XML signature verification or encryption rather than Java APIs. Apache's current C++ page explicitly identifies the Shibboleth Project as the source of current manpower and says the transferred code is maintained by Shibboleth because it is a dependency of that software.

The library's security advisories are part of its adoption story. Apache published C++ advisories for issues such as signature bypass, XPointer stack overflow, HMAC denial-of-service/hash-length bypass, InclusiveNamespace heap overflow, and 2011 large-key buffer overflows. That history matters because XML Signature processing sits directly on trust boundaries.

In 2024, Apache announced retirement of the C++ code after discussion by the Santuario PMC. The current site says the code is frozen at Apache, transferred to Shibboleth for a period, and not supported for third-party use, while the Java Santuario code remains supported.

### How it is used

Library users embedded it to create and validate XML signatures, encrypt or decrypt XML, canonicalize XML, and process signature transforms. Programming examples initialize Xerces, optionally Xalan, and XSEC, then create or load DSIGSignature objects through XSECProvider.

Command-line package users encounter the tool side: xsec-checksig for signature checking, xsec-c14n for canonicalization, xsec-cipher for encryption/decryption workflows, and template/signature information helpers. These tools are useful for testing and operations around XML security artifacts, but the upstream documentation now cautions strongly against new third-party application use.

### Why package nerds care

xml-security-c is significant because it packages standards-heavy security machinery into a native C++ library plus CLI tools. Its dependency stack, optional transform support, security advisories, and retirement notice all show why security packages are not just version numbers: maintainer availability and threat-model fit are part of the package's meaning.

It is also a case study in downstream-driven survival. The formula can still exist for legacy users, but upstream's own position has shifted from general-purpose Apache library to frozen code maintained elsewhere for a specific dependent ecosystem.

### Timeline

- 1999-2001: University of Siegen XML Signature work led to the original Apache XML Security Java library.
- Early 2003: XML Security C++ migrated from SourceForge into the Apache XML-Security project.
- 2006: XML-Security became the Apache Santuario top-level project.
- 2013: Apache issued multiple Santuario XML Security for C++ advisories affecting versions before 1.7.1.
- 2018-06: Apache XML Security for C++ 2.0.0 released as a refactoring/API cleanup major release.
- 2021-11: Version 2.0.4 released to fix a regression affecting pre-OpenSSL-1.1 builds.
- 2024-03: Apache announced the C++ code would be frozen and retired because of lack of support.
- 2024-07: Apache site noted the C++ library was officially retired and migrated as a fork to the Shibboleth Project.

### Related projects

- Related projects and standards include Apache Santuario for Java, W3C XML Signature, W3C XML Encryption, Xerces-C, Xalan-C, OpenSSL, NSS, Windows CryptoAPI, XKMS, and the Shibboleth Project.

### Sources

- <https://santuario.apache.org/>
- <https://santuario.apache.org/cindex.html>
- <https://santuario.apache.org/cinstallation.html>
- <https://santuario.apache.org/cprogramming.html>
- <https://santuario.apache.org/history.html>
- <https://santuario.apache.org/oldnews.html>
- <https://santuario.apache.org/secadv.html>
- <https://svn.apache.org/repos/asf/santuario/xml-security-cpp/trunk/>
- <https://svn.apache.org/repos/asf/santuario/xml-security-cpp/trunk/xml-security-c.spec>


## Security Notes

narrow executable package without higher-risk signals.

- **Geiger risk:** green / low
- narrow executable package without higher-risk signals

## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** xml-security-c
- **Version Scheme:** 0
- **Revision:** 0
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** stable

## Other Package-Manager Records

- Debian apt - libxml-security-c-dev - 3.0.0-2: normalized package name match | Debian stable package indexes: libxml-security-c-dev from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | C++ library for XML Digital Signatures (development) | https://www.shibboleth.net/
- Debian apt - libxml-security-c30 - 3.0.0-2: normalized package name match | Debian stable package indexes: libxml-security-c30 from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | C++ library for XML Digital Signatures (runtime) | https://www.shibboleth.net/
- Debian apt - xml-security-c-utils - 3.0.0-2: normalized package name match | Debian stable package indexes: xml-security-c-utils from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | C++ library for XML Digital Signatures (utilities) | https://www.shibboleth.net/
- Nix - xml-security-c: normalized package name match | nixpkgs package indexes: pkgs/by-name/xm/xml-security-c/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- Ubuntu apt - libxml-security-c-dev - 2.0.4-2build2: normalized package name match | Ubuntu 24.04 LTS package indexes: libxml-security-c-dev from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | C++ library for XML Digital Signatures (development) | https://santuario.apache.org/cindex.html
- Ubuntu apt - libxml-security-c20 - 2.0.4-2build2: normalized package name match | Ubuntu 24.04 LTS package indexes: libxml-security-c20 from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | C++ library for XML Digital Signatures (runtime) | https://santuario.apache.org/cindex.html
- Ubuntu apt - xml-security-c-utils - 2.0.4-2build2: normalized package name match | Ubuntu 24.04 LTS package indexes: xml-security-c-utils from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | C++ library for XML Digital Signatures (utilities) | https://santuario.apache.org/cindex.html
- dnf - xml-security-c - 2.0.4-8.fc43: normalized package name match | Fedora Rawhide package metadata: xml-security-c from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst | C++ Implementation of W3C security standards for XML | http://santuario.apache.org/cindex.html
- dnf - xml-security-c-devel - 2.0.4-8.fc43: normalized package name match | Fedora Rawhide package metadata: xml-security-c-devel from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst | Development files for xml-security-c | http://santuario.apache.org/cindex.html
- zypper - libxml-security-c-devel - 3.0.0-1.5: normalized package name match | openSUSE Tumbleweed package metadata: libxml-security-c-devel from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | Development files for the Apache C++ XML security library | https://shibboleth.net
- zypper - libxml-security-c30 - 3.0.0-1.5: normalized package name match | openSUSE Tumbleweed package metadata: libxml-security-c30 from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | Apache XML security C++ library | https://shibboleth.net
- zypper - xml-security-c-bin - 3.0.0-1.5: normalized package name match | openSUSE Tumbleweed package metadata: xml-security-c-bin from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | Utilities for XML security C++ library | https://shibboleth.net
- MacPorts - xml-security-c: normalized package name match | MacPorts ports tree: security/xml-security-c/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1


## Related links

- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Text processing packages](https://www.automicvault.com/pkg/text-processing-tools/) - Matched text, document, or structured-data processing metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [openssl@3](https://www.automicvault.com/pkg/brew/openssl-3/) - Runtime dependency declared by Homebrew.
- [xerces-c](https://www.automicvault.com/pkg/brew/xerces-c/) - Runtime dependency declared by Homebrew.
- [pkgconf](https://www.automicvault.com/pkg/brew/pkgconf/) - Build dependency declared by Homebrew.
- [opensaml](https://www.automicvault.com/pkg/brew/opensaml/) - Popular package that depends on this formula.
- [shibboleth-sp](https://www.automicvault.com/pkg/brew/shibboleth-sp/) - Popular package that depends on this formula.
- [xmlsectool](https://www.automicvault.com/pkg/brew/xmlsectool/) - Shares av.db curated category or tags: cli, security, xml, xml-security.
- [botan](https://www.automicvault.com/pkg/brew/botan/) - Shares av.db curated category or tags: c-plus-plus, cli, security.
- [libxmlsec1](https://www.automicvault.com/pkg/brew/libxmlsec1/) - Shares av.db curated category or tags: cli, security, xml, xml-encryption, xml-security.
- [rnp](https://www.automicvault.com/pkg/brew/rnp/) - Shares av.db curated category or tags: c-plus-plus, cli, security.
- [aide](https://www.automicvault.com/pkg/brew/aide/) - Shares av.db curated category or tags: cli, security.
- [aircrack-ng](https://www.automicvault.com/pkg/brew/aircrack-ng/) - Shares av.db curated category or tags: cli, security.
- [amass](https://www.automicvault.com/pkg/brew/amass/) - Shares av.db curated category or tags: cli, security.
- [anubis](https://www.automicvault.com/pkg/brew/anubis/) - Shares av.db curated category or tags: cli, security.

## Combined YAML source

View the package source record on GitHub. [combined/xml-security-c.yml](https://github.com/automic-vault/db/blob/main/combined/xml-security-c.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
