Affected by GO-2026-4671 and 2 other vulnerabilities

GO-2026-4671: Quill vulnerable to SSRF via unvalidated URL from Apple notarization log retrieval in github.com/anchore/quill

GO-2026-4672: Quill has DoS via unbounded read of HTTP response body during notarization in github.com/anchore/quill

GO-2026-4675: Quill has unbounded memory allocation via unvalidated size fields in Mach-O binary parsing in github.com/anchore/quill

quill

module

v0.1.0 Latest Latest Go to latest Published: Oct 15, 2022 License: Apache-2.0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/anchore/quill

Links

Open Source Insights

README ¶

Quill

Simple mac binary signing from any platform. This can replace the mac codesign utility for simple use cases.

# show signing information embedded in a macho-formatted (darwin) binary
$ quill show <path/to/binary>

# Do "ad-hoc" signing of the binary (same as codesign --force -s - <binary>)
# note: there is no crytographic signing info with this option!
$ quill sign <path/to/binary>

# sign the binary (this is probably what you want)
$ quill sign <path/to/binary> --key <path/to/PEM/key> --cert <path/to/PEM/cert>

Not supported

interacting with the keychain
multiple code directories / multiple digest hashes

TODO

unit tests
codesign comparison tests
ad-hoc signing entrypoint
allow for cert chain to be provided and verified
fix: code signature offset for larger binaries
add signing requirements derived from cert chain input
add signing requirements from user input
add signing entitlements from usr input
add support for universal binaries (partially done, needs to wrap the signing function)
Check that input 509 certs have the v3 extensions necessary for codesigning
Support pkcs12 envelopes instead of key + cert + chain input

Future opportunities

could this also perform notarization? yes https://developer.apple.com/documentation/notaryapi/submitting_software_for_notarization_over_the_web
could we add windows signing support?

Directories ¶

Path	Synopsis
cmd
quill command
quill/cli
quill/cli/application
quill/cli/commands
quill/cli/options
internal
bus Package bus provides access to a singleton instance of an event bus (provided by the calling application).	Package bus provides access to a singleton instance of an event bus (provided by the calling application).
eventloop
log Package log contains the singleton object and helper functions for facilitating logging within the library.	Package log contains the singleton object and helper functions for facilitating logging within the library.
test
ui
ui/handle
ui/loggerui
ui/tui/bubbles/prompt
utils
version Package version contains all build time metadata (version, build time, git commit, etc).	Package version contains all build time metadata (version, build time, git commit, etc).
quill
event Package event provides event types for all events that the library published onto the event bus.	Package event provides event types for all events that the library published onto the event bus.
event/monitor
event/parser Package parsers provides parser helpers to extract payloads for each event type that the library publishes onto the event bus.	Package parsers provides parser helpers to extract payloads for each event type that the library publishes onto the event bus.
extract
macho
notary
pem
sign

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL