authorMuhammad Moinur Rahman <bofh@FreeBSD.org>2025-05-04 18:18:07 +0200
committerMuhammad Moinur Rahman <bofh@FreeBSD.org>2025-05-04 20:44:55 +0200
commit0194e90af5fa5e54197bd75669353c500a756e18 (patch)
tree36ac4f46a961fb4eeedbca160ea205f56330020a
parentsecurity/certificate_maker: New port (diff)
security/timestamp-authority: New port
Service for issuing RFC 3161 timestamps Trusted timestamping is a process that has been around for some time. It provides a timestamp record of when a document was created or modified. A timestamp authority creates signed timestamps using public key infrastructure. The operator of the timestamp authority must secure the signing key material to prevent unauthorized timestamp signing. A timestamp authority should also verify its own clock. We provide a configuration to periodically check the current time against well-known NTP sources. WWW: https://sigstore.dev/
-rw-r--r--GIDs2
-rw-r--r--UIDs2
-rw-r--r--security/Makefile1
-rw-r--r--security/timestamp-authority/Makefile24
-rw-r--r--security/timestamp-authority/distinfo5
-rw-r--r--security/timestamp-authority/files/timestamp-authority.in46
-rw-r--r--security/timestamp-authority/pkg-descr10
-rw-r--r--security/timestamp-authority/pkg-plist3
8 files changed, 91 insertions, 2 deletions
diff --git a/GIDs b/GIDs
index f8128e130f0c..0a1dee381e46 100644
--- a/GIDs
+++ b/GIDs
@@ -803,7 +803,7 @@ opensearch:*:855:
# free: 859
plocate:*:860:
# free: 861
-# free: 862
+timestamp-authority:*:862:
trillian:*:863:
mediamtx:*:864:
z2m:*:865:
diff --git a/UIDs b/UIDs
index f955e875b8b2..c9d7563c7b37 100644
--- a/UIDs
+++ b/UIDs
@@ -809,7 +809,7 @@ opensearch:*:855:855::0:0:opensearch user:/nonexistent:/usr/sbin/nologin
# free: 859
# free: 860
# free: 861
-# free: 862
+timestamp-authority:*:862:862::0:0:Timestamp Authority:/nonexistent:/usr/sbin/nologin
trillian:*:863:863::0:0:trillian user:/nonexistent:/usr/sbin/nologin
mediamtx:*:864:864::0:0:mediamtx:/nonexistent:/usr/sbin/nologin
z2m:*:865:865::0:0:zigbee2mqtt:/usr/local/z2m:/usr/sbin/nologin
diff --git a/security/Makefile b/security/Makefile
index 79f43e290087..09b9edefdcc1 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -1354,6 +1354,7 @@
SUBDIR += testssl.sh
SUBDIR += tfhe
SUBDIR += theonionbox
+ SUBDIR += timestamp-authority
SUBDIR += tinc
SUBDIR += tinc-devel
SUBDIR += tinyca
diff --git a/security/timestamp-authority/Makefile b/security/timestamp-authority/Makefile
new file mode 100644
index 000000000000..b2282b914160
--- /dev/null
+++ b/security/timestamp-authority/Makefile
@@ -0,0 +1,24 @@
+PORTNAME= timestamp-authority
+DISTVERSIONPREFIX= v
+DISTVERSION= 1.2.6
+CATEGORIES= security
+
+MAINTAINER= bofh@FreeBSD.org
+COMMENT= Service for issuing RFC 3161 timestamps
+WWW= https://sigstore.dev/
+
+LICENSE= APACHE20
+LICENSE_FILE= ${WRKSRC}/LICENSE
+
+USES= go:1.24,modules
+USE_RC_SUBR= ${PORTNAME}
+
+GO_MODULE= github.com/sigstore/timestamp-authority
+GO_TARGET= ./cmd/fetch-tsa-certs \
+ ./cmd/timestamp-cli \
+ ./cmd/timestamp-server
+
+USERS= ${PORTNAME}
+GROUPS= ${PORTNAME}
+
+.include <bsd.port.mk>
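Review bot: `USE_RC_SUBR= ${PORTNAME}` installs the rc script as `timestamp-authority`, but files/timestamp-authority.in declares `PROVIDE: timestamp-server` and `name=timestamp-server`, so the script file, the rc.conf knobs and the account from `USERS`/`GROUPS` go by two different names; it would help to pick one or add a comment explaining the split. Nothing in the port creates the `etc/timestamp-authority/` directory that the script's `required_files` path points into, since pkg-plist lists only the three binaries. That directory will presumably hold the signing configuration the description says the operator must secure, so consider shipping it with restrictive ownership, for example `@dir(root,timestamp-authority,750) %%ETCDIR%%` in pkg-plist.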
diff --git a/security/timestamp-authority/distinfo b/security/timestamp-authority/distinfo
new file mode 100644
index 000000000000..c3840e7d5dd9
--- /dev/null
+++ b/security/timestamp-authority/distinfo
@@ -0,0 +1,5 @@
+TIMESTAMP = 1746365906
+SHA256 (go/security_timestamp-authority/timestamp-authority-v1.2.6/v1.2.6.mod) = c4aefce5738d70dd5cc0ee2a3556d3642d63b23ff348295668aec953dc417cb1
+SIZE (go/security_timestamp-authority/timestamp-authority-v1.2.6/v1.2.6.mod) = 7778
+SHA256 (go/security_timestamp-authority/timestamp-authority-v1.2.6/v1.2.6.zip) = a9fad76a867bc16dbd893a08d286c24eff93b49b00c64e8a051da58df5c154dc
+SIZE (go/security_timestamp-authority/timestamp-authority-v1.2.6/v1.2.6.zip) = 196254
diff --git a/security/timestamp-authority/files/timestamp-authority.in b/security/timestamp-authority/files/timestamp-authority.in
new file mode 100644
index 000000000000..dc39614451c1
--- /dev/null
+++ b/security/timestamp-authority/files/timestamp-authority.in
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+# PROVIDE: timestamp-server
+# REQUIRE: DAEMON
+# KEYWORD: shutdown
+#
+# Add the following lines to /etc/rc.conf.local or /etc/rc.conf
+# to enable this service:
+#
+# timestamp-server_enable (bool): Set it to YES to enable timestamp-server.
+# Default is "NO".
+# timestamp-server_user (user): Set user to run timestamp-server.
+# Default is "timestamp-server".
+# timestamp-server_group (group): Set group to run timestamp-server.
+# Default is "timestamp-server".
+# timestamp-server_config (file): Set timestamp-server config file.
+# Default is "%%PREFIX%%/etc/timestamp-server/timestamp-server.yaml".
+
+. /etc/rc.subr
+
+name=timestamp-server
+rcvar=timestamp-server_enable
+
+load_rc_config $name
+
+: ${timestamp-server_enable:="NO"}
+: ${timestamp-server_user:="timestamp-authority"}
+: ${timestamp-server_group:="timestamp-authority"}
+: ${timestamp-server_config:="%%PREFIX%%/etc/timestamp-authority/timestamp-server.yaml"}
+
+pidfile=/var/run/timestamp-server.pid
+procname="%%PREFIX%%/bin/timestamp-server"
+command="/usr/sbin/daemon"
+command_args="-f -t ${name} -p ${pidfile} ${procname} serve -config=${timestamp-server_config}"
+
+start_precmd=timestamp-server_startprecmd
+required_files="$timestamp-server_config"
+
+timestamp-server_startprecmd()
+{
+ if [ ! -e ${pidfile} ]; then
+ install -o ${timestamp-server_user} -g ${timestamp-server_group} /dev/null ${pidfile};
+ fi
+}
+
+run_rc_command "$1"
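Review bot: The rc.conf knobs are spelled with a hyphen (`timestamp-server_enable`, `timestamp-server_user`, and so on), which is not a valid sh variable name. `${timestamp-server_user}` is read as the parameter `timestamp` with the default word `server_user`, so none of the `: ${...:=...}` defaults are assigned, and `rcvar`, `required_files` and the `install -o/-g` arguments expand to something other than intended. In practice the drop to the unprivileged `timestamp-authority` account and the config-file check probably never take effect as written. Using an underscore form for `name` fixes every derived variable. The header comment also gives the default user, group and config directory as `timestamp-server`, while the code defaults to `timestamp-authority`, so the comment should be brought in line.

```sh
name=timestamp_server
rcvar=timestamp_server_enable

load_rc_config $name

: ${timestamp_server_enable:="NO"}
: ${timestamp_server_user:="timestamp-authority"}
: ${timestamp_server_group:="timestamp-authority"}
: ${timestamp_server_config:="%%PREFIX%%/etc/timestamp-authority/timestamp-server.yaml"}

# … unchanged: pidfile, procname, command …
command_args="-f -t ${name} -p ${pidfile} ${procname} serve -config=${timestamp_server_config}"

start_precmd=timestamp_server_startprecmd
required_files="${timestamp_server_config}"

timestamp_server_startprecmd()
{
	if [ ! -e "${pidfile}" ]; then
		install -o "${timestamp_server_user}" -g "${timestamp_server_group}" /dev/null "${pidfile}"
	fi
}
```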
diff --git a/security/timestamp-authority/pkg-descr b/security/timestamp-authority/pkg-descr
new file mode 100644
index 000000000000..7160e019b0ea
--- /dev/null
+++ b/security/timestamp-authority/pkg-descr
@@ -0,0 +1,10 @@
+Trusted timestamping is a process that has been around for some time. It
+provides a timestamp record of when a document was created or modified.
+
+A timestamp authority creates signed timestamps using public key
+infrastructure. The operator of the timestamp authority must secure the
+signing key material to prevent unauthorized timestamp signing.
+
+A timestamp authority should also verify its own clock. We provide a
+configuration to periodically check the current time against well-known
+NTP sources.
diff --git a/security/timestamp-authority/pkg-plist b/security/timestamp-authority/pkg-plist
new file mode 100644
index 000000000000..7462fe7c3956
--- /dev/null
+++ b/security/timestamp-authority/pkg-plist
@@ -0,0 +1,3 @@
+bin/fetch-tsa-certs
+bin/timestamp-cli
+bin/timestamp-server