Obtain the Apache Santuario™ distribution

The Apache Santuario™ project aims to provide implementations of the primary security standards for XML. Two libraries are currently available.

  • Apache XML Security for Java - This library includes a mature Digital Signature and Encryption implementation. It also includes the standard JSR 105 (Java XML Digital Signature) API. Applications can use the standard JSR 105 API or the Apache Santuario API to create and validate XML Signatures.
  • Apache XML Security for C++ - This library includes a mature Digital Signature and Encryption implementation using a proprietary C++ API on top of the Xerces-C XML Parser's DOM API. It includes a pluggable cryptographic layer, but support for alternatives to OpenSSL is less complete and less mature.

How to download

Use the links below to download a distribution of Apache Santuario from one of our mirrors. It is good practice to verify the integrity of the distribution files. Apache Santuario releases are available under the Apache License, Version 2.0 - see the LICENSE.txt and NOTICE.txt files contained in each release artifact.

Current official release (closest mirror site selected automatically)

Archive of old releases

Older releases are available in the archive.

Verify releases

It is essential that you verify the integrity of the downloaded files using the PGP signatures. Digest verification ensures the file was not corrupted or tampered with but provides no real verification of authenticity. PGP verification ensures that the file is authentic. In practice, PGP verification is much more important and makes checksum verification redundant.

PGP Signature

The PGP signatures can be verified using PGP or GPG. First download the Apache Santuario KEYS as well as the *.asc signature file for the particular distribution. It is important that you get these files from the ultimate trusted source - the main ASF distribution site, rather than from a mirror. Then verify the signatures using:

% pgpk -a KEYS
% pgpv xml-security-bin-1_4_4.zip.asc
 or
% pgp -ka KEYS
% pgp xml-security-bin-1_4_4.zip.asc
 or
% gpg --import KEYS
% gpg --verify xml-security-bin-1_4_4.zip.asc

Checksums

To verify the SHA checksum on the files, you need to use a program called sha1sum (or sha256sum, etc.), which is included in many Unix distributions. It is also available as part of GNU Textutils. Windows users can get binary digest programs from here or an openssl client from here.

% sha1sum xml-security-X.Y.tar.gz
  ... output should match the string in xml-security-X.Y.tar.gz.sha1

We strongly recommend you verify your downloads with PGP.
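
The checks described under "Verify releases", combined into one script. This is an added example, not part of the Apache Santuario page or project. It goes one step beyond the commands above by comparing the signer's fingerprint with a value you supply (EXPECTED_FPR, read from KEYS); all function names are made up for illustration.

```shell
#!/bin/sh
# Added example: digest and signature check for one downloaded release file.

# digest_matches FILE DIGEST_FILE
# Chooses sha1sum/sha256sum/sha512sum from the length of the hex string in
# DIGEST_FILE ("<hex>" or "<hex>  <name>", any case) and compares it to FILE.
digest_matches() {
    want=$(tr 'A-F' 'a-f' < "$2" | grep -Eo '[0-9a-f]{40,128}' | head -n 1)
    case ${#want} in
        40)  tool=sha1sum ;;
        64)  tool=sha256sum ;;
        128) tool=sha512sum ;;
        *)   return 2 ;;   # no recognisable digest in DIGEST_FILE
    esac
    have=$("$tool" "$1" | cut -d ' ' -f 1)
    [ "$have" = "$want" ]
}

# valid_signer: reads `gpg --status-fd 1 --verify` output on stdin. Prints the
# primary-key fingerprint only when GOODSIG and VALIDSIG are both present, so
# signatures from expired or revoked keys (EXPKEYSIG, REVKEYSIG) are rejected.
valid_signer() {
    awk '$1 != "[GNUPG:]" { next }
         $2 == "GOODSIG"  { good = 1 }
         $2 == "VALIDSIG" { fpr = (NF >= 12 ? $12 : $3) }
         END { if (good && fpr != "") print fpr; else exit 1 }'
}

# verify_release FILE DIGEST_FILE SIG_FILE EXPECTED_FPR
# EXPECTED_FPR is an assumption: the release manager's fingerprint (40 hex
# digits, upper case, no spaces), read from the KEYS file fetched from the
# main ASF distribution site.
verify_release() {
    digest_matches "$1" "$2" || { echo "digest mismatch: $1" >&2; return 1; }
    signer=$(gpg --status-fd 1 --verify "$3" "$1" 2>/dev/null | valid_signer) ||
        { echo "no good signature on $1" >&2; return 1; }
    [ "$signer" = "$4" ] ||
        { echo "signed by unexpected key: $signer" >&2; return 1; }
    echo "OK: $1 signed by $signer"
}

# Run only when called with the four arguments.
if [ "$#" -eq 4 ]; then verify_release "$@"; fi
```

Import KEYS with gpg --import before running it; a signature from a key that is not in the keyring produces no GOODSIG line and is reported as a failure.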