[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-81937":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":14,"subscribersCount":14,"size":14,"stars1d":14,"stars7d":12,"stars30d":12,"stars90d":14,"forks30d":14,"starsTrendScore":14,"compositeScore":15,"rankGlobal":9,"rankLanguage":9,"license":9,"archived":16,"fork":16,"defaultBranch":17,"hasWiki":18,"hasPages":16,"topics":19,"createdAt":9,"pushedAt":9,"updatedAt":20,"readmeContent":21,"aiSummary":22,"trendingCount":14,"starSnapshotCount":14,"syncStatus":23,"lastSyncTime":24,"discoverSource":25},81937,"rocei_cli","hofill\u002Frocei_cli","hofill","CLI for signing documents with ROeID.",null,"C",24,1,23,0,0.9,false,"main",true,[],"2026-06-12 02:04:21","# rocei\n\nSign PDFs and files with the Romanian eID card on macOS\u002FLinux. **No IDPlugManager needed.**\n\nTalks directly to the card over PC\u002FSC. The private key never leaves the chip.\n\n> **Note:** Only tested on macOS. Linux and Windows builds are provided by AI but have not been verified against real hardware.\n\n---\n\n## Install (macOS)\n\n```bash\nbrew tap hofill\u002Frocei\nbrew install --HEAD hofill\u002Frocei\u002Frocei\n```\n\nFor PDF signing, also install the Python dependencies:\n\n```bash\npip install -r $(brew --prefix rocei)\u002Flibexec\u002Frequirements.txt\n```\n\n---\n\n## What's in here\n\n```\nrocei_pkcs11\u002F   PKCS#11 module — drop-in for any PKCS#11-aware app\nrocei_cli\u002F      CLI tool — sign files, read identity data\nrocei_sign.py   PDF signer (pyHanko)\n```\n\n---\n\n## Build\n\n### macOS \u002F Linux\n\n```bash\n# PKCS#11 module\ncd rocei_pkcs11 && make\n\n# CLI\ncd rocei_cli && make\n```\n\n**macOS** needs Xcode command-line tools (ships with clang + PC\u002FSC).  \n**Linux** needs `libpcsclite-dev`, `libssl-dev`, and `pkg-config`.\n\n### Python PDF signer\n\n```bash\npip install -r requirements.txt\n```\n\n---\n\n## Usage\n\n### CLI\n\n```bash\n.\u002Frocei list                    # list card objects\n.\u002Frocei sign document.pdf       # → signed_document.pdf\n.\u002Frocei sign --place doc.pdf    # pick signature placement in browser, then sign\n.\u002Frocei read-cert               # dump signing cert (DER) to stdout\n.\u002Frocei read-id                 # read identity data (prompts for 4-digit PIN)\n.\u002Frocei sign contract.txt       # → contract.txt.token\n.\u002Frocei sign --no-x5c file.txt  # omit cert from token\n.\u002Frocei sign --embed file.txt   # embed file contents in token payload\n.\u002Frocei sign-hash \u003Chex>         # sign a raw hash, print base64url signature\n```\n\nNon-PDF files get a `.token` — a compact JWT-like structure:\n\n```\n\u003Cbase64url(header)>.\u003Cbase64url(payload)>.\u003Cbase64url(signature)>\n```\n\nHeader includes `alg: ES384` and the signing cert (`x5c`).  \nPayload includes the filename, SHA-256 hash, and timestamp.  \nSignature is 96-byte raw ECDSA P-384 r‖s.\n\nPDF signing also supports `--place`, which opens a browser tab where you can drag a box to choose exactly where the signature stamp appears:\n\n```bash\n.\u002Frocei sign --place document.pdf\n```\n\n### Use as a PKCS#11 library\n\n```python\nimport pkcs11\nfrom pyhanko.sign.pkcs11 import PKCS11Signer\n\nlib = pkcs11.lib(\"rocei_pkcs11\u002Frocei_pkcs11.dylib\")\nsession = lib.get_slots(token_present=True)[0].get_token().open(user_pin=\"YOUR_PIN\")\n\nsigner = PKCS11Signer(\n    pkcs11_session=session,\n    cert_label=\"Certificate ECC Advanced Signature\",\n    key_label=\"Private Key ECC Advanced Signature\",\n)\n```\n\n---\n\n## Environment variables\n\n### rocei_pkcs11\n\n| Variable | Default | Description |\n|----------|---------|-------------|\n| `ROCEI_DEBUG` | unset | Print every APDU |\n| `ROCEI_KEY_REF` | `0x8E` | Signing key reference |\n| `ROCEI_PIN_REF` | `0x05` | PIN reference |\n| `ROCEI_CERT_FID` | `0xCE8E` | Certificate EF file ID |\n| `ROCEI_SIGN_APP` | `pki` | Set to `qscd` to use the ESIGN applet |\n\n### rocei_cli\n\n| Variable | Description |\n|----------|-------------|\n| `ROCEI_PIN` | Signing PIN (skips prompt) |\n| `ROCEI_DATA_PIN` | Data PIN for `read-id` |\n| `ROCEI_SIGN_PY` | Path to `rocei_sign.py` |\n\n---\n\n## macOS: smart card conflict\n\nmacOS grabs exclusive PC\u002FSC access when a card is inserted. Both tools handle this automatically. If you still see `SCARD_E_SHARING_VIOLATION`:\n\n```bash\nsudo pkill -x ctkd ctkahp\n```\n\n---\n\n## Legal\n\nClean-room implementation — no IDEMIA source code used. Protocol derived by reverse-engineering `libidplug-pkcs11.dylib` (permitted for interoperability under EU Directive 2009\u002F24\u002FEC Art. 6).\n\nPKCS#11 headers are from the OASIS standard — see `include\u002F` for their license.\n\nReverse engineering and implementation were performed by the author with AI-assisted tooling.\n","rocei_cli 是一个用于通过罗马尼亚电子身份证（ROeID）签署文档的命令行工具。它直接与智能卡通过PC\u002FSC协议通信，确保私钥始终保留在芯片内，从而提供高安全性。项目包括PKCS#11模块和CLI工具，支持PDF和其他文件类型的签名，并允许用户在浏览器中选择签名位置。适用于需要使用ROeID进行安全文档签名的场景，特别是在macOS环境下。目前主要在macOS上进行了测试，Linux版本尚未经过实际硬件验证。",2,"2026-06-11 04:07:16","CREATED_QUERY"]