
Git has long allowed its users to sign commits using GPG.

If we want instead to sign commits using X.509 certificates and S/MIME, there's the smimesign utility, which runs smoothly under Windows and Mac.

However, under Linux things get messier, especially if we want to use a cryptographic token. It seems that if we want to use an X.509 certificate stored in a PIV card, for example, to sign commits, we need to use some heavy workarounds (workarounds that involve using gnupg, gpgsm, gpg-agent, scdaemon, gnupg-pkcs11-scd, etc.) in order to make it happen.

Is there a simple (simple to deploy in a corporate environment) known way to sign Git commits using something like PKCS#11 under Linux?

Ryan B.
  • I did manage to sign commits with `gpgsm`, basically following [this blog post](https://enjoi.dev/posts/2021-09-30-signing-git-commits-using-s-mime-x509-certificates/). This was with a certificate exported from Entrust, not stored on a security key though... – philb May 31 '22 at 00:53
  • Yes, it's quite easy and straightforward to use an exported PFX certificate. However, when using a security token other than an OpenPGP-compatible card (PIV card, Yubikey, etc.) it gets way messier. – Ryan B. May 31 '22 at 08:52
  • I will also support @RyanB. I also have a token with a key pair/certificate and want to use it. The mentioned paths don't route me to useful results. – Alexander Jun 22 '22 at 12:07
  • @Alexander I'm starting to think the only way is to create a fork of the smimesign utility under Linux. Anyone interested? – Ryan B. Jun 23 '22 at 21:06
  • I'll try to join and help you. – Alexander Jun 28 '22 at 06:57
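Added example (not part of the question, its comments, or the smimesign/gpgsm projects): anyone forking smimesign, or wrapping a PKCS#11 signer for Linux, has to produce what git expects from `gpg.x509.program`. The assumptions behind the snippet are that git hands the commit object to the signer on stdin, stores the signer's stdout verbatim as a multi-line `gpgsig` header (continuation lines prefixed with one space, an empty line becoming a lone space), and on verification strips that header and passes the remaining bytes back as the signed payload. The commit and the PEM block below are constructed placeholders, not a real CMS/S-MIME signature.

```python
"""Git's gpgsig header layout, as a reference for a custom X.509 signer.

Assumed behaviour (not confirmed by the page): git pipes the unsigned
commit object to the signing program, embeds its stdout as a `gpgsig`
header, and reconstructs the signed bytes by removing that header again.
"""

SIG_HEADER = "gpgsig"

# Constructed unsigned commit object: what the signer receives on stdin.
UNSIGNED_COMMIT = (
    "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    "author Jane Doe <jane@example.com> 1654000000 +0000\n"
    "committer Jane Doe <jane@example.com> 1654000000 +0000\n"
    "\n"
    "Sign me with an X.509 certificate\n"
)

# Constructed placeholder standing in for the PEM-armored detached
# signature that gpgsm or smimesign writes to stdout (note the empty line,
# which exercises the continuation-line rule).
FAKE_DETACHED_SIG = (
    "-----BEGIN SIGNED MESSAGE-----\n"
    "MIIEAgYJKoZIhvcNAQcCoIID8zCCA+8CAQExDzANBglghkgBZQMEAgEFADALBgkq\n"
    "\n"
    "hkiG9w0BBwGggg==\n"
    "-----END SIGNED MESSAGE-----\n"
)


def embed_signature(commit: str, signature: str) -> str:
    """Append the detached signature as a multi-line `gpgsig` header.

    Header values in git objects continue on lines starting with a single
    space, so an empty signature line is stored as " ".
    """
    headers, body = commit.split("\n\n", 1)
    sig_lines = signature.rstrip("\n").split("\n")
    gpgsig = f"{SIG_HEADER} " + "\n ".join(sig_lines)
    return headers + "\n" + gpgsig + "\n\n" + body


def split_signature(commit: str) -> tuple[str, str]:
    """Inverse of embed_signature.

    Returns (payload, signature): payload is the commit object with the
    gpgsig header removed, i.e. exactly the bytes a verifier must check the
    detached signature against; signature is the PEM block with the leading
    continuation spaces stripped. An unsigned commit yields an empty
    signature.
    """
    headers, body = commit.split("\n\n", 1)
    kept, sig_lines, in_sig = [], [], False
    for line in headers.split("\n"):
        if line.startswith(SIG_HEADER + " "):
            in_sig = True
            sig_lines.append(line[len(SIG_HEADER) + 1:])
        elif in_sig and line.startswith(" "):
            sig_lines.append(line[1:])
        else:
            in_sig = False
            kept.append(line)
    payload = "\n".join(kept) + "\n\n" + body
    signature = "\n".join(sig_lines) + "\n" if sig_lines else ""
    return payload, signature


def roundtrip_ok(commit: str = UNSIGNED_COMMIT,
                 signature: str = FAKE_DETACHED_SIG) -> bool:
    """Check that embedding and extracting recovers both inputs exactly."""
    return split_signature(embed_signature(commit, signature)) == (commit, signature)


if __name__ == "__main__":
    signed = embed_signature(UNSIGNED_COMMIT, FAKE_DETACHED_SIG)
    print(signed)
    print("roundtrip ok:", roundtrip_ok())
```

To wire a program like this into git you set `gpg.format` to `x509`, point `gpg.x509.program` at the signer, and set `user.signingkey` to the certificate identifier the signer understands; the program is then invoked the way git invokes gpgsm (assumed here: `--status-fd=2 -bsau <key>` for signing, `--verify` for verification), which is why a PKCS#11-backed replacement only has to speak that command line and this header format, not GnuPG's agent protocol.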

0 Answers