signing commits with openssl/PKCS#11

signing commits with openssl/PKCS#11

[Mat Arge]

Hy!

I would like to sign each commit with a X.509 certificate and a private key 
stored on a PKCS#11 token. I assume that that should be possible somehow using 
a hook which calls openssl. Does somebody know a working implementation of 
this?

cheers
Mat

Re: signing commits with openssl/PKCS#11

[Michael J Gruber]

Mat Arge venit, vidit, dixit 22.10.2012 15:38:
> Hy!
> 
> I would like to sign each commit with a X.509 certificate and a private key 
> stored on a PKCS#11 token. I assume that that should be possible somehow using 
> a hook which calls openssl. Does somebody know a working implementation of 
> this?
> 
> cheers
> Mat
> 

In principle, we have an almost pluggable architecture. See for example
the latter part of the 2nd post in

http://article.gmane.org/gmane.comp.version-control.git/175127

Unless you want to change git itself, you're probably better off storing
your non-gpg signatures in a note (or a self-created signed tag). To
sign the commit rev, you could sign the output of "git cat-file commit
rev" (or of "git rev-parse rev") and store that signature in a note that
commit. To verify, you verify the note against the commit.

Michael

Re: signing commits with openssl/PKCS#11

[Brandon Casey]

On Mon, Oct 22, 2012 at 6:38 AM, Mat Arge <argemat1010@gmail.com> wrote:
> Hy!
>
> I would like to sign each commit with a X.509 certificate and a private key
> stored on a PKCS#11 token. I assume that that should be possible somehow using
> a hook which calls openssl. Does somebody know a working implementation of
> this?

Creating signatures from an rsa key on a pkcs11 token should be
possible, but gnupg doesn't support pkcs11 for philosophical reasons.
You need to use gnupg-pkcs11 which is maintained outside of the gnupg
tree.

Once you configure gnupg-pkcs11-scd, you'll be able to use git and gpg
to sign tags as usual.

I configured this a while back for use with CAC cards using the
following resources:

   http://alpha.uwb.edu.pl/map/eToken_gpg_howto.shtml (dead)
   http://alpha.uwb.edu.pl/amicke/eToken_gpg_howto.shtml (replacement
for above?)
   http://gnupg-pkcs11.sourceforge.net/man.html

Try those docs.  If you have questions, I'll try to find my notes.

-Brandon

Re: signing commits with openssl/PKCS#11

[Mat Arge]

On Wednesday 24. October 2012 11:46:15 Michael J Gruber wrote:
> Mat Arge venit, vidit, dixit 22.10.2012 15:38:
> > Hy!
> > 
> > I would like to sign each commit with a X.509 certificate and a private
> > key
> > stored on a PKCS#11 token. I assume that that should be possible somehow
> > using a hook which calls openssl. Does somebody know a working
> > implementation of this?
> > 
> > cheers
> > Mat
> 
> In principle, we have an almost pluggable architecture. See for example
> the latter part of the 2nd post in
> 
> http://article.gmane.org/gmane.comp.version-control.git/175127
> 
> Unless you want to change git itself, you're probably better off storing
> your non-gpg signatures in a note (or a self-created signed tag). 

So, there is no possibility to modify the commit itself via a hook, and add a, 
say, "opensslsig" instead of a gpgsig tag?

> To
> sign the commit rev, you could sign the output of "git cat-file commit
> rev" (or of "git rev-parse rev") and store that signature in a note that
> commit. To verify, you verify the note against the commit.
> 
> Michael

But if I crete/modify a signature file while commiting, that file wouldn't be 
commited itself, so the signatur-file would always be one commit behind. Or am 
I missing something? I'm quite new to git (or DVCSs in general), so sorry if 
this is a dumb question.

cheers
Mat

Re: signing commits with openssl/PKCS#11

[Mat Arge]

On Thursday 25. October 2012 01:02:33 Brandon Casey wrote:
> On Mon, Oct 22, 2012 at 6:38 AM, Mat Arge <argemat1010@gmail.com> wrote:
> > Hy!
> > 
> > I would like to sign each commit with a X.509 certificate and a private
> > key
> > stored on a PKCS#11 token. I assume that that should be possible somehow
> > using a hook which calls openssl. Does somebody know a working
> > implementation of this?
> 
> Creating signatures from an rsa key on a pkcs11 token should be
> possible, but gnupg doesn't support pkcs11 for philosophical reasons.
> You need to use gnupg-pkcs11 which is maintained outside of the gnupg
> tree.
> 
> Once you configure gnupg-pkcs11-scd, you'll be able to use git and gpg
> to sign tags as usual.
> 
> I configured this a while back for use with CAC cards using the
> following resources:
> 
>    http://alpha.uwb.edu.pl/map/eToken_gpg_howto.shtml (dead)
>    http://alpha.uwb.edu.pl/amicke/eToken_gpg_howto.shtml (replacement
> for above?)
>    http://gnupg-pkcs11.sourceforge.net/man.html
> 
> Try those docs.  If you have questions, I'll try to find my notes.
> 
> -Brandon

Thanks for the tip, I will try them (though the appear to be very outdated).
Do you know, if gnupg-pkcs11-scd is able to cooperate with the standard pcscd 
from pcsc-lite, or is a one-or-the-other situation?

cheers
Mat