* Git: Please allow to use gpgsm to support X.509 certificates
@ 2014-04-19 11:03 Schittli Thomas
2014-04-19 15:19 ` John Keeping
From: Schittli Thomas @ 2014-04-19 11:03 UTC (permalink / raw)
To: git@vger.kernel.org
Dear Git community
Last night, brian m. carlson explained that "Git wants a key that can be used by GnuPG" and therefore X.509 certificates are not supported.
As you probably know, gpg has supported X.509 for 3 years. Unfortunately, gpg does not automatically detect X.509 certificates and we have to use gpgsm instead of gpg.
The good thing: for identical functions, the command line arguments are identical :-)
Therefore: please allow git to be configured so that it can use gpg or gpgsm.
Or even better: if gpg fails, then please automatically try gpgsm :-)
It works perfectly; I just replaced gpg.exe with gpgsm.exe:
1. Copied all missing *.dll and *.exe from c:\Program Files (x86)\GNU\GnuPG\ to c:\Program Files (x86)\Git\bin\
2. Renamed c:\Program Files (x86)\Git\bin\gpg.exe to c:\Program Files (x86)\Git\bin\gpg_.exe
3. Renamed c:\Program Files (x86)\Git\bin\gpgsm.exe to c:\Program Files (x86)\Git\bin\gpg.exe
4. Imported the X.509 certificate
5. Signed a commit:
$ git commit -S -m 'Test commit of foo'
gpgsm: DBG: adding certificates at level -2
gpgsm: signature created
[master dd5145a] Test commit of foo
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 test
6. Tested the signature
$ git log --show-signature
commit dd5145aabac18f6a2fb2cd0d4a30b5064ef4c04a
gpgsm: Signature made 2014-04-19 10:34:53 using certificate ID 0x12345678^M
gpgsm: Good signature from "/CN=xxx/O=xxx/L=xxxl/ST=xxx/C=xx/EMail=xxx@xxx.xx"^M
Author: tom xxx@xxx.xx
Date: Sat Apr 19 12:34:53 2014 +0200
Test commit of foo
commit b89934b6e3a86343be740f7a5a1fe446e572b5dd
Author: tom xxx@xxx.xx
Date: Fri Apr 18 23:09:47 2014 +0200
Init
Thanks a lot for this really great tool!!
Kind regards,
Tom
On Fri, Apr 18, 2014 at 10:04:50PM +0200, Thomas Schittli wrote:
> We already have trusted Certificates from a CA. Can we use them
> instead of an additional PGP key?
Git wants a key that can be used by GnuPG, and X.509 certificates can't
be. It invokes the gpg binary that's in your path, so X.509 integration
isn't possible unless gpg learns about it.
> We already have:
> - s/mime certificate
> - web server ssl/tls certificate
> - XMPP Jabber ssl/tls certificate
> - Object Code Signing certificate
>
> Or if we have to use a new pgp key: can we sign it using any of our
> certificates?
Only in the sense that you can sign any arbitrary piece of text or data
with your certificates.
--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
* Re: Git: Please allow to use gpgsm to support X.509 certificates
2014-04-19 11:03 Git: Please allow to use gpgsm to support X.509 certificates Schittli Thomas
@ 2014-04-19 15:19 ` John Keeping
2014-04-19 18:24 ` AW: " Schittli Thomas
From: John Keeping @ 2014-04-19 15:19 UTC (permalink / raw)
To: Schittli Thomas; +Cc: git@vger.kernel.org
On Sat, Apr 19, 2014 at 11:03:07AM +0000, Schittli Thomas wrote:
> last night, brian m. Carlson explained, that "Git wants a key that can
> be used by GnuPG" and therefore X.509 certificates are not supported.
>
> As you probably know, since 3 years gpg supports X.509 -
> unfortunately, gpg does not automatically detect X.509 certificates
> and we have to use gpgsm instead of gpg.
> The good thing: for identical functions, the command line arguments are identical :-)
>
> Therefore: please allow to configure git, so that it can use gpg or gpgsm.
> Or even better: if gpg fails, then please automatically try gpgsm :-)
Have you tried `git config gpg.program gpgsm`?
* AW: Git: Please allow to use gpgsm to support X.509 certificates
2014-04-19 15:19 ` John Keeping
@ 2014-04-19 18:24 ` Schittli Thomas
From: Schittli Thomas @ 2014-04-19 18:24 UTC (permalink / raw)
To: John Keeping; +Cc: git@vger.kernel.org
Hi John,
> Have you tried `git config gpg.program gpgsm`?
Wow, thanks a lot for this hint! It works :-)
I think a "seamless" integration for all certificate-types would be better,
but I try to motivate GnuPG to merge the function of gpgsm.exe into gpg.exe.
This would give a great benefit for all applications using GnuPG.
Thanks a lot,
kind regards,
Tom
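Added example (not part of the original thread and not code from the Git project): once commits are signed through gpgsm, the `git log --show-signature` output shown in the first message can be audited for commits that lack a good signature. The function names and the sample log are assumptions made for this illustration; the sample is constructed from the output quoted above.

```python
import re

# Constructed sample modelled on the `git log --show-signature` output quoted
# in the first message (placeholder DN; trailing CR on the gpgsm lines, shown
# as ^M on the page; angle brackets around the author e-mail are an assumption).
SAMPLE_LOG = (
    "commit dd5145aabac18f6a2fb2cd0d4a30b5064ef4c04a\n"
    "gpgsm: Signature made 2014-04-19 10:34:53 using certificate ID 0x12345678\r\n"
    'gpgsm: Good signature from "/CN=xxx/O=xxx/L=xxxl/ST=xxx/C=xx/EMail=xxx@xxx.xx"\r\n'
    "Author: tom <xxx@xxx.xx>\n"
    "Date:   Sat Apr 19 12:34:53 2014 +0200\n\n"
    "    Test commit of foo\n\n"
    "commit b89934b6e3a86343be740f7a5a1fe446e572b5dd\n"
    "Author: tom <xxx@xxx.xx>\n"
    "Date:   Fri Apr 18 23:09:47 2014 +0200\n\n"
    "    Init\n"
)

COMMIT_RE = re.compile(r"^commit ([0-9a-f]{40})\b")
CERT_RE = re.compile(r"^gpgsm: Signature made .* using certificate ID (0x[0-9A-Fa-f]+)")
GOOD_RE = re.compile(r'^gpgsm: Good signature from "(.*)"')


def audit_signatures(log_text):
    """Return one dict per commit: sha, cert_id, signer and status."""
    commits, in_header = [], False
    for raw in log_text.splitlines():          # also consumes "\r\n"
        line = raw[:-2] if raw.endswith("^M") else raw   # CR as shown by a pager
        m = COMMIT_RE.match(line)
        if m:
            commits.append({"sha": m.group(1), "cert_id": None,
                            "signer": None, "status": "unsigned"})
            in_header = True
        elif in_header and line.startswith("Author:"):
            in_header = False   # gpgsm lines count only between commit and Author
        elif in_header and line.startswith("gpgsm:"):
            cur = commits[-1]
            if cur["status"] == "unsigned":
                cur["status"] = "unverified"   # signed, no "Good signature" yet
            cert, good = CERT_RE.match(line), GOOD_RE.match(line)
            if cert:
                cur["cert_id"] = cert.group(1)
            if good:
                cur["signer"], cur["status"] = good.group(1), "good"
    return commits


def commits_without_good_signature(log_text):
    """SHAs that a signing policy check should flag."""
    return [c["sha"] for c in audit_signatures(log_text) if c["status"] != "good"]
```

Only lines at column 0 between the `commit` line and the `Author:` line are treated as verifier output, so text inside an (indented) commit message that resembles gpgsm output is never counted as a signature.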