git.vger.kernel.org archive mirror
* Git: Please allow to use gpgsm to support X.509 certificates
@ 2014-04-19 11:03 Schittli Thomas
  2014-04-19 15:19 ` John Keeping
From: Schittli Thomas @ 2014-04-19 11:03 UTC
  To: git@vger.kernel.org

Dear Git community

Last night, brian m. Carlson explained that "Git wants a key that can be used by GnuPG" and therefore X.509 certificates are not supported.

As you probably know, gpg has supported X.509 for 3 years - unfortunately, gpg does not automatically detect X.509 certificates and we have to use gpgsm instead of gpg.
The good thing: for identical functions, the command line arguments are identical :-)

Therefore: please allow git to be configured so that it can use gpg or gpgsm.
Or even better: if gpg fails, then please automatically try gpgsm :-)


It works perfectly; I just replaced gpg.exe with gpgsm.exe:

1. Copied all missing *.dll and *.exe from c:\Program Files (x86)\GNU\GnuPG\ to c:\Program Files (x86)\Git\bin\
2. Renamed c:\Program Files (x86)\Git\bin\gpg.exe to c:\Program Files (x86)\Git\bin\gpg_.exe
3. Renamed c:\Program Files (x86)\Git\bin\gpgsm.exe to c:\Program Files (x86)\Git\bin\gpg.exe
4. Imported the X.509 Certificate
5. Signed a commit:
    $ git commit -S -m 'Test commit of foo'
    gpgsm: DBG: adding certificates at level -2
    gpgsm: signature created
    [master dd5145a] Test commit of foo
     1 file changed, 0 insertions(+), 0 deletions(-)
     create mode 100644 test
6. Tested the signature
    $ git log --show-signature
    commit dd5145aabac18f6a2fb2cd0d4a30b5064ef4c04a
    gpgsm: Signature made 2014-04-19 10:34:53 using certificate ID 0x12345678^M
    gpgsm: Good signature from "/CN=xxx/O=xxx/L=xxxl/ST=xxx/C=xx/EMail=xxx@xxx.xx"^M
    Author: tom xxx@xxx.xx
    Date:   Sat Apr 19 12:34:53 2014 +0200
        Test commit of foo
    commit b89934b6e3a86343be740f7a5a1fe446e572b5dd
    Author: tom xxx@xxx.xx
    Date:   Fri Apr 18 23:09:47 2014 +0200
        Init


Thanks a lot for this really great tool!!

Kind regards,
Tom



On Fri, Apr 18, 2014 at 10:04:50PM +0200, Thomas Schittli wrote:
> We already have trusted Certificates from a CA. Can we use them
> instead of an additional PGP key?

Git wants a key that can be used by GnuPG, and X.509 certificates can't
be.  It invokes the gpg binary that's in your path, so X.509 integration
isn't possible unless gpg learns about it.

> We already have:
> - s/mime certificate
> - web server ssl/tls certificate
> - XMPP Jabber ssl/tls certificate
> - Object Code Signing certificate
>  
> Or if we have to use a new pgp key: can we sign it using any of our
> certificates?

Only in the sense that you can sign any arbitrary piece of text or data
with your certificates.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
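
An added example, not part of the thread and not Git project code: the same outcome without replacing gpg.exe, using Git's `gpg.format` and `gpg.x509.program` settings (added to Git after this thread), plus a check over `git log --format='%H %G?'` output that lists commits lacking a good signature. The function names and the status letters in the sample are constructed for illustration; the certificate ID is whatever the caller passes in.

```shell
#!/bin/sh
# Added example (assumption: a Git release that has gpg.format, and gpgsm on PATH).

# Select gpgsm for one repository through configuration instead of
# renaming binaries inside the Git installation directory.
# $1 = repository path, $2 = certificate ID supplied by the caller.
configure_x509_signing() {
    git -C "$1" config gpg.format x509 &&
    git -C "$1" config gpg.x509.program gpgsm &&
    git -C "$1" config user.signingkey "$2"
}

# Read "<hash> <status>" lines, as printed by
#   git log --format='%H %G?'
# and print every commit whose status is not G (good signature).
# Other letters include N (no signature), B (bad), E (cannot be checked).
unverified_commits() {
    awk 'NF >= 1 && $2 != "G" { print $1, ($2 == "" ? "?" : $2) }'
}

# Return 0 only when every commit on stdin has status G; otherwise list
# the offending commits on stderr and return 1 (usable as a CI gate).
audit_signatures() {
    bad=$(unverified_commits)
    if [ -z "$bad" ]; then
        return 0
    fi
    printf '%s\n' "$bad" >&2
    return 1
}

# Constructed sample: the two commits from the message above, with status
# letters chosen to match what its log output shows (one signed, one not).
sample_log() {
    cat <<'EOF'
dd5145aabac18f6a2fb2cd0d4a30b5064ef4c04a G
b89934b6e3a86343be740f7a5a1fe446e572b5dd N
EOF
}

# Prints the unsigned "Init" commit from the sample.
sample_log | unverified_commits
```

Against a real repository the check is `git log --format='%H %G?' | audit_signatures`.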
