On March 16, 2022 10:34 AM, I forgot to mention:

> Following up on our IRC discussion on Monday, I have had a request to support
> signing git commits and tags with SSL certificates instead of SSH/GPG. The
> organization is heavily invested in SSL infrastructure, so they want to go down that
> path.
>
> The basic technique for doing this is, for example:
>
> openssl dgst -sha256 -sign key -out content.sha256 signature.txt -passin pass:passphrase
>
> There is a pre-step to compute the sha256, in this example, into a file provided to
> openssl. We could use openssl to compute the hash also.
>
> Verification is a bit different than what SSH or GPG does:
>
> openssl dgst -sha256 -verify <(openssl x509 -in certificate -pubkey -noout) -signature content.sha256 signature.txt
>
> and reports either
>
> Verified OK
> or
> Verification Failure
>
> It does not look like completion codes are consistently involved.
>
> This also does look structurally different than both GPG and SSH and more work to
> set up. It may be possible to provide wrappers and pretend we are in SSH, but I'm
> not sure that is the right path to take.
>
> Any pointers on how this might be done in existing git infrastructure, or should I
> look into making this work in code? Sorry to say that the documentation is not that
> clear on this.

It looks like there probably needs to be some configuration support, including things like httpVerify=false for self-signed certs, certificate store paths, etc., to support SSL infrastructure.
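The sign/verify round trip sketched in the quoted mail, as an added, runnable example that is not part of the original thread or of git itself. It assumes only the openssl CLI; the key, certificate, passphrase and file names are constructed for the demo, and the "commit object" being signed is a hypothetical blob of text. The certificate's public key is written to a file rather than passed with bash process substitution so the script stays POSIX sh, and the verify wrapper branches on the printed "Verified OK" text, which is what a git-side wrapper around openssl would have to do if it does not want to rely on the exit status:

```shell
#!/bin/sh
# Added example, not code from the git project: sign a blob with an X.509
# key pair via "openssl dgst" and verify it against the certificate.
# Assumes the openssl CLI is installed. All names below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

PASS='pass:demo-passphrase'   # constructed passphrase for the demo key

# Throwaway encrypted RSA key plus self-signed certificate (constructed).
make_keypair() {
  openssl req -x509 -newkey rsa:2048 -days 1 \
    -subj '/CN=git-ssl-signing-demo' \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    -passout "$PASS" >/dev/null 2>&1
}

# Sign file $1 with the private key; write the detached signature to $2.
# openssl dgst hashes the input itself, so no separate sha256 pre-step.
sign_blob() {
  openssl dgst -sha256 -sign "$WORK/key.pem" -passin "$PASS" -out "$2" "$1"
}

# Verify file $1 against detached signature $2 using the certificate's
# public key. Echo "ok" or "bad" based on the text openssl prints.
verify_blob() {
  pub="$WORK/pub.pem"
  openssl x509 -in "$WORK/cert.pem" -pubkey -noout > "$pub"
  out=$(openssl dgst -sha256 -verify "$pub" -signature "$2" "$1" 2>&1 || true)
  case "$out" in
    *"Verified OK"*) echo ok ;;
    *)               echo bad ;;
  esac
}

# Demo: a constructed commit-like blob, signed, verified, then tampered.
make_keypair
printf 'tree 0123\nauthor Demo <demo@example.invalid>\n\nsign me\n' \
  > "$WORK/commit.txt"
sign_blob "$WORK/commit.txt" "$WORK/commit.sig"
echo "untouched: $(verify_blob "$WORK/commit.txt" "$WORK/commit.sig")"
printf 'tampered\n' >> "$WORK/commit.txt"
echo "tampered:  $(verify_blob "$WORK/commit.txt" "$WORK/commit.sig")"
```

In a git signing backend the "blob" would be the commit or tag object payload git hands to the signer, and the detached signature is what would be embedded in the object; the verify side would still need the certificate (or a store path to find it), which is the configuration the mail is asking about.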