Re: [RFE] Signing using SSL

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 16.03.2022 10:34, rsbecker@xxxxxxxxxxxxx wrote:
Following up on our IRC discussion on Monday, I have had a request to
support signing git commits and tags with SSL certificates instead of
SSH/GPG. The organization is heavily invested in SSL infrastructure, so they
want to go down that path.

The basic technique for doing this is, for example:

openssl dgst -sha256 -sign key -out content.sha256 signature.txt -passin
passphrase

There is a pre-step to compute the sha256, in this example, into a file
provided to openssl. We could use openssl to compute the hash also.

Verification is a bit different than what SSH or GPG does:

openssl dgst -sha256 -verify  <(openssl x509 -in certificate -pubkey -noout)
-signature sign.txt.sha256 signature.txt

and reports either

Verified OK
Or
Verification Failure

It does not look like completion codes are consistently involved.

This also does look structurally different than both GPG and SSH and more
work to set up. It may be possible to provide wrappers and pretend we are in
SSH, but I'm not sure that is the right path to take.

Any pointers on how this might be done in existing git infrastructure, or
should I look into making this work in code? Sorry to say that the
documentation is not that clear on this.

Why not gpgsm? It can deal with x509 certs and is already supported. I am using this to do s/mime signing/encryption with an yubikey hardware token but static certs/keys should be even simpler. However I'm not sure how good this works on other platforms.

Take a look into the GPGSM prereq in t/lib-gpg.sh for a few hints on how to set this up.



[Index of Archives]     [Linux Kernel Development]     [Gcc Help]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [V4L]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]     [Fedora Users]

  Powered by Linux