On March 16, 2022 12:27 PM, Fabian Stelzer wrote: >On 16.03.2022 10:34, rsbecker@xxxxxxxxxxxxx wrote: >>Following up on our IRC discussion on Monday, I have had a request to >>support signing git commits and tags with SSL certificates instead of >>SSH/GPG. The organization is heavily invested in SSL infrastructure, so >>they want to go down that path. >> >>The basic technique for doing this is, for example: >> >>openssl dgst -sha256 -sign key -out content.sha256 signature.txt >>-passin passphrase >> >>There is a pre-step to compute the sha256, in this example, into a file >>provided to openssl. We could use openssl to compute the hash also. >> >>Verification is a bit different than what SSH or GPG does: >> >>openssl dgst -sha256 -verify <(openssl x509 -in certificate -pubkey >>-noout) -signature sign.txt.sha256 signature.txt >> >>and reports either >> >>Verified OK >>Or >>Verification Failure >> >>It does not look like completion codes are consistently involved. >> >>This also does look structurally different than both GPG and SSH and >>more work to set up. It may be possible to provide wrappers and pretend >>we are in SSH, but I'm not sure that is the right path to take. >> >>Any pointers on how this might be done in existing git infrastructure, >>or should I look into making this work in code? Sorry to say that the >>documentation is not that clear on this. > >Why not gpgsm? It can deal with x509 certs and is already supported. I am using >this to do s/mime signing/encryption with an yubikey hardware token but static >certs/keys should be even simpler. However I'm not sure how good this works on >other platforms. > >Take a look into the GPGSM prereq in t/lib-gpg.sh for a few hints on how to set >this up. Good idea but this is a non-starter. I have a limit of GPG 1.4, which only has the single legacy object. GPG added a dependency to mmap, which is not available on any of my platforms. That was one reason we were so happy to have SSH support.
