feat: x509 signed commits using openssl

Merged Roger Meier requested to merge siemens/gitlab:feat/x509-signed-commits into master
---
type: concepts, howto
---
# Signing commits with x509
## How GitLab handles x509
GitLab uses its own certificate store and therefore defines the trust chain.
For a commit to be *verified* by GitLab:
- The *keyUsage* attribute of the signing certificate must contain *Digital Signature*
- The committer's email address must match the signing certificate email
- The Certificate Authority has to be trusted by the GitLab instance
> There is no certificate revocation list check in place at the moment.
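As an added example (not part of this documentation and not GitLab's own verification code), the following POSIX shell script applies the three conditions above to a certificate with plain `openssl` commands: it reads the *keyUsage* extension, collects the e-mail addresses from the subject and the *subjectAltName*, and verifies the chain against a chosen CA file standing in for the instance's certificate store. It builds its own throwaway CAs and leaf certificates as constructed test material, so the file paths, the `alice@example.com` address and the function names are assumptions. Like GitLab at the time of this note, it performs no revocation check.

```shell
#!/bin/sh
# Added example: does a certificate satisfy the three conditions GitLab checks?
# Not GitLab's own code; paths, names and the e-mail address are constructed.
set -eu

# Print the keyUsage value of a PEM certificate, e.g. "Digital Signature".
cert_key_usage() {
  openssl x509 -in "$1" -noout -text \
    | awk '/X509v3 Key Usage/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# Print every e-mail address in the certificate, one per line: the subject's
# emailAddress attribute and any email: entry of the subjectAltName extension.
cert_emails() {
  openssl x509 -in "$1" -noout -text \
    | grep -oE 'emailAddress *= *[^,/[:space:]]+|email:[^,[:space:]]+' \
    | sed -E 's/^[^=:]*[=:] *//' \
    | sort -u
}

# check_cert CERT.pem TRUST-STORE.pem COMMITTER_EMAIL
# Reports each condition and returns 0 only when all three hold.
check_cert() {
  cert=$1; ca=$2; email=$3; rc=0
  # 1. keyUsage must contain Digital Signature
  case "$(cert_key_usage "$cert")" in
    *"Digital Signature"*) echo "ok   keyUsage includes Digital Signature" ;;
    *) echo "FAIL keyUsage lacks Digital Signature"; rc=1 ;;
  esac
  # 2. the committer e-mail must be one of the certificate's e-mail addresses
  if cert_emails "$cert" | grep -Fxq "$email"; then
    echo "ok   committer e-mail $email is in the certificate"
  else
    echo "FAIL committer e-mail $email is not in the certificate"; rc=1
  fi
  # 3. the chain must end in a trusted CA (no CRL check, as in GitLab)
  if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "ok   chain verifies against the trust store"
  else
    echo "FAIL chain does not verify against the trust store"; rc=1
  fi
  return $rc
}

# Constructed test material: two self-signed CAs and two leaf certificates
# issued by the first of them (one for signing, one for encryption only).
make_test_certs() {
  dir=$1
  cat > "$dir/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[sig]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
subjectAltName = email:alice@example.com
[enc]
basicConstraints = CA:FALSE
keyUsage = critical, keyEncipherment
EOF
  for name in trusted other; do
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
      -config "$dir/ext.cnf" -extensions ca -subj "/CN=$name CA" \
      -keyout "$dir/$name-ca.key" -out "$dir/$name-ca.pem" >/dev/null 2>&1
  done
  for ext in sig enc; do
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ext.cnf" \
      -subj "/CN=Alice/emailAddress=alice@example.com" \
      -keyout "$dir/$ext.key" -out "$dir/$ext.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/$ext.csr" -CA "$dir/trusted-ca.pem" \
      -CAkey "$dir/trusted-ca.key" -CAcreateserial -days 1 \
      -extfile "$dir/ext.cnf" -extensions "$ext" -out "$dir/$ext.pem" >/dev/null 2>&1
  done
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_test_certs "$WORK"
TEST_CA=$WORK/trusted-ca.pem       # stands in for the instance's trust store
TEST_OTHER_CA=$WORK/other-ca.pem   # a CA the instance does not trust
TEST_SIG_CERT=$WORK/sig.pem        # digitalSignature, alice@example.com
TEST_ENC_CERT=$WORK/enc.pem        # keyEncipherment only

for c in "$TEST_SIG_CERT" "$TEST_ENC_CERT"; do
  echo "== $(basename "$c")"
  if check_cert "$c" "$TEST_CA" alice@example.com; then
    echo "=> commits signed with this certificate would show as verified"
  else
    echo "=> commits signed with this certificate would NOT be verified"
  fi
done
```

Run it as-is to see the signing certificate pass all three checks and the encryption-only certificate fail the *keyUsage* check; point `check_cert` at a real certificate, your instance's CA file and the committer address from `git config user.email` to diagnose why a commit shows as unverified.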
## Setup x509 code signing
Your git client should be >= 2.19.0.
> Just replace `--local` with `--global` below to configure it globally
### Linux
Configure git to use your key for signing. The first line asks `gpgsm` (the
program git uses for x509 by default) for the ID of the secret key whose
*key usage* includes `digitalSignature`:
```sh
signingkey=$( gpgsm --list-secret-keys | grep -E '(key usage|ID)' | grep -B 1 digitalSignature | awk '/ID/ {print $2}' )
git config --local user.signingkey "$signingkey"
git config --local gpg.format x509
```
### Windows and macOS
Install [smimesign](https://github.com/github/smimesign) by downloading the
installer, or with `brew install smimesign` on macOS.
Get the ID of your certificate with `smimesign --list-keys`, set it as your
signing key with `git config --local user.signingkey ID`, then configure x509:
```sh
git config --local gpg.x509.program smimesign
git config --local gpg.format x509
```
## Sign your code with x509
You can now use the standard git commands to sign and verify; see also
https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
### Verify
```sh
git tag -v v0.2
git log --show-signature
```
### Sign
```sh
git commit -S
```