S/MIME X509 verification of commits
Problem to solve
Signing Git commits with certificates issued by a public or corporate certificate authority (X.509 PKI) may be more convenient than GnuPG in enterprise environments. GitLab should implement support for verifying such signatures.
Developers, end consumers.
At the moment on GitHub I am using X.509 signature verification. This was introduced in Git 2.19 as an option.
I would envision it being similar to the GPG verification, where the user tells Git about their signing key and uses an S/MIME client such as https://github.com/glennawatson/GitSMimeSign:
git config --global gpg.x509.program gitsmimesign
git config --global gpg.format x509
The client will then sign the commit with a certificate taken from the X.509 certificate store.
Then, in the same UI used for GPG verification, the commit's signature would be checked against a CA bundle (such as the Mozilla one, which I believe GitHub uses), and the certificate's Subject and Issuer subject would be shown.
At the moment, when I import projects from GitHub, they aren't showing my verified commits because many of them are X.509 S/MIME signed.
I would use something like this:
require 'optparse'
require 'openssl'
include OpenSSL

# -C <dir>: directory of trusted CA certificates in OpenSSL hashed layout
# (-c and -k are kept from the OpenSSL sample but are not used for verification)
options = ARGV.getopts("c:k:C:")
ca_path = options["C"]
data = $stdin.read

store = X509::Store.new
store.add_path(ca_path) if ca_path

# read_smime parses a MIME-wrapped S/MIME message; verify it with no extra
# signer certificates, relying on the certificates embedded in the message
p7sig = PKCS7::read_smime(data)
if p7sig.verify([], store)
  puts p7sig.data
else
  abort "Unverified: #{p7sig.error_string}"
end
This would load the Mozilla CA bundle from the given directory into the store and then verify the signature against it.
I mostly got the above sample from the OpenSSL ruby examples.
The verification tab would show "Verified" with text similar to the sample below, or "Unverified" if the signature could not be verified against the certificate store.
The sample text would be:
This commit was signed with a verified signature.
username: FirstName
Certificate subject: CN=Certificate Name, emailAddress=[email protected]
Certificate issuer: CN=GlobalSign PersonalSign 2 CA - SHA256 - G3, O=GlobalSign nv-sa
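The verification flow described above (check the signature against a CA store, then show the certificate's Subject and Issuer fields, or report "Unverified"), as an added Ruby example that is not part of this issue and not GitLab's or GitSMimeSign's code. Unlike the `read_smime` sketch earlier, it handles what Git actually stores: a detached CMS/PKCS#7 signature over the commit object, PEM-armored (gpgsm labels that armor `SIGNED MESSAGE` rather than `PKCS7`, so the loader ignores the label). The CA, user certificate, commit body and the "GlobalSign"-style names are all constructed in memory so the script runs offline; the check that the certificate's emailAddress matches the committer address is an extra guard added here, not something the issue specifies.

```ruby
require 'openssl'

# Constructed test PKI so the example runs offline; not real GlobalSign material.
def issue_cert(subject, key, issuer: nil, issuer_key: nil, ca: false, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.new(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    # S/MIME signing leaf: what PKCS7#verify's default "smime_sign" purpose expects
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature', true))
    cert.add_extension(ef.create_extension('extendedKeyUsage', 'emailProtection'))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

CA_KEY    = OpenSSL::PKey::RSA.new(2048)
CA_CERT   = issue_cert([['CN', 'Example PersonalSign CA'], ['O', 'Example nv-sa']],
                       CA_KEY, ca: true, serial: 1)
USER_KEY  = OpenSSL::PKey::RSA.new(2048)
USER_CERT = issue_cert([['CN', 'First Last'], ['emailAddress', 'first@example.com']],
                       USER_KEY, issuer: CA_CERT, issuer_key: CA_KEY, serial: 2)

# Constructed commit object body: the bytes git signs into the gpgsig header.
COMMIT_BODY = "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n" \
              "author First Last <first@example.com> 1560000000 +0000\n" \
              "committer First Last <first@example.com> 1560000000 +0000\n" \
              "\nAdd S/MIME verification\n"
# Same body, but the committer address does not match the certificate.
MISMATCH_BODY = COMMIT_BODY.gsub('first@example.com', 'other@example.com')

# Detached CMS signature over the body, PEM-armored the way git stores it.
def sign_commit(body, cert, key)
  flags = OpenSSL::PKCS7::DETACHED | OpenSSL::PKCS7::BINARY
  OpenSSL::PKCS7.sign(cert, key, body, [], flags).to_pem
end

# gpgsm armors with "-----BEGIN SIGNED MESSAGE-----" rather than "BEGIN PKCS7",
# so decode the base64 body ourselves and accept either label.
def load_signature(pem)
  der = pem.lines.reject { |l| l.start_with?('-----') }.join.unpack1('m')
  OpenSSL::PKCS7.new(der)
end

def rdn(name, short_name)
  entry = name.to_a.find { |oid, _value, _type| oid == short_name }
  entry && entry[1]
end

# Chain the signer to the trusted store, then report the fields the proposed UI
# shows. The email check is an extra guard added here (an assumption about what
# an implementation should do): without it, any certificate a trusted CA issued,
# to anyone, would mark the commit "Verified".
def verify_commit(body, sig_pem, store)
  p7 = load_signature(sig_pem)
  unless p7.verify([], store, body)
    return { verified: false, reason: p7.error_string || 'signature does not verify' }
  end
  si = p7.signers.first
  cert = p7.certificates.find { |c| c.issuer == si.issuer && c.serial == si.serial }
  return { verified: false, reason: 'signer certificate not embedded' } unless cert

  committer = body[/^committer .*<([^>]+)>/, 1]
  email = rdn(cert.subject, 'emailAddress')
  return { verified: false, reason: "cert email #{email} != committer #{committer}" } unless email == committer

  { verified: true,
    subject_cn: rdn(cert.subject, 'CN'), email: email,
    issuer_cn: rdn(cert.issuer, 'CN'), issuer_o: rdn(cert.issuer, 'O') }
end

TRUSTED      = OpenSSL::X509::Store.new.tap { |s| s.add_cert(CA_CERT) }
UNTRUSTED    = OpenSSL::X509::Store.new   # e.g. a bundle that lacks this CA
SIG          = sign_commit(COMMIT_BODY, USER_CERT, USER_KEY)
MISMATCH_SIG = sign_commit(MISMATCH_BODY, USER_CERT, USER_KEY)

if __FILE__ == $PROGRAM_NAME
  p verify_commit(COMMIT_BODY, SIG, TRUSTED)                     # Verified, with fields
  p verify_commit(COMMIT_BODY, SIG, UNTRUSTED)                   # Unverified: no chain to a trusted CA
  p verify_commit(COMMIT_BODY.sub('Add', 'Drop'), SIG, TRUSTED)  # Unverified: body tampered
  p verify_commit(MISMATCH_BODY, MISMATCH_SIG, TRUSTED)          # Unverified: email mismatch
end
```

The signer certificate is taken from the certificates embedded in the signature and matched to the SignerInfo by issuer and serial, which is what `PKCS7#verify` itself chains; a real implementation would pass the configured CA bundle as the store and cache the result per commit rather than re-verifying on every page load.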
Permissions and Security
It would be consistent with the existing GPG permissions: GitLab would read the signature header from the commit object and run a verification against it.
Documentation similar to GitHub's would be needed, covering how to set up a Git S/MIME signer/verifier utility.
An example of their documentation is at https://help.github.com/en/enterprise/2.16/user/articles/telling-git-about-your-signing-key#telling-git-about-your-x509-key-1
Potential extra performance hit: building and verifying the certificate chain adds time to each commit verification.