S/MIME X509 verification of commits

Problem to solve

Signing Git commits using Public Key Infrastructure (PKI), with either a public certificate authority or a corporate CA, may be more convenient than GnuPG in enterprise environments. GitLab should implement support for verifying such signatures.

Intended users

Developers, end consumers.

Further details

At the moment on GitHub I am using X509 signing verification. This was introduced in Git 2.19 as an option.

I would envision it being similar to the GPG verification, where the user tells Git about their signing key and uses an S/MIME client such as https://github.com/glennawatson/GitSMimeSign

git config --global gpg.x509.program gitsmimesign
git config --global gpg.format x509

The client will then sign the commit using a certificate from the X509 certificate store.

Then, in the same UI used for GPG verification, you would check the commit's certificate chain against a CA bundle (such as the Mozilla one, which I believe GitHub uses) and show the Subject and Issuer of the signing certificate.

At the moment when I import projects over from GitHub they aren't showing my verified commits due to a lot of them being X509 S/Mime signed.

Proposal

I would use something like this

require 'optparse'
require 'openssl'
include OpenSSL

# -C <path>: directory (or bundle) of trusted CA certificates, e.g. the Mozilla CA set
options = ARGV.getopts("c:k:C:")

ca_path = options["C"]

# The S/MIME signed message (signature plus signed content) arrives on stdin
data = $stdin.read

# Build the trust store from the CA path and parse the S/MIME message
store = X509::Store.new
store.add_path(ca_path)
p7sig = PKCS7.read_smime(data)

# verify checks the signature and validates the signer's chain against the store;
# on success the verified content is available as p7sig.data
if p7sig.verify([], store)
  puts p7sig.data
end

This would read in the Mozilla CA bundle from the given path and then verify the signature and certificate chain against it.

I mostly got the above sample from the OpenSSL ruby examples.

The verification tab would contain "Verified" with similar text as below, or "Unverified" if the signing details could not be verified against the certificate store.

The sample text would be:

This commit was signed with a verified signature.
username
FirstName
Certificate subject
CN 	Certificate Name
emailAddress 	user@email.address.com
Certificate issuer
CN 	GlobalSign PersonalSign 2 CA - SHA256 - G3
O 	GlobalSign nv-sa
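As an added example (not code from the issue or from GitLab), the script below follows the same read_smime/verify flow as the snippet above, but is self-contained: it builds a throwaway CA and user certificate, signs a constructed commit object as a detached S/MIME signature, verifies it against the CA, and extracts the subject and issuer fields the proposed verification tab would show. The certificate names, the commit text and the helper names are constructed fixtures, not values from the issue.

```ruby
require 'openssl'

# Constructed fixtures: a throwaway CA standing in for the Mozilla bundle, and a user cert.
def make_cert(subject, issuer_cert, issuer_key, serial, ca:)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, serial
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign' : 'digitalSignature', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

CA_CERT, CA_KEY     = make_cert('/CN=Example Personal CA/O=Example nv-sa', nil, nil, 1, ca: true)
USER_CERT, USER_KEY = make_cert('/CN=Certificate Name/emailAddress=user@email.address.com',
                                CA_CERT, CA_KEY, 2, ca: false)

# Constructed commit object body (what Git hands to the signing program).
COMMIT = "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n" \
         "author FirstName <user@email.address.com> 1546300800 +0000\n\nAdd feature\n"

# Detached S/MIME signature over the commit text, signer certificate included.
def sign_commit(commit_text, cert, key)
  p7 = OpenSSL::PKCS7.sign(cert, key, commit_text, [], OpenSSL::PKCS7::DETACHED)
  OpenSSL::PKCS7.write_smime(p7, commit_text)
end

# Verify against the trusted CAs and return the fields the verification tab would display.
def verify_commit(smime, trusted_cas)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |c| store.add_cert(c) }
  p7 = OpenSSL::PKCS7.read_smime(smime)          # detached content is kept in p7.data
  return { verified: false } unless p7.verify([], store)
  si = p7.signers.first
  signer = p7.certificates.find { |c| c.serial == si.serial && c.issuer == si.issuer }
  to_h = ->(name) { name.to_a.map { |n, v, _| [n, v] }.to_h }
  { verified: true, subject: to_h.call(signer.subject), issuer: to_h.call(signer.issuer),
    data: p7.data }
end

if __FILE__ == $0
  result = verify_commit(sign_commit(COMMIT, USER_CERT, USER_KEY), [CA_CERT])
  puts result[:verified] ? "Verified: #{result[:subject]['CN']} / #{result[:issuer]['CN']}" : "Unverified"
end
```

Passing an empty CA list reproduces the "Unverified" case: the signature itself is intact but the chain cannot be built to a trusted root.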

Permissions and Security

It would be consistent with the existing GPG permissions; it would read the signature header details from Git and run verification against them.

Documentation

You would need to add documentation similar to what GitHub has in regards to how to run a git smime signer/verify utility.

An example of their documentation is at https://help.github.com/en/enterprise/2.16/user/articles/telling-git-about-your-signing-key#telling-git-about-your-x509-key-1

Testing

Potential extra performance hit: the time taken for certificate chain verification should be measured.

What does success look like, and how can we measure that?

Links / references

Edited by James Ramsay (ex-GitLab)