* signing commits with openssl/PKCS#11 @ 2012-10-22 13:38 Mat Arge 2012-10-24 9:46 ` Michael J Gruber 2012-10-25 8:02 ` Brandon Casey 0 siblings, 2 replies; 5+ messages in thread From: Mat Arge @ 2012-10-22 13:38 UTC (permalink / raw) To: git Hy! I would like to sign each commit with a X.509 certificate and a private key stored on a PKCS#11 token. I assume that that should be possible somehow using a hook which calls openssl. Does somebody know a working implementation of this? cheers Mat ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: signing commits with openssl/PKCS#11 2012-10-22 13:38 signing commits with openssl/PKCS#11 Mat Arge @ 2012-10-24 9:46 ` Michael J Gruber 2012-10-25 9:12 ` Mat Arge 2012-10-25 8:02 ` Brandon Casey 1 sibling, 1 reply; 5+ messages in thread From: Michael J Gruber @ 2012-10-24 9:46 UTC (permalink / raw) To: Mat Arge; +Cc: git Mat Arge venit, vidit, dixit 22.10.2012 15:38: > Hy! > > I would like to sign each commit with a X.509 certificate and a private key > stored on a PKCS#11 token. I assume that that should be possible somehow using > a hook which calls openssl. Does somebody know a working implementation of > this? > > cheers > Mat > In principle, we have an almost pluggable architecture. See for example the latter part of the 2nd post in http://article.gmane.org/gmane.comp.version-control.git/175127 Unless you want to change git itself, you're probably better off storing your non-gpg signatures in a note (or a self-created signed tag). To sign the commit rev, you could sign the output of "git cat-file commit rev" (or of "git rev-parse rev") and store that signature in a note that commit. To verify, you verify the note against the commit. Michael ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: signing commits with openssl/PKCS#11 2012-10-24 9:46 ` Michael J Gruber @ 2012-10-25 9:12 ` Mat Arge 0 siblings, 0 replies; 5+ messages in thread From: Mat Arge @ 2012-10-25 9:12 UTC (permalink / raw) To: git On Wednesday 24. October 2012 11:46:15 Michael J Gruber wrote: > Mat Arge venit, vidit, dixit 22.10.2012 15:38: > > Hy! > > > > I would like to sign each commit with a X.509 certificate and a private > > key > > stored on a PKCS#11 token. I assume that that should be possible somehow > > using a hook which calls openssl. Does somebody know a working > > implementation of this? > > > > cheers > > Mat > > In principle, we have an almost pluggable architecture. See for example > the latter part of the 2nd post in > > http://article.gmane.org/gmane.comp.version-control.git/175127 > > Unless you want to change git itself, you're probably better off storing > your non-gpg signatures in a note (or a self-created signed tag). So, there is no possibility to modify the commit itself via a hook, and add a, say, "opensslsig" instead of a gpgsig tag? > To > sign the commit rev, you could sign the output of "git cat-file commit > rev" (or of "git rev-parse rev") and store that signature in a note that > commit. To verify, you verify the note against the commit. > > Michael But if I crete/modify a signature file while commiting, that file wouldn't be commited itself, so the signatur-file would always be one commit behind. Or am I missing something? I'm quite new to git (or DVCSs in general), so sorry if this is a dumb question. cheers Mat ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: signing commits with openssl/PKCS#11 2012-10-22 13:38 signing commits with openssl/PKCS#11 Mat Arge 2012-10-24 9:46 ` Michael J Gruber @ 2012-10-25 8:02 ` Brandon Casey 2012-10-25 9:15 ` Mat Arge 1 sibling, 1 reply; 5+ messages in thread From: Brandon Casey @ 2012-10-25 8:02 UTC (permalink / raw) To: Mat Arge; +Cc: git On Mon, Oct 22, 2012 at 6:38 AM, Mat Arge <argemat1010@gmail•com> wrote: > Hy! > > I would like to sign each commit with a X.509 certificate and a private key > stored on a PKCS#11 token. I assume that that should be possible somehow using > a hook which calls openssl. Does somebody know a working implementation of > this? Creating signatures from an rsa key on a pkcs11 token should be possible, but gnupg doesn't support pkcs11 for philosophical reasons. You need to use gnupg-pkcs11 which is maintained outside of the gnupg tree. Once you configure gnupg-pkcs11-scd, you'll be able to use git and gpg to sign tags as usual. I configured this a while back for use with CAC cards using the following resources: http://alpha.uwb.edu.pl/map/eToken_gpg_howto.shtml (dead) http://alpha.uwb.edu.pl/amicke/eToken_gpg_howto.shtml (replacement for above?) http://gnupg-pkcs11.sourceforge.net/man.html Try those docs. If you have questions, I'll try to find my notes. -Brandon ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: signing commits with openssl/PKCS#11 2012-10-25 8:02 ` Brandon Casey @ 2012-10-25 9:15 ` Mat Arge 0 siblings, 0 replies; 5+ messages in thread From: Mat Arge @ 2012-10-25 9:15 UTC (permalink / raw) To: git On Thursday 25. October 2012 01:02:33 Brandon Casey wrote: > On Mon, Oct 22, 2012 at 6:38 AM, Mat Arge <argemat1010@gmail•com> wrote: > > Hy! > > > > I would like to sign each commit with a X.509 certificate and a private > > key > > stored on a PKCS#11 token. I assume that that should be possible somehow > > using a hook which calls openssl. Does somebody know a working > > implementation of this? > > Creating signatures from an rsa key on a pkcs11 token should be > possible, but gnupg doesn't support pkcs11 for philosophical reasons. > You need to use gnupg-pkcs11 which is maintained outside of the gnupg > tree. > > Once you configure gnupg-pkcs11-scd, you'll be able to use git and gpg > to sign tags as usual. > > I configured this a while back for use with CAC cards using the > following resources: > > http://alpha.uwb.edu.pl/map/eToken_gpg_howto.shtml (dead) > http://alpha.uwb.edu.pl/amicke/eToken_gpg_howto.shtml (replacement > for above?) > http://gnupg-pkcs11.sourceforge.net/man.html > > Try those docs. If you have questions, I'll try to find my notes. > > -Brandon Thanks for the tip, I will try them (though the appear to be very outdated). Do you know, if gnupg-pkcs11-scd is able to cooperate with the standard pcscd from pcsc-lite, or is a one-or-the-other situation? cheers Mat ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2012-10-25 9:15 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2012-10-22 13:38 signing commits with openssl/PKCS#11 Mat Arge 2012-10-24 9:46 ` Michael J Gruber 2012-10-25 9:12 ` Mat Arge 2012-10-25 8:02 ` Brandon Casey 2012-10-25 9:15 ` Mat Arge
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox