Last active
November 16, 2024 23:11
Sign Git commits and tags with X.509 certificates
# 1. Get a free S/MIME e-mail certificate
#    Actalis: https://extrassl.actalis.it/portal/uapub/freemail?lang=en
# 2. Install the S/MIME version of GNU Privacy Guard
sudo apt install gpgsm
# 3. Import the PKCS#12 certificate
gpgsm --import certificate_s_mime.p12
# 4. Set your signing key (the ID of the certificate whose key usage includes digitalSignature)
signingkey=$( gpgsm --list-secret-keys | grep -E '(key usage|ID)' | grep -B 1 digitalSignature | awk '/ID/ {print $2}' )
git config --global user.signingkey "$signingkey"
git config --global gpg.format x509
# 5. Add the root certificate as trusted and disable the CRL check
#    Replace <fingerprint_of_certificate> with the root certificate's fingerprint from the listing.
#    With disable-crl-checks set, gpgsm no longer detects revoked certificates.
gpgsm --list-keys
echo "<fingerprint_of_certificate> S" >> ~/.gnupg/trustlist.txt
echo "disable-crl-checks" >> ~/.gnupg/gpgsm.conf
gpgconf --reload gpg-agent
gpgsm --list-keys --with-validation
# 6. Sign and verify commits and tags
git config --global commit.gpgsign true
git config --global tag.gpgsign true
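Step 4 above assumes exactly one certificate in the keyring has digitalSignature usage. The following is an added example, not part of the original gist: it makes that selection explicit and fails when no certificate or more than one matches. The function name and the sample listing are constructed for illustration, and the listing layout is an assumption modelled on gpgsm's output.

```sh
#!/bin/sh
# Added example, not part of the original gist.
# Reads `gpgsm --list-secret-keys` output on stdin and prints the ID of the
# one certificate whose "key usage" line includes digitalSignature.
# Exit status: 0 = exactly one match, 1 = none, 2 = more than one.
select_signing_id() {
    awk '
        # Each certificate block starts with its ID line.
        $1 == "ID:" { id = $2; next }
        # Anchor on "key usage:" after the indent so that
        # "ext key usage:" lines are never considered.
        /^[ \t]*key usage:/ && /digitalSignature/ {
            if (id != "") { ids[++n] = id; id = "" }
        }
        END {
            if (n == 1) { print ids[1]; exit 0 }
            if (n == 0) {
                print "no certificate with digitalSignature usage" > "/dev/stderr"
                exit 1
            }
            print "more than one signing certificate, choose one:" > "/dev/stderr"
            for (i = 1; i <= n; i++) print "  " ids[i] > "/dev/stderr"
            exit 2
        }
    '
}

# Constructed sample listing (assumed layout, made-up values).
sample_listing() {
    cat <<'EOF'
           ID: 0x1A2B3C4D
      Subject: /CN=Example User
    key usage: digitalSignature keyEncipherment
ext key usage: emailProtection (suggested)
           ID: 0x5E6F7A8B
      Subject: /CN=Example Encryption Only
    key usage: keyEncipherment
EOF
}

# Demo on the constructed listing. Against a real keyring:
#   signingkey=$(gpgsm --list-secret-keys | select_signing_id) &&
#       git config --global user.signingkey "$signingkey"
sample_listing | select_signing_id
```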
# 1. Get a free S/MIME e-mail certificate
#    Actalis: https://extrassl.actalis.it/portal/uapub/freemail?lang=en
# 2. Install S/MIME Sign
#    https://github.com/github/smimesign/releases
#
#    Download the latest stable release
#    e.g.: https://github.com/github/smimesign/releases/download/v0.2.0/smimesign-windows-amd64-v0.2.0.zip
#    Unpack to the 'C:\Program Files\Github' folder
# 3. Get the ID of your certificate by running
smimesign --list-keys
# 4. Set your signing key (replace <ID> with the certificate ID)
git config --global user.signingkey <ID>
# 5. Configure X.509
git config --global gpg.x509.program 'C:\Program Files\Github\smimesign.exe'
git config --global gpg.format x509
# 6. Sign and verify commits and tags
git config --global commit.gpgsign true
git config --global tag.gpgsign true