Dear Git community,

Last night, brian m. Carlson explained that "Git wants a key that can be used 
by GnuPG" and therefore X.509 certificates are not supported.

As you probably know, gpg has supported X.509 for 3 years now. Unfortunately, gpg 
does not automatically detect X.509 certificates, and we have to use gpgsm 
instead of gpg.
The good thing: for identical functions, the command line arguments are 
identical :-)

Therefore: please allow git to be configured so that it can use gpg or gpgsm.
Or even better: if gpg fails, then please automatically try gpgsm :-)


It works perfectly, I just replaced gpg.exe with gpgsm.exe:

1. Copied all missing *.dll and *.exe from c:\Program Files (x86)\GNU\GnuPG\ to c:\Program Files (x86)\Git\bin\
2. Renamed c:\Program Files (x86)\Git\bin\gpg.exe to c:\Program Files (x86)\Git\bin\gpg_.exe
3. Renamed c:\Program Files (x86)\Git\bin\gpgsm.exe to c:\Program Files (x86)\Git\bin\gpg.exe
4. Imported the X.509 Certificate
5. Signed a commit:
    $ git commit -S -m 'Test commit of foo'
    gpgsm: DBG: adding certificates at level -2
    gpgsm: signature created
    [master dd5145a] Test commit of foo
     1 file changed, 0 insertions(+), 0 deletions(-)
     create mode 100644 test
6. Tested the signature
    $ git log --show-signature
    commit dd5145aabac18f6a2fb2cd0d4a30b5064ef4c04a
    gpgsm: Signature made 2014-04-19 10:34:53 using certificate ID 0x12345678
    gpgsm: Good signature from "/CN=xxx/O=xxx/L=xxxl/ST=xxx/C=xx/EMail=x...@xxx.xx"
    Author: tom x...@xxx.xx
    Date:   Sat Apr 19 12:34:53 2014 +0200
        Test commit of foo
    commit b89934b6e3a86343be740f7a5a1fe446e572b5dd
    Author: tom x...@xxx.xx
    Date:   Fri Apr 18 23:09:47 2014 +0200
        Init


Thanks a lot for this really great tool!!

Kind regards,
Tom
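Tom's test above relies on reading the human-readable "Good signature from ..." line, which is fine for a quick check at the terminal but fragile for automation. Git itself does not parse that text: it runs gpg (or, with the binary swapped as above, gpgsm) with `--status-fd` and classifies the machine-readable `[GNUPG:]` status lines, which both programs emit in the same format. The following is an added example, not code from Tom's mail or from Git, showing that classification with the same result letters Git's `%G?` log placeholder uses. All status output, the fingerprint and the distinguished name below are constructed sample data, and the `accept` policy gate is a hypothetical helper, not Git's own.

```python
# Added example: classify gpg / gpgsm --status-fd output instead of grepping
# the human-readable "Good signature from" text. Sample data is constructed.
from dataclasses import dataclass
from typing import Optional

STATUS_PREFIX = "[GNUPG:] "

# Trust levels in increasing order, as named in the TRUST_* status lines.
TRUST_ORDER = ("undefined", "never", "marginal", "fully", "ultimate")

# Result letters follow Git's %G? placeholder: G good, B bad, U good but
# untrusted, X expired signature, Y expired key, R revoked key,
# E cannot be checked (e.g. missing key/certificate), N no signature.
_KEYWORD_TO_CODE = {
    "GOODSIG": "G", "BADSIG": "B", "ERRSIG": "E",
    "EXPSIG": "X", "EXPKEYSIG": "Y", "REVKEYSIG": "R",
}


@dataclass
class Verdict:
    code: str
    signer: Optional[str] = None       # key ID (gpg) or certificate fingerprint (gpgsm)
    uid: Optional[str] = None          # OpenPGP user ID or X.509 DN
    fingerprint: Optional[str] = None  # from VALIDSIG, when present
    trust: Optional[str] = None        # from TRUST_*, when present


def parse_status(status_text: str) -> Verdict:
    """Reduce a block of status-fd lines to one verdict."""
    v = Verdict(code="N")
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue  # diagnostics such as "gpgsm: signature created" are not status lines
        fields = line[len(STATUS_PREFIX):].split(" ", 2)
        keyword = fields[0]
        if keyword in _KEYWORD_TO_CODE:
            v.code = _KEYWORD_TO_CODE[keyword]
            v.signer = fields[1] if len(fields) > 1 else None
            # ERRSIG carries algorithm fields after the key ID, not a user ID.
            v.uid = fields[2] if keyword != "ERRSIG" and len(fields) > 2 else None
        elif keyword == "VALIDSIG" and len(fields) > 1:
            v.fingerprint = fields[1]
        elif keyword.startswith("TRUST_"):
            v.trust = keyword[len("TRUST_"):].lower()
    # A cryptographically good signature from a key or certificate with no
    # (or negative) trust is reported as 'U', the same distinction Git makes.
    if v.code == "G" and v.trust in (None, "undefined", "never"):
        v.code = "U"
    return v


def accept(v: Verdict, min_trust: str = "marginal") -> bool:
    """Hypothetical policy gate: pass only good signatures at or above min_trust."""
    if v.code not in ("G", "U"):
        return False
    level = v.trust or "undefined"
    return TRUST_ORDER.index(level) >= TRUST_ORDER.index(min_trust)


# Constructed sample status output (fingerprint and DN are made up).
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
DN = "/CN=Example Signer/O=Example Org/C=XX"

STATUS_GOOD = (
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] GOODSIG {FPR} {DN}\n"
    f"[GNUPG:] VALIDSIG {FPR} 2014-04-19 1397903693 0 4 0 1 8 00 {FPR}\n"
    "[GNUPG:] TRUST_FULLY 0 shell\n"
)
STATUS_UNTRUSTED = (
    f"[GNUPG:] GOODSIG {FPR} {DN}\n"
    f"[GNUPG:] VALIDSIG {FPR} 2014-04-19 1397903693 0 4 0 1 8 00 {FPR}\n"
    "[GNUPG:] TRUST_UNDEFINED 0 shell\n"
)
STATUS_BAD = f"[GNUPG:] BADSIG {FPR} {DN}\n"
STATUS_MISSING = (
    f"[GNUPG:] ERRSIG {FPR} 1 8 00 1397903693 9\n"
    f"[GNUPG:] NO_PUBKEY {FPR}\n"
)

if __name__ == "__main__":
    samples = [("good", STATUS_GOOD), ("untrusted", STATUS_UNTRUSTED),
               ("bad", STATUS_BAD), ("missing", STATUS_MISSING)]
    for name, text in samples:
        v = parse_status(text)
        print(f"{name:9s} -> {v.code}  trust={v.trust}  accept={accept(v)}")
```

In practice the status block comes from `git verify-commit --raw <commit>` (or `git log --show-signature` with `%G?`/`%GS` in a custom format), so the gate above can run over a range of commits without depending on the wording gpg or gpgsm prints. Note also that Git reads the `gpg.program` configuration key, so pointing it at gpgsm avoids renaming binaries as in the steps above; later Git releases added `gpg.format = x509` together with `gpg.x509.program` for exactly this use.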



On Fri, Apr 18, 2014 at 10:04:50PM +0200, Thomas Schittli wrote:
> We already have trusted Certificates from a CA. Can we use them
> instead of an additional PGP key?

Git wants a key that can be used by GnuPG, and X.509 certificates can't
be.  It invokes the gpg binary that's in your path, so X.509 integration
isn't possible unless gpg learns about it.

> We already have:
> - s/mime certificate
> - web server ssl/tls certificate
> - XMPP Jabber ssl/tls certificate
> - Object Code Signing certificate
>  
> Or if we have to use a new pgp key: can we sign it using any of our
> certificates?

Only in the sense that you can sign any arbitrary piece of text or data
with your certificates.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187