Dear Git community,

Last night, brian m. Carlson explained that "Git wants a key that can be used by GnuPG" and therefore X.509 certificates are not supported.

As you probably know, gpg has supported X.509 for 3 years - unfortunately, gpg does not automatically detect X.509 certificates and we have to use gpgsm instead of gpg. The good thing: for identical functions, the command line arguments are identical :-)

Therefore: please allow git to be configured so that it can use gpg or gpgsm. Or even better: if gpg fails, then please automatically try gpgsm :-)

It works perfectly, I just replaced gpg.exe by gpgsm.exe:

1. Copied all missing *.dll and *.exe from c:\Program Files (x86)\GNU\GnuPG\ to c:\Program Files (x86)\Git\bin\
2. Renamed c:\Program Files (x86)\Git\bin\gpg.exe to c:\Program Files (x86)\Git\bin\gpg_.exe
3. Renamed c:\Program Files (x86)\Git\bin\gpgsm.exe to c:\Program Files (x86)\Git\bin\gpg.exe
4. Imported the X.509 certificate
5. Signed a commit:

   $ git commit -S -m 'Test commit of foo'
   gpgsm: DBG: adding certificates at level -2
   gpgsm: signature created
   [master dd5145a] Test commit of foo
    1 file changed, 0 insertions(+), 0 deletions(-)
    create mode 100644 test

6. Tested the signature:

   $ git log --show-signature
   commit dd5145aabac18f6a2fb2cd0d4a30b5064ef4c04a
   gpgsm: Signature made 2014-04-19 10:34:53 using certificate ID 0x12345678^M
   gpgsm: Good signature from "/CN=xxx/O=xxx/L=xxxl/ST=xxx/C=xx/EMail=x...@xxx.xx"^M
   Author: tom x...@xxx.xx
   Date:   Sat Apr 19 12:34:53 2014 +0200

       Test commit of foo

   commit b89934b6e3a86343be740f7a5a1fe446e572b5dd
   Author: tom x...@xxx.xx
   Date:   Fri Apr 18 23:09:47 2014 +0200

       Init

Thanks a lot for this really great tool!!

Kind regards,
Tom


On Fri, Apr 18, 2014 at 10:04:50PM +0200, Thomas Schittli wrote:
> We already have trusted Certificates from a CA. Can we use them
> instead of an additional PGP key?

Git wants a key that can be used by GnuPG, and X.509 certificates can't be. It invokes the gpg binary that's in your path, so X.509 integration isn't possible unless gpg learns about it.

> We already have:
> - s/mime certificate
> - web server ssl/tls certificate
> - XMPP Jabber ssl/tls certificate
> - Object Code Signing certificate
>
> Or if we have to use a new pgp key: can we sign it using any of our
> certificates?

Only in the sense that you can sign any arbitrary piece of text or data with your certificates.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
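A follow-up check on the "git log --show-signature" output shown in Tom's mail, added here as an example and not code from either mail or from Git itself: it scans such log text (a constructed sample modelled on Tom's output, with placeholder addresses) and reports every commit that carries no gpg or gpgsm "Good signature" line, dropping the CR bytes that appear as ^M on Windows so the line patterns still match.

```shell
#!/bin/sh
# Added example, not code from the thread. Scans `git log --show-signature`
# output, as produced with gpgsm substituted for gpg, and lists commits
# that carry no "Good signature" line.

# Constructed sample, modelled on the output in Tom's mail (addresses are
# placeholders). Lines end in CR+LF as they would on Windows.
SAMPLE_LOG=$(printf '%s\r\n' \
  'commit dd5145aabac18f6a2fb2cd0d4a30b5064ef4c04a' \
  'gpgsm: Signature made 2014-04-19 10:34:53 using certificate ID 0x12345678' \
  'gpgsm: Good signature from "/CN=xxx/O=xxx/C=xx/EMail=tom@example.invalid"' \
  'Author: tom <tom@example.invalid>' \
  'Date:   Sat Apr 19 12:34:53 2014 +0200' \
  '' \
  '    Test commit of foo' \
  '' \
  'commit b89934b6e3a86343be740f7a5a1fe446e572b5dd' \
  'Author: tom <tom@example.invalid>' \
  'Date:   Fri Apr 18 23:09:47 2014 +0200' \
  '' \
  '    Init')

# unsigned_commits: read log text on stdin; print the hash of each commit
# whose block (from its "commit" header to the next) has no Good signature
# line from gpg or gpgsm. CRs are dropped first so the patterns anchor
# correctly on CRLF output (the ^M shown in the mail).
unsigned_commits() {
    tr -d '\r' | awk '
        /^commit [0-9a-f]/ {
            if (cur != "" && !good) print cur
            cur = $2; good = 0; next
        }
        /^gpg(sm)?: Good signature from/ { good = 1 }
        END { if (cur != "" && !good) print cur }
    '
}

# verify_log LOG_TEXT: return 0 when every commit in LOG_TEXT has a good
# signature, 1 otherwise (listing the offending hashes on stdout).
verify_log() {
    bad=$(printf '%s\n' "$1" | unsigned_commits)
    if [ -n "$bad" ]; then
        printf 'commits without a good signature:\n%s\n' "$bad"
        return 1
    fi
    return 0
}

# Usage on a real repository (not run here):
#   git log --show-signature | unsigned_commits
```

Note that a "Good signature" line only says the signature verifies against a certificate gpgsm knows; whether that certificate chains to a CA you trust is a separate gpgsm trust decision.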