GitSMimeSign

A dotnet global tool that signs Git commits. It emits gpgsm-style output so that Git can parse the result.

It is based on SMimeSign, but was written to interoperate better with the YubiKey.

How to use

You need a personal S/MIME X.509 certificate, with its private key, issued by an authorised provider (a certificate authority that your recipients trust).

Install the global tool

Install using the dotnet global tool utility

dotnet tool install -g gitsmimesign

Configure git

The following configuration requires Git 2.19 or newer, which introduced the gpg.format and gpg.x509.program settings.

Configure globally

git config --global gpg.x509.program gitsmimesign
git config --global gpg.format x509

If you want to sign every commit by default, set:

git config --global commit.gpgsign true

Configure for local repository only

To configure only the current repository to use gitsmimesign:

cd \to\path\of\repository
git config --local gpg.x509.program gitsmimesign
git config --local gpg.format x509

Optional: Explicitly specify X.509 certificate

If you have multiple X.509 certificates that match your identity, or would otherwise like to use an alternate X.509 certificate, Git can be told which one to use.

Start by listing the available keys:

gitsmimesign --list-keys

Identify the desired X.509 certificate from the list, and note the Certificate ID.

Configure globally

git config --global user.signingkey CERTIFICATE-ID-HERE

Configure for local repository only

cd \to\path\of\repository
git config --local user.signingkey CERTIFICATE-ID-HERE
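The configuration steps above, collected into a script that also checks the Git 2.19 requirement and shows the effective settings afterwards. This is an added example, not code from the GitSMimeSign project; it assumes git and gitsmimesign are on PATH, and the script name in the usage line is hypothetical.

```sh
#!/bin/sh
# Added example (not part of GitSMimeSign): configure Git to sign commits with
# gitsmimesign, guarding the Git 2.19 requirement and showing the result.
# Assumes git and gitsmimesign are on PATH.
set -eu

# version_ge A B: succeed when dotted version A >= B (first three numeric
# components; suffixes such as the "windows.1" in 2.19.0.windows.1 are ignored).
version_ge() {
    a="$1" b="$2" i=1
    while [ "$i" -le 3 ]; do
        xa=$(printf '%s\n' "$a" | cut -d. -f"$i" | tr -cd '0-9')
        ya=$(printf '%s\n' "$b" | cut -d. -f"$i" | tr -cd '0-9')
        xa=${xa:-0}; ya=${ya:-0}
        [ "$xa" -gt "$ya" ] && return 0
        [ "$xa" -lt "$ya" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# git_supports_x509 "$(git --version)": gpg.format=x509 and gpg.x509.program
# arrived in Git 2.19, so an older Git silently ignores this configuration.
git_supports_x509() {
    v=$(printf '%s\n' "$1" | sed -E 's/^git version ([0-9]+(\.[0-9]+)*).*$/\1/')
    version_ge "$v" 2.19
}

# configure_gitsmimesign --global|--local [CERT-ID]
# CERT-ID is the Certificate ID shown by `gitsmimesign --list-keys`; when
# given it is stored as user.signingkey so the intended certificate is used.
configure_gitsmimesign() {
    scope="$1" cert_id="${2:-}"
    git_supports_x509 "$(git --version)" || {
        echo "gpg.format=x509 needs Git 2.19 or newer" >&2; return 1; }
    command -v gitsmimesign >/dev/null || {
        echo "gitsmimesign not found: dotnet tool install -g gitsmimesign" >&2; return 1; }
    git config "$scope" gpg.x509.program gitsmimesign
    git config "$scope" gpg.format x509
    git config "$scope" commit.gpgsign true   # sign every commit (optional per README)
    [ -z "$cert_id" ] || git config "$scope" user.signingkey "$cert_id"
    # Show the effective values and which config file each one came from.
    git config --show-origin --get-regexp '^(gpg\.|commit\.gpgsign|user\.signingkey)'
}

# After the next commit, have Git run gitsmimesign in verify mode on it.
verify_head_signature() {
    git log --show-signature -1
}

# Usage: sh configure-signing.sh --global [CERT-ID]
case "${1:-}" in
    --global|--local) configure_gitsmimesign "$@" ;;
esac
```

Run it once per machine with --global, or inside a repository with --local; then make a commit and call verify_head_signature (or git log --show-signature -1) to confirm that Git reports a good signature from your certificate.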

Optional: Set time authority URL

Because Git does not pass an RFC 3161 timestamp authority URL to the signing program, you can set one in the configuration file.

Create a file called .gitsmimesignconfig in your user profile directory with the following contents, substituting your timestamp authority URL:

[Certificate]
TimeAuthorityUrl=http://url.to/timestamp/authority
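Before committing a timestamp authority URL to the configuration it is worth checking that the service actually answers RFC 3161 requests. The script below is an added example, not part of GitSMimeSign: it sends a timestamp request with openssl and curl, decodes the response, and then writes the TimeAuthorityUrl entry into the [Certificate] section without disturbing any other section of the file. It assumes openssl and curl are on PATH and that the file lives at $HOME/.gitsmimesignconfig; the URL in the usage line is a placeholder.

```sh
#!/bin/sh
# Added example (not part of GitSMimeSign): confirm that an RFC 3161 timestamp
# authority answers before putting its URL into ~/.gitsmimesignconfig, then
# write the entry. Assumes openssl and curl are on PATH; the TSA URL is
# whatever your CA or employer provides.
set -eu

# probe_tsa URL [FILE]: hash FILE (default: this script), send an RFC 3161
# TimeStampReq to URL and decode the TimeStampResp. A Granted status plus a
# policy OID and time means the TSA is reachable and answering; it does not
# yet verify the token's signature.
probe_tsa() {
    url="$1" sample="${2:-$0}"
    tmp=$(mktemp -d)
    openssl ts -query -data "$sample" -sha256 -cert -out "$tmp/req.tsq"
    curl -sSf -H 'Content-Type: application/timestamp-query' \
        --data-binary "@$tmp/req.tsq" -o "$tmp/resp.tsr" "$url"
    openssl ts -reply -in "$tmp/resp.tsr" -text | grep -E 'Status|Policy OID|Time stamp'
    # To verify the token itself you also need the TSA's CA chain:
    #   openssl ts -verify -queryfile req.tsq -in resp.tsr -CAfile tsa-chain.pem
    rm -rf "$tmp"
}

# set_time_authority_url URL [FILE]: add or replace TimeAuthorityUrl in the
# [Certificate] section of the INI-style config file, leaving other sections
# (for example [Telemetry]) untouched.
set_time_authority_url() {
    url="$1" cfg="${2:-$HOME/.gitsmimesignconfig}"
    [ -f "$cfg" ] || : > "$cfg"
    awk -v url="$url" '
        /^\[/ {
            # Leaving [Certificate] without having seen the key: add it here.
            if (insec && !done) { print "TimeAuthorityUrl=" url; done = 1 }
            insec = ($0 == "[Certificate]")
        }
        insec && /^TimeAuthorityUrl=/ { print "TimeAuthorityUrl=" url; done = 1; next }
        { print }
        END {
            if (!done) {
                if (!insec) print "[Certificate]"
                print "TimeAuthorityUrl=" url
            }
        }' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Usage: sh tsa-config.sh http://tsa.example.invalid/timestamp
if [ -n "${1:-}" ]; then
    probe_tsa "$1"
    set_time_authority_url "$1"
fi
```

The probe only proves reachability and a well-formed reply; trust in the timestamp still rests on the TSA's certificate chain, which is why the verify command in the comment needs the CA file.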

Optional: Disable telemetry

Non-personal usage information is sent to Application Insights. This can be turned off, for example if your employer disallows telemetry.

In the .gitsmimesignconfig file add the following:

[Telemetry]
Disable=true

Optional: Configure Yubikey

Export a PFX file containing the X.509 certificate and its private key, and keep a backup of it in a safe location: anyone who obtains the file (and its password) can sign as you. The platform-specific steps below load it into the YubiKey's PIV applet, so that signing uses the key on the token rather than a file on disk.
Windows

On Windows you can use the YubiKey Smart Card Minidriver, but I found the YubiKey Manager approach detailed below easier.

The commands below assume a PIN policy of "once" per session and no "touch" policy; there are other options. They import into slot 9d (Key Management), whose default PIN policy is "once". Slot 9c is the Digital Signature slot; its default PIN policy is "always", so using it instead means entering the PIN for every signature. The import steps also need the PIV management key; if yours is still the factory default, change it too (ykman piv change-management-key).

  1. Install the YubiKey manager.
  2. Open a command line.
  3. Run cd "%PROGRAMFILES%\Yubico\YubiKey Manager"
  4. Change your PIN from the default 123456 (if you haven't already). Run .\ykman piv change-pin -P 123456 -n <new pin>; omit -P and -n to be prompted instead, which keeps the new PIN out of your shell history.
  5. Run: .\ykman piv import-key --pin-policy=default 9d C:\path\to\your.pfx
  6. When prompted, enter the PIN, management key, and password for the PFX.
  7. Run: .\ykman piv import-certificate 9d C:\path\to\your.pfx
  8. When prompted, enter the PIN, management key, and password for the PFX.
  9. If the key doesn't show up in gitsmimesign --list-keys, you may need to log out of your profile and back in.

Mac

  1. Install YubiKey Manager
    brew install ykman
  2. Change your PIN from the default 123456 (if you haven't already). Run ykman piv change-pin -P 123456 -n <new pin>; omit -P and -n to be prompted instead, which keeps the new PIN out of your shell history.
  3. Run: ykman piv import-key --pin-policy=default 9d /path/to/your.pfx
  4. When prompted, enter the PIN, management key, and password for the PFX.
  5. Run: ykman piv import-certificate 9d /path/to/your.pfx
  6. When prompted, enter the PIN, management key, and password for the PFX.
  7. If the key doesn't show up in gitsmimesign --list-keys, you may need to log out of your profile and back in.

Linux Ubuntu

  1. Install YubiKey Manager
    sudo apt-add-repository ppa:yubico/stable
    sudo apt update
    sudo apt install yubikey-manager-qt
    The steps below use the ykman command line; if it is not present afterwards, install the yubikey-manager package from the same PPA.
  2. Change your PIN from the default 123456 (if you haven't already). Run ykman piv change-pin -P 123456 -n <new pin>; omit -P and -n to be prompted instead, which keeps the new PIN out of your shell history.
  3. Run: ykman piv import-key --pin-policy=default 9d /path/to/your.pfx
  4. When prompted, enter the PIN, management key, and password for the PFX.
  5. Run: ykman piv import-certificate 9d /path/to/your.pfx
  6. When prompted, enter the PIN, management key, and password for the PFX.
  7. If the key doesn't show up in gitsmimesign --list-keys, you may need to log out of your profile and back in.
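The three platform sections above are the same procedure, so here it is once as a script, with the check a practitioner wants before the key goes onto the token: confirm that the PFX really holds an unexpired S/MIME signing certificate, and know which PIN policy the chosen slot will apply. This is an added example, not code from the GitSMimeSign project; it assumes openssl and the ykman command line are on PATH, and the PFX path, slot and script name are placeholders.

```sh
#!/bin/sh
# Added example (not part of GitSMimeSign): check a PFX before loading it into
# a YubiKey PIV slot, then import the key and certificate with ykman. Assumes
# openssl and the ykman command line (YubiKey Manager) are on PATH; the PFX
# path and slot are supplied by you.
set -eu

# default_pin_policy SLOT: the PIN policy a YubiKey applies when a key is
# imported with --pin-policy=default. 9c (Digital Signature) asks for the PIN
# on every signature; 9d (Key Management), used in the README, asks once per
# session.
default_pin_policy() {
    case "$1" in
        9a|9d) echo once ;;
        9c)    echo always ;;
        9e)    echo never ;;
        *)     echo "unknown PIV slot: $1" >&2; return 1 ;;
    esac
}

# inspect_pfx FILE: show subject, e-mail, validity and key usage of the
# certificate in the PFX so you can confirm it is an S/MIME signing
# certificate (digitalSignature, E-mail Protection) and not yet expired.
# openssl prompts for the PFX password; OpenSSL 3 may need -legacy for
# PFX files written with the older RC2/3DES ciphers.
inspect_pfx() {
    openssl pkcs12 -in "$1" -nokeys -clcerts \
      | openssl x509 -noout -subject -email -dates -ext keyUsage,extendedKeyUsage
}

# import_pfx FILE [SLOT]: the two ykman imports from the README. Without the
# PIN, management key and PFX password given as options, ykman prompts for
# them, so none of the secrets end up in shell history. Newer ykman (4.x)
# spells these `ykman piv keys import` and `ykman piv certificates import`.
import_pfx() {
    pfx="$1" slot="${2:-9d}"
    policy=$(default_pin_policy "$slot")
    echo "importing into slot $slot (default PIN policy: $policy)"
    ykman piv import-key --pin-policy=default "$slot" "$pfx"
    ykman piv import-certificate "$slot" "$pfx"
    # Lists the PIV state and the certificate in each populated slot.
    ykman piv info
}

# Usage: sh yubikey-import.sh /path/to/your.pfx [9d|9c]
if [ $# -ge 1 ]; then
    inspect_pfx "$1"
    import_pfx "$1" "${2:-9d}"
fi
```

After the import, gitsmimesign --list-keys should show the certificate; if it does not, log out and back in as the platform steps note. Keep the PFX backup offline: the copy on the token is what you sign with, the file is what an attacker would want.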