Sign Git Commits

Enterprise

Instead of a dedicated Git Signer, SignServer leverages OpenPGP Signer to generate signatures and SignWrapper-GPG to integrate the signatures into the Debian signing workflow. Git can use the SignWrapper-GPG for signing commits and tags.

The SignWrapper-GPG is a script that wraps SignClient and behaves like a gpg (GnuPG) command, allowing git tool to use signwrapper-gpg instead of gpg.

The Signers use OpenPGP public keys instead of X.509 certificates. The public key can instead be obtained from the Worker's status output. Additionally, the Generate CSR functionality lets you associate a User ID with the key and store it in the PGPPUBLICKEY property. When using RSA keys for Git signing, this step is required to produce the correct key type.


Prerequisite: OpenPGP Signer Configured

In the Set up OpenPGP Signer, follow the steps to configure a OpenPGP Signer or OpenPGP Plain Signer, add User ID and certification, and generate a revocation certificate.


Set up Git for Signing using SignWrapper-GPG

The SignServer SignWrapper-GPG replaces the gpg (GnuPG) command in the git signing workflow by routing requests through SignClient.

The following components need to be configured:

Configure SignWrapper-GPG

SignWrapper-GPG needs to know where SignClient is located. If signwrapper-gpg is not kept in the SignClient folder, set one of the following environment variables:

  • SIGNCLIENT_CMD: Set to the full path of the bin/signclient script, or

  • SIGNCLIENT_HOME or SIGNSERVER_HOME: Set to the root folder of the SignClient distribution.

Configure SignClient

Set the following environment variables so SignWrapper-GPG can connect to your SignServer instance:

Variable

Description

SIGNCLIENT_HOSTS

Value for the -hosts HOSTS SignClient parameter is the hostname or IP-address of the SignServer host or a comma separated list of hosts.

Example: signserver1.example.com

SIGNCLIENT_PORT

Value for the -port PORT SignClient parameter is the TCP port on the SignServer host to use.

Example: 8080

SIGNCLIENT_PARAMS

(Optional) Value for any extra parameters to put on the SignClient command line.

Example: -truststore TRUSTSTORE -truststorepwd PWD

Configure Git

Configure Git to use the signwrapper-gpg for signing:

GIT_REPO=<path to local repo>
git -C $GIT_REPO config user.email "user@organization.com"
git -C $GIT_REPO config user.name "Test User"
git -C $GIT_REPO config gpg.program $SIGNSERVER_HOME/bin/signwrapper-gpg
git -C $GIT_REPO config user.signingkey OpenPGPSigner

For more details on the command, see SignWrapper-GPG.


Sign Git Commits and Tags

With Git configured to use SignWrapper-GPG, use the standard Git tooling to sign:

echo "Test text" > $GIT_REPO/test.txt
git -C $GIT_REPO add test.txt
git -C $GIT_REPO commit -S -m "Test signed commit"
git -C $GIT_REPO tag -s -m "Test tag" testtag

When the command completes, the commit and tag contains the embedded signature.


Verify the Signature

Use Git to verify the signatures.

If the Signer’s public key is not yet imported to the local GPG keyring, import it first:

  1. Save the public key (from PGPPUBLICKEY property) as signer001-pub.asc.

  2. Import the key to GPG keyring:

    gpg --import signer001-pub.asc
    

Verify package signature:

git -C $GIT_REPO verify-commit HEAD
git -C $GIT_REPO tag -v testtag

(Optional) Distribute the Public Key

The OpenPGP public key can be published to online key servers or distributed to clients by other means.