Enterprise
Instead of a dedicated Git Signer, SignServer leverages OpenPGP Signer to generate signatures and SignWrapper-GPG to integrate the signatures into the Debian signing workflow. Git can use the SignWrapper-GPG for signing commits and tags.
The SignWrapper-GPG is a script that wraps SignClient and behaves like a gpg (GnuPG) command, allowing git tool to use signwrapper-gpg instead of gpg.
The Signers use OpenPGP public keys instead of X.509 certificates. The public key can instead be obtained from the Worker's status output. Additionally, the Generate CSR functionality lets you associate a User ID with the key and store it in the PGPPUBLICKEY property. When using RSA keys for Git signing, this step is required to produce the correct key type.
Prerequisite: OpenPGP Signer Configured
In the Set up OpenPGP Signer, follow the steps to configure a OpenPGP Signer or OpenPGP Plain Signer, add User ID and certification, and generate a revocation certificate.
Set up Git for Signing using SignWrapper-GPG
The SignServer SignWrapper-GPG replaces the gpg (GnuPG) command in the git signing workflow by routing requests through SignClient.
The following components need to be configured:
Configure SignWrapper-GPG
SignWrapper-GPG needs to know where SignClient is located. If signwrapper-gpg is not kept in the SignClient folder, set one of the following environment variables:
-
SIGNCLIENT_CMD: Set to the full path of thebin/signclientscript, or -
SIGNCLIENT_HOMEorSIGNSERVER_HOME: Set to the root folder of the SignClient distribution.
Configure SignClient
Set the following environment variables so SignWrapper-GPG can connect to your SignServer instance:
|
Variable |
Description |
|---|---|
|
|
Value for the Example: |
|
|
Value for the Example: |
|
|
(Optional) Value for any extra parameters to put on the SignClient command line. Example: |
Configure Git
Configure Git to use the signwrapper-gpg for signing:
GIT_REPO=<path to local repo>
git -C $GIT_REPO config user.email "user@organization.com"
git -C $GIT_REPO config user.name "Test User"
git -C $GIT_REPO config gpg.program $SIGNSERVER_HOME/bin/signwrapper-gpg
git -C $GIT_REPO config user.signingkey OpenPGPSigner
For more details on the command, see SignWrapper-GPG.
Sign Git Commits and Tags
With Git configured to use SignWrapper-GPG, use the standard Git tooling to sign:
echo "Test text" > $GIT_REPO/test.txt
git -C $GIT_REPO add test.txt
git -C $GIT_REPO commit -S -m "Test signed commit"
git -C $GIT_REPO tag -s -m "Test tag" testtag
When the command completes, the commit and tag contains the embedded signature.
Verify the Signature
Use Git to verify the signatures.
If the Signer’s public key is not yet imported to the local GPG keyring, import it first:
-
Save the public key (from
PGPPUBLICKEYproperty) assigner001-pub.asc. -
Import the key to GPG keyring:
gpg --import signer001-pub.asc
Verify package signature:
git -C $GIT_REPO verify-commit HEAD
git -C $GIT_REPO tag -v testtag
(Optional) Distribute the Public Key
The OpenPGP public key can be published to online key servers or distributed to clients by other means.