  • Language
    Go
  • License
    MIT License
  • Created over 6 years ago
  • Updated 11 months ago

Repository Details

An S/MIME signing utility for use with Git

smimesign (S/MIME Sign)

Smimesign is an S/MIME signing utility for macOS and Windows that is compatible with Git. This allows developers to sign their Git commits and tags using X.509 certificates issued by public certificate authorities or their organization's internal certificate authority. Smimesign uses keys and certificates already stored in the macOS Keychain or the Windows Certificate Store.

This project is pre-1.0, meaning that APIs and functionality may change without warning.

This package also contains reusable libraries in nested packages:

Contributing

Different organizations do PKI differently and we weren't able to test everyone's setup. Contributions making this tool work better for your organization are welcome. See the contributing docs for more information on how to get involved.

Git Signing, GnuPG, PKI, and S/MIME

Git allows developers to sign their work using GnuPG. This is a form of public key cryptography whereby the notion of trust is distributed. The party verifying a signature may directly know of the signer's identity and public key, or the signer's identity may be vouched for by a third party known to the verifier. Through layers of "vouching", a web-of-trust is established.

Such a model is well suited to an unstructured environment. In hierarchical environments though, such as a corporation or other large organizations, a simpler approach is for digital identities to be issued and vouched for by a centralized authority. With this approach — known as Public Key Infrastructure, or PKI — an organization's certificate authority (CA) issues signed certificates that identify subjects such as people or computers. Embedded in these certificates is the identity's public key, allowing others who trust the CA to verify that identity's signatures.

PKI is used in a variety of applications for encrypting or authenticating communications. Secure MIME (S/MIME) standardized a protocol for encrypting and signing emails using PKI. While protecting email was the original intent, S/MIME can protect any type of data, including Git commits and tags. Signing Git data with S/MIME provides the same protections as GnuPG while allowing for the more hierarchical trust model of PKI.

Installation

macOS

You can install smimesign using Homebrew:

brew install smimesign

You can also download a prebuilt macOS binary here. Put the binary on your $PATH, so Git will be able to find it.

Windows

You can install smimesign using scoop:

scoop install smimesign

You can download prebuilt Windows binaries here. Put the appropriate binary on your %PATH%, so Git will be able to find it.

Building from source

  • Make sure you have the Go compiler installed.
  • You'll probably want to put $GOPATH/bin on your $PATH.
  • Run go get github.com/github/smimesign

Configuring Git

Git needs to be told to sign commits and tags using smimesign instead of GnuPG. This can be configured on a global or per-repository level. The Git configuration directives for changing signing tools were changed in version 2.19.

Git versions 2.19 and newer

Configure Git to use smimesign for a single repository:

$ cd /path/to/my/repository
$ git config --local gpg.x509.program smimesign
$ git config --local gpg.format x509

Configure Git to use smimesign for all repositories:

$ git config --global gpg.x509.program smimesign
$ git config --global gpg.format x509

Git versions 2.18 and older

Configure Git to use smimesign for a single repository:

$ cd /path/to/my/repository
$ git config --local gpg.program smimesign

Configure Git to use smimesign for all repositories:

$ git config --global gpg.program smimesign
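
The version split above can be scripted so the right keys are set whichever Git is installed. This is an added example, not part of the smimesign project; the function names `smimesign_git_settings` and `configure_smimesign` are hypothetical, and the version string in the comment is a constructed sample.

```shell
#!/bin/sh
# Added example: choose Git's signing keys for smimesign from the Git version.
# Function names are hypothetical; they are not part of smimesign or Git.

# Print "key value" lines for a version string such as the output of
# `git --version` (e.g. the constructed sample "git version 2.39.3").
smimesign_git_settings() {
    # Extract MAJOR and MINOR from the first dotted number in the string.
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    if [ -z "$ver" ]; then
        echo "unrecognized Git version: $1" >&2
        return 1
    fi
    major=${ver% *}
    minor=${ver#* }
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 19 ]; }; then
        # 2.19 and newer: select the x509 format and name its program.
        printf '%s\n' 'gpg.x509.program smimesign' 'gpg.format x509'
    else
        # 2.18 and older: a single key replaces the GnuPG program.
        printf '%s\n' 'gpg.program smimesign'
    fi
}

# Apply those settings at one scope: --local (default) or --global.
configure_smimesign() {
    scope=${1:---local}
    case $scope in
        --local|--global) ;;
        *) echo "scope must be --local or --global" >&2; return 2 ;;
    esac
    # Git can only run the signer if it is on PATH.
    command -v smimesign >/dev/null 2>&1 ||
        { echo "smimesign not found on PATH" >&2; return 3; }
    settings=$(smimesign_git_settings "$(git --version)") || return 1
    printf '%s\n' "$settings" | while read -r key value; do
        git config "$scope" "$key" "$value" || exit 1
    done
}
```

Source the file and run `configure_smimesign` inside a repository, or `configure_smimesign --global` for all repositories.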

Configuring smimesign

No configuration is needed to use smimesign. However, you must already have a certificate and private key in order to make signatures. Furthermore, to sign Git commits or tags, it is best to have a certificate that includes your Git email address.

Find your Git email address:

$ git config --get user.email

List available signing identities:

$ smimesign --list-keys

Smart cards (PIV/CAC/Yubikey)

Many large organizations and government agencies distribute certificates and keys to end users via smart cards. These cards allow applications on the user's computer to use private keys for signing or encryption without giving them the ability to export those keys. The native certificate stores on both Windows and macOS can talk to smart cards, though special drivers or middleware may be required.

If you can find your certificate in the Keychain Access app on macOS or in the Certificate Manager (certmgr) on Windows, it will probably work with smimesign. If you can't find it, you may need to install some drivers or middleware.

Yubikey

Many Yubikey models support the PIV smart card interface. To get your operating system to discover certificates and keys on your Yubikey, you may have to install the OpenSC middleware. On macOS avoid installing OpenSC using homebrew, as it omits an important component. Instead use the installer provided by OpenSC or use the homebrew-cask formula.

Additionally, to manage the certificates and keys on the Yubikey on macOS, you'll need the Yubikey PIV Manager (GUI) or the Yubikey PIV Tool (command line).

Yubikey PIV Keychain in macOS Keychain Access app
