From 37706f5bbaf39607519fcd1aea55494a6f68189a Mon Sep 17 00:00:00 2001
From: Roger Meier
Date: Mon, 20 Apr 2020 18:30:58 +0200
Subject: [PATCH 1/3] feat: use git config to read tsa server and include-certs

---
 .travis.yml |  3 ++-
 README.md   |  9 +++++++++
 go.mod      |  1 +
 go.sum      |  2 ++
 main.go     | 21 +++++++++++++++++++++
 5 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/.travis.yml b/.travis.yml
index fb05172..8b4d4a5 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -10,7 +10,8 @@ go:
 git:
 depth: false
 
-install: ''
+install:
+ - brew install libgit2
 
 script:
 - GIT_VERSION=$(git describe --tags)
diff --git a/README.md b/README.md
index 3d8d805..6b89d35 100644
--- a/README.md
+++ b/README.md
@@ -96,6 +96,15 @@ $ git config --get user.email
 $ smimesign --list-keys
 ```
 
+**Add smimesign options**
+
+Currently only `tsa` and `include-certs` options are supported.
+
+```bash
+$ git config --global gpg.x509.smimesign.timestamp-authority http://timestamp.digicert.com
+$ git config --global gpg.x509.smimesign.include-certs -1
+```
+
 ## Smart cards (PIV/CAC/Yubikey)
 
 Many large organizations and government agencies distribute certificates and keys to end users via smart cards. These cards allow applications on the user's computer to use private keys for signing or encryption without giving them the ability to export those keys. The native certificate stores on both Windows and macOS can talk to smart cards, though special drivers or middleware may be required.
diff --git a/go.mod b/go.mod
index e1d1dd2..bf876e5 100644
--- a/go.mod
+++ b/go.mod
@@ -5,6 +5,7 @@ go 1.12
 require (
 	github.com/certifi/gocertifi v0.0.0-20180118203423-deb3ae2ef261
 	github.com/davecgh/go-spew v1.1.1
+	github.com/libgit2/git2go/v30 v30.0.1
 	github.com/mastahyeti/certstore v0.0.5
 	github.com/mastahyeti/cms v0.0.6
 	github.com/mastahyeti/fakeca v0.0.1
diff --git a/go.sum b/go.sum
index f983c42..7d146c8 100644
--- a/go.sum
+++ b/go.sum
@@ -3,6 +3,8 @@ github.com/certifi/gocertifi v0.0.0-20180118203423-deb3ae2ef261/go.mod h1:GJKEex
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/libgit2/git2go/v30 v30.0.1 h1:uvQkdor2u7WKG9p8vAZNWFRlhQx/OxRinj8ucydrTJ4=
+github.com/libgit2/git2go/v30 v30.0.1/go.mod h1:YReiQ7xhMoyAL4ISYFLZt+OGqn6xtLqvTC1xJ9oAH7Y=
 github.com/mastahyeti/certstore v0.0.4 h1:lIS0StbHgmgUIpen7aayW+BGBFs7g141fOcjuobrFj8=
 github.com/mastahyeti/certstore v0.0.4/go.mod h1:G29tHH2jDKK45cvISMzk8ZRf3KrhRS7ptoteyYzztsk=
 github.com/mastahyeti/certstore v0.0.5 h1:8JV/YC8jN6SD+ocJi46PSdxXfPxwgilJJEA8HnG49ls=
diff --git a/main.go b/main.go
index f5b02bd..69dde3f 100644
--- a/main.go
+++ b/main.go
@@ -7,6 +7,7 @@ import (
 	"io"
 	"os"
 
+	git "github.com/libgit2/git2go/v30"
 	"github.com/mastahyeti/certstore"
 	"github.com/pborman/getopt/v2"
 	"github.com/pkg/errors"
@@ -72,6 +73,26 @@ func runCommand() error {
 		return nil
 	}
 
+	// read tsa and include-certs from gitconfig
+	path, err := os.Getwd()
+	if err == nil {
+		repo, err := git.OpenRepository(path)
+		if err == nil {
+			config, err := repo.Config()
+
+			tsa, err := config.LookupString("gpg.x509.smimesign.timestamp-authority")
+			if err == nil {
+				tsaOpt = &tsa
+			}
+
+			includeCerts32, err := config.LookupInt32("gpg.x509.smimesign.include-certs")
+			if err == nil {
+				var includeCerts int = int(includeCerts32)
+				includeCertsOpt = &includeCerts
+			}
+		}
+	}
+
 	// Open certificate store
 	store, err := certstore.Open()
 	if err != nil {
From 541cfc5c33d104f92759730a30d29434edb7ddc3 Mon Sep 17 00:00:00 2001
From: Roger Meier
Date: Fri, 1 May 2020 14:03:23 +0200
Subject: [PATCH 2/3] docs: add standalone usage section

---
 README.md | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

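Review bot: In the second main.go hunk, `config, err := repo.Config()` never checks `err`; the next statement `tsa, err := config.LookupString(...)` reuses the same `err` variable, so a failed config load is silently discarded and the lookup runs on whatever `config` holds (presumably a nil `*git.Config` on error, which would dereference nil). The same block also assigns `tsaOpt` and `includeCertsOpt` unconditionally, so a git config entry silently replaces an explicit `-t`/`--include-certs` given on the command line; since the timestamp-authority URL decides where the signature digest is sent for timestamping, the command-line value should take precedence, but both option variables are declared outside the hunk so I cannot see how getopt binds them. Neither `repo` nor `config` is released with `Free()`; git2go may reclaim them through finalizers, but the explicit call is the library's convention. Because the lookup only runs when `git.OpenRepository` on the working directory succeeds, standalone use outside a repository never reads the `--global` settings the README documents, which deserves a comment such as `// only consulted when run inside a repository; standalone runs keep the command-line values`. The rewrite below adds the error check and the `Free()` calls (the precedence fix depends on the flag declarations outside the hunk); runCommand continues past the end of the hunk.
```go
	// read tsa and include-certs from gitconfig
	if path, err := os.Getwd(); err == nil {
		if repo, err := git.OpenRepository(path); err == nil {
			defer repo.Free()
			if config, err := repo.Config(); err == nil {
				defer config.Free()
				if tsa, err := config.LookupString("gpg.x509.smimesign.timestamp-authority"); err == nil {
					tsaOpt = &tsa
				}
				// … unchanged: include-certs lookup …
			}
		}
	}
```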
diff --git a/README.md b/README.md
index 6b89d35..55eab0d 100644
--- a/README.md
+++ b/README.md
@@ -44,6 +44,32 @@ You can download prebuilt Windows binaries [here](https://github.com/github/smim
 - You'll probably want to put `$GOPATH/bin` on your `$PATH`.
 - Run `go get github.com/github/smimesign`
 
+## Standalone usage
+
+```sh
+$ smimesign --help
+Usage: smimesign [-abhsv] [--include-certs n] [--keyid-format {long}] [--list-keys] [--status-fd n] [-t url] [-u USER-ID] [--verify] [files]
+ -a, --armor create ascii armored output
+ -b, --detach-sign make a detached signature
+ -h, --help print this help message
+ --include-certs=n -3 is the same as -2, but ommits issuer
+ when cert has Authority Information
+ Access extension. -2 includes all certs
+ except root. -1 includes all certs. 0
+ includes no certs. 1 includes leaf cert.
+ >1 includes n from the leaf. Default -2.
+ --keyid-format={long} select how to display key IDs.
+ --list-keys show keys
+ -s, --sign make a signature
+ --status-fd=n write special status strings to the file
+ descriptor n.
+ -t, --timestamp-authority=url URL of RFC3161 timestamp authority to
+ use for timestamping
+ -u, --local-user=USER-ID use USER-ID to sign
+ --verify verify a signature
+ -v, --version print the version number
+```
+
 ## Configuring Git
 
 Git needs to be told to sign commits and tags using smimesign instead of GnuPG. This can be configured on a global or per-repository level. The Git configuration directives for changing signing tools was changed in version 2.19.
From c872390b6d9d804a3fe57ee07da5791c68d7ce0b Mon Sep 17 00:00:00 2001
From: Roger Meier
Date: Fri, 1 May 2020 14:15:29 +0200
Subject: [PATCH 3/3] chore(ci): add 1.13 and 1.14

---
 .travis.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.travis.yml b/.travis.yml
index 8b4d4a5..2591637 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -4,6 +4,8 @@ language: go
 go:
 - 1.12.x
+ - 1.13.x
+ - 1.14.x
 - 1.x
 - master