A dotnet global tool to sign commits from the Git program. It supports GPGSM-style output, which is what Git expects from a `gpg.x509.program`.
It targets .NET Core 3.1, .NET 5 and .NET 6.
It is based on SMimeSign, but was written to interoperate better with the YubiKey.
You need a personal S/MIME X.509 certificate from an authorised provider.
Install it using the dotnet global tool utility:

```
dotnet tool install -g gitsmimesign
```

The following is how to set it up with Git versions 2.19 or newer.
```
git config --global gpg.x509.program gitsmimesign
git config --global gpg.format x509
```

If you want to sign all commits by default, set:

```
git config --global commit.gpgsign true
```

To configure only a local repository to use gitsmimesign:
```
cd \to\path\of\repository
git config --local gpg.x509.program gitsmimesign
git config --local gpg.format x509
```

If you want to sign all commits in that repository by default, set:

```
git config --local commit.gpgsign true
```

If you have multiple X.509 certificates that match your identity, or would otherwise like to use an alternate X.509 certificate, Git can be configured to be aware of this.
Start by listing the available keys:

```
gitsmimesign --list-keys
```

Identify the desired X.509 certificate from the list and note its Certificate ID, then configure it globally:

```
git config --global user.signingkey CERTIFICATE-ID-HERE
```

or for a single repository only:

```
cd \to\path\of\repository
git config --local user.signingkey CERTIFICATE-ID-HERE
```

Because Git does not pass an RFC 3161 time stamp authority URL to the signing program, you can set one in the configuration file.
Create a file in your user profile directory called `.gitsmimesignconfig` and add the following contents, replacing the URL with that of your timestamp authority:

```
[Certificate]
TimeAuthorityUrl=http://url.to/timestamp/authority
```

Export a PFX file from the X.509 certificate. Keep a backup of this file in a safe location; if someone gets it they can pretend to be you.
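As an added illustration of what "GPGSM style output" means to Git (example code, not part of gitsmimesign): an `gpg.x509.program` talks to Git through `[GNUPG:] ...` status lines, and when Git verifies a commit it reduces those lines to the single result letter shown by the `%G?` pretty-format placeholder. The parser below reproduces that reduction and applies a fingerprint-pinning policy you could run over `git verify-commit --raw` output in CI; the status text, key id and fingerprint are constructed sample data.

```python
STATUS_PREFIX = "[GNUPG:] "
# Signature keywords a GPGSM-style program writes on its status fd, mapped to
# the result letters git reports in the %G? pretty-format placeholder.
SIG_RESULT = {"GOODSIG": "G", "BADSIG": "B", "ERRSIG": "E",
              "EXPSIG": "X", "EXPKEYSIG": "Y", "REVKEYSIG": "R"}
TRUST_RANK = {"TRUST_UNDEFINED": 0, "TRUST_NEVER": 1, "TRUST_MARGINAL": 2,
              "TRUST_FULLY": 3, "TRUST_ULTIMATE": 4}

# Constructed sample of a verifier's output for one good signature.
SAMPLE_STATUS = """\
gitsmimesign: checking signature (constructed sample line, not real output)
[GNUPG:] GOODSIG 0123456789ABCDEF Jane Doe <jane@example.com>
[GNUPG:] VALIDSIG ABCDEF0123456789ABCDEF0123456789ABCDEF01 2024-01-01 1704067200 0 4 0 1 8 00
[GNUPG:] TRUST_FULLY 0 shell
"""

def parse_status(raw: str) -> dict:
    """Reduce one verification's status-fd stream to a result dict."""
    v = {"result": "N", "key_id": "", "signer": "", "fingerprint": "",
         "trust": "TRUST_UNDEFINED"}          # N: no signature status seen
    for line in raw.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue                          # ordinary stderr, not status
        keyword, *args = line[len(STATUS_PREFIX):].split()
        if keyword in SIG_RESULT:
            v["result"] = SIG_RESULT[keyword]
            v["key_id"] = args[0] if args else ""
            if keyword != "ERRSIG":           # ERRSIG carries no user id
                v["signer"] = " ".join(args[1:])
        elif keyword == "VALIDSIG" and args:
            v["fingerprint"] = args[0].upper()
        elif keyword in TRUST_RANK:
            v["trust"] = keyword
    # as git does, report a good signature with too little trust as 'U'
    if v["result"] == "G" and TRUST_RANK[v["trust"]] < TRUST_RANK["TRUST_MARGINAL"]:
        v["result"] = "U"
    return v

def accept(v: dict, pinned_fingerprints: set) -> tuple:
    """Policy: only a good, fully trusted signature from a pinned certificate."""
    if v["result"] != "G":
        return False, f"signature result {v['result']!r} is not G"
    if TRUST_RANK[v["trust"]] < TRUST_RANK["TRUST_FULLY"]:
        return False, f"trust {v['trust']} is below TRUST_FULLY"
    if v["fingerprint"] not in pinned_fingerprints:
        return False, "certificate fingerprint is not in the pinned set"
    return True, f"signed by {v['signer']}"

if __name__ == "__main__":
    print(accept(parse_status(SAMPLE_STATUS), {"ABCDEF0123456789ABCDEF0123456789ABCDEF01"}))
```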
On Windows you can use the YubiKey smart card minidriver, but I found the YubiKey Manager approach detailed below easier.
I am assuming a PIN policy of "once" per session and no "touch" policy; there are other options. I am also installing into slot 9c, which is the signing slot.
- Install the YubiKey Manager.
- Open a command line.
- Run `cd "%PROGRAMFILES%\Yubico\YubiKey Manager"`
- Change your PIN from the default 123456 (if you haven't already). Run `.\ykman piv change-pin -P 123456 -n <new pin>`
- Run: `.\ykman piv import-key --pin-policy=default 9c C:\path\to\your.pfx`
- When prompted, enter the PIN, management key, and password for the PFX.
- Run: `.\ykman piv import-certificate 9c C:\path\to\your.pfx`
- When prompted, enter the PIN, management key, and password for the PFX.
- You may need to log out of your profile if the keys don't show up in `gitsmimesign --list-keys`.

Note that `--pin-policy=default` keeps the slot's built-in default, which for slot 9c on YubiKey 4 and 5 devices is "always" (the PIN is required for every signature); pass `--pin-policy=once` explicitly if you want the once-per-session behaviour assumed above. The same applies to the macOS and Linux steps below.
On macOS:

- Install YubiKey Manager: `brew install ykman`
- Change your PIN from the default 123456 (if you haven't already). Run `ykman piv change-pin -P 123456 -n <new pin>`
- Run: `ykman piv import-key --pin-policy=default 9c /path/to/your.pfx`
- When prompted, enter the PIN, management key, and password for the PFX.
- Run: `ykman piv import-certificate 9c /path/to/your.pfx`
- When prompted, enter the PIN, management key, and password for the PFX.
- You may need to log out of your profile if the keys don't show up in `gitsmimesign --list-keys`.
On Linux (Ubuntu, using the Yubico PPA):

- Install YubiKey Manager:

  ```
  sudo apt-add-repository ppa:yubico/stable
  sudo apt update
  sudo apt install yubikey-manager-qt
  ```

- Change your PIN from the default 123456 (if you haven't already). Run `ykman piv change-pin -P 123456 -n <new pin>`
- Run: `ykman piv import-key --pin-policy=default 9c /path/to/your.pfx`
- When prompted, enter the PIN, management key, and password for the PFX.
- Run: `ykman piv import-certificate 9c /path/to/your.pfx`
- When prompted, enter the PIN, management key, and password for the PFX.
- You may need to log out of your profile if the keys don't show up in `gitsmimesign --list-keys`.