Getting yourself set up in macOS to sign keys using a Nitrokey HSM with gpg is non-trivial. Allegedly (at least some) Nitrokeys are supported by scdaemon (GnuPG's stand-in abstraction for cryptographic tokens), but it seems that the version of scdaemon in brew doesn't have support. However, there is gnupg-pkcs11-scd, a replacement for scdaemon which uses PKCS #11. Unfortunately it's a bit of a hassle to set up.

There's a bunch of things you'll want to install from brew: opensc, gnupg, gnupg-pkcs11-scd, pinentry-mac, openssl and engine_pkcs11.

```sh
brew install opensc gnupg gnupg-pkcs11-scd pinentry-mac \
    openssl engine_pkcs11
```

gnupg-pkcs11-scd won't create keys, so if you've not made one already, you need to generate yourself a keypair, which you can do with pkcs11-tool:

```sh
# -l logs in with the user PIN; the keypair never leaves the token
pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l \
    --keypairgen --key-type rsa:2048 --id 10
```

The `--id` can be any hexadecimal id you want.

Then you'll need to generate and sign a self-signed X.509 certificate for this keypair (you'll need both the PEM form and the DER form), using the brew-installed openssl with engine_pkcs11:

```sh
/usr/local/opt/openssl/bin/openssl
```

Once that's done, check that signing works:

```sh
echo -n "Hello World" | gpg --armor --clearsign --textmode
```

Side note: the curses-based pinentry doesn't deal with piping content into stdin, which is why you want pinentry-mac.

You can also import your certificate into gpgsm:

```sh
gpgsm --import < ca-certificate
```

And that's it, now you can sign your git tags with your super-secret private key, or whatever it is you do.
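The whole procedure above, gathered into one script as an added example (this is not the post's own code). It assumes Homebrew-default paths: the OpenSC module path and openssl path are the ones the post uses, while the `engine_pkcs11.so` location, the `slot:id` key reference accepted by `-key`, the 365-day validity and the certificate subject are assumptions to adjust for your install. It also writes the DER certificate back onto the token next to the key, on the assumption that this is how gnupg-pkcs11-scd is meant to find the key.

```sh
#!/bin/sh
# Added example (not from the original post): key + certificate setup for a
# PKCS#11 token, wrapped in functions so each step can be rerun on its own.
# Assumptions: paths are Homebrew defaults; ENGINE_SO and the "slot:id" key
# reference format depend on the engine_pkcs11/libp11 version installed.
MODULE=/usr/local/lib/opensc-pkcs11.so            # from the post
ENGINE_SO=/usr/local/lib/engines/engine_pkcs11.so # assumed path
OPENSSL=/usr/local/opt/openssl/bin/openssl        # from the post
KEY_ID=10                                         # any hex id you like
SUBJ="/CN=Nitrokey signing key"                   # constructed sample subject

# Reject anything that is not a hex string: pkcs11-tool's --id is hex, and a
# bad id only surfaces later as a confusing "object not found".
check_hex_id() {
  case "$1" in
    ''|*[!0-9a-fA-F]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Write a minimal OpenSSL config that loads engine_pkcs11 on top of OpenSC,
# so "openssl -engine pkcs11 -keyform engine" can reach the key on the token.
write_openssl_cnf() {
  cat > "$1" <<EOF
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = $ENGINE_SO
MODULE_PATH = $MODULE
init = 0
EOF
}

# Step 1: generate the RSA keypair on the token (prompts for the user PIN).
gen_keypair() {
  check_hex_id "$KEY_ID" || { echo "KEY_ID must be hex" >&2; return 1; }
  pkcs11-tool --module "$MODULE" -l --keypairgen --key-type rsa:2048 --id "$KEY_ID"
}

# Step 2: self-sign an X.509 certificate with that key, keep PEM and DER
# forms, and store the DER form on the token next to the key (assumed to be
# how gnupg-pkcs11-scd locates the key).
make_cert() {
  cnf=$(mktemp)
  write_openssl_cnf "$cnf"
  OPENSSL_CONF="$cnf" "$OPENSSL" req -engine pkcs11 -keyform engine \
      -key "0:$KEY_ID" -new -x509 -days 365 -subj "$SUBJ" -out cert.pem
  "$OPENSSL" x509 -in cert.pem -outform DER -out cert.der
  pkcs11-tool --module "$MODULE" -l --write-object cert.der --type cert --id "$KEY_ID"
  rm -f "$cnf"
}

# Step 3: confirm gpg can sign through gnupg-pkcs11-scd (pinentry-mac handles
# the PIN prompt even with piped stdin), then make the cert known to gpgsm.
smoke_test() {
  printf 'Hello World' | gpg --armor --clearsign --textmode
  gpgsm --import < cert.der
}

main() { gen_keypair && make_cert && smoke_test; }

# Only touch the token when explicitly asked, so the file can also be sourced.
if [ "${NITROKEY_SETUP_RUN:-0}" = 1 ]; then main; fi
```

Run it with `NITROKEY_SETUP_RUN=1 sh setup.sh` once the token is plugged in; without that variable it only defines the functions, which is handy for rerunning just `make_cert` after changing the subject or validity.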