smimesign-figma

smimesign-figma is Figma's minimally-modified fork of GitHub's systems/smimesign utility. The fork adds one new flag — --get-figmate-key-id — that walks the macOS Keychain and returns the key id of the engineer's current device-trust X.509 certificate (the cert rotates every 15 days).

The flag is the dynamic-lookup primitive that a wrapper bash script calls at commit time to substitute for Git's static user.signingkey argument.

Why the fork exists

smimesign upstream accepts a static key id via -u <key>, which Git populates from user.signingkey. Figma's device-trust certs rotate every 15 days, so any static value is stale within two weeks. Two options:

  1. Continuously rewrite user.signingkey in every engineer's Git config every 15 days (fragile, requires tooling to touch each developer machine).
  2. Compute the current key id at commit time (self-healing; no per-developer daemon needed).

Figma chose option 2, which requires the signer itself to expose a key-lookup primitive the wrapper can call.

The new flag

smimesign-figma --get-figmate-key-id
# → stdout: <current device-trust cert key id from macOS Keychain>

Wrapper script that uses it

One-line smimesign-figma-wrapper registered as Git's gpg.x509.program:

smimesign-figma --status-fd=2 -bsau "$(smimesign-figma --get-figmate-key-id)"

The wrapper ignores every argument Git passes (the --status-fd=2 -bsau <key> set derived from user.signingkey) and supplies its own, with the key id resolved by the dynamic lookup at invocation time.

Git's user.signingkey is left deliberately blank because the wrapper makes it irrelevant; this is documented in the internal Git config to prevent future confusion.
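A fail-closed variant of the wrapper pattern described above, written as an added example rather than Figma's actual script: it resolves the key id with --get-figmate-key-id and refuses to invoke the signer when the lookup returns nothing, so a rotated-away or missing device-trust cert produces a signing error instead of a signer call with an empty key. The SIGNER override and the installed-name dispatch are assumptions for illustration.

```shell
#!/bin/sh
# Hypothetical smimesign-figma-wrapper (example, not Figma's own code).
# SIGNER is overridable so the logic can be exercised with a stub binary.
SIGNER="${SIGNER:-smimesign-figma}"

# Ask the signer for the current device-trust key id from the Keychain.
# Returns 1 on a failed lookup or empty output so callers can fail closed.
resolve_key_id() {
    resolved=$("$SIGNER" --get-figmate-key-id 2>/dev/null) || return 1
    [ -n "$resolved" ] || return 1
    printf '%s\n' "$resolved"
}

# Wrapper body: Git's own arguments ("$@") are ignored, as in the
# one-line wrapper; the commit payload arrives on stdin and the detached
# signature is written to stdout with the dynamically resolved key id.
sign_commit() {
    key_id=$(resolve_key_id) || {
        echo "smimesign-figma-wrapper: no current device-trust key id" >&2
        return 1
    }
    "$SIGNER" --status-fd=2 -bsau "$key_id"
}

# Dispatch only when installed under the wrapper's name (gpg.x509.program).
case "${0##*/}" in
    smimesign-figma-wrapper) sign_commit "$@" ;;
esac
```

Register the script as gpg.x509.program with gpg.format=x509; a non-zero exit from the wrapper makes Git abort the commit rather than record it unsigned.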
