
smimesign

smimesign is GitHub's open-source S/MIME signing utility for macOS and Windows. It plugs into Git's gpg.format=x509 signing hook, so engineers can sign Git commits and tags with X.509 certificates issued by public or private certificate authorities. Repository: github/smimesign.

It was built for organisations that want to reuse their existing corporate X.509 PKI (code-signing certificates, identity certificates, device-trust certificates) for commit signing, rather than asking every developer to generate and manage a separate GPG key.

Key facts

  • Uses keys and certificates already stored in the macOS Keychain or the Windows Certificate Store; there is no separate key file format to manage.
  • Configured as Git's gpg.x509.program once gpg.format is set to x509.
  • Emits a detached, PEM-armored CMS / PKCS#7 signature on stdout, which Git stores in the commit's gpgsig header.
  • Ships a Go CMS implementation (the ietf-cms package, in the same repository) used for both signing and verification; the verifier is importable on its own, so organisations can build custom policy gates (which CA a signer must chain to, which certificate attributes must match the committer) on top of it.
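The shape of what smimesign produces and what a policy gate has to check, as an added example that is not smimesign's own code: it uses openssl instead of smimesign so that it runs without a Keychain or Certificate Store, builds a throwaway corporate CA with one developer certificate and one self-signed outsider certificate, signs a constructed commit payload into a detached PEM CMS, and then applies the two checks a server-side gate would apply (the chain must end at the pinned CA with system roots ignored, and the signer certificate must carry the expected committer e-mail). All names, addresses, keys and the payload are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not smimesign's code. Functions:
#   make_pki      throwaway CA, one developer cert (Alice), one outsider (Mallory)
#   write_payload what Git hands the signer: the commit object without its gpgsig
#   sign_detached PEM-armored detached CMS over the payload (what Git stores)
#   verify_gate   pinned-CA chain check plus committer e-mail binding
# Every name, address and the commit payload below is constructed.

make_pki() {                 # $1 = working directory
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example Corp/CN=Example Corp Developer CA" \
    -keyout "$1/ca.key" -out "$1/ca.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in "$1/ca.csr" -signkey "$1/ca.key" \
    -extfile "$1/ca.ext" -out "$1/ca.pem" 2>/dev/null

  # S/MIME signer profile: digitalSignature + emailProtection, e-mail in the SAN
  printf 'keyUsage=critical,digitalSignature\nextendedKeyUsage=emailProtection\nsubjectAltName=email:alice@example.com\n' > "$1/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example Corp/CN=Alice Developer/emailAddress=alice@example.com" \
    -keyout "$1/alice.key" -out "$1/alice.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in "$1/alice.csr" \
    -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
    -extfile "$1/leaf.ext" -out "$1/alice.pem" 2>/dev/null

  # Outsider: self-signed, same extensions, claims Alice's address. Shows that
  # an e-mail match without CA pinning is not a policy.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Mallory/emailAddress=alice@example.com" \
    -keyout "$1/mallory.key" -out "$1/mallory.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in "$1/mallory.csr" -signkey "$1/mallory.key" \
    -extfile "$1/leaf.ext" -out "$1/mallory.pem" 2>/dev/null
}

write_payload() {            # $1 = output file (constructed commit object, no gpgsig header)
  printf 'tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\nauthor Alice Developer <alice@example.com> 1700000000 +0000\ncommitter Alice Developer <alice@example.com> 1700000000 +0000\n\nConstructed commit used for the example\n' > "$1"
}

sign_detached() {            # $1 = signer cert, $2 = signer key, $3 = payload, $4 = signature out
  # -binary: sign the bytes as-is (no MIME line-ending canonicalisation);
  # without -nodetach the output carries no copy of the content, i.e. detached
  openssl cms -sign -binary -md sha256 -signer "$1" -inkey "$2" \
    -in "$3" -outform PEM -out "$4"
}

verify_gate() {              # $1 = pinned CA, $2 = payload, $3 = signature, $4 = expected e-mail
  signer=$(mktemp)
  # -no-CAfile/-no-CApath: trust only the corporate CA, never the system
  # store (OpenSSL 3 additionally offers -no-CAstore for the default store URI)
  if ! openssl cms -verify -binary -inform PEM -in "$3" -content "$2" \
        -CAfile "$1" -no-CAfile -no-CApath -signer "$signer" -out /dev/null 2>/dev/null; then
    echo "gate: signature invalid, payload altered, or signer not issued by the pinned CA" >&2
    rm -f "$signer"; return 1
  fi
  # Chain is good; now bind the certificate to the committer identity
  if openssl x509 -in "$signer" -noout -email 2>/dev/null | grep -qxF "$4"; then
    rm -f "$signer"; return 0
  fi
  echo "gate: valid signature, but the signer certificate is not bound to $4" >&2
  rm -f "$signer"; return 1
}

demo() {
  d=$(mktemp -d); make_pki "$d"; write_payload "$d/commit"
  sign_detached "$d/alice.pem" "$d/alice.key" "$d/commit" "$d/alice.sig"
  sign_detached "$d/mallory.pem" "$d/mallory.key" "$d/commit" "$d/mallory.sig"
  verify_gate "$d/ca.pem" "$d/commit" "$d/alice.sig" alice@example.com && echo "alice: accepted"
  verify_gate "$d/ca.pem" "$d/commit" "$d/alice.sig" bob@example.com || echo "alice signing as bob: rejected"
  verify_gate "$d/ca.pem" "$d/commit" "$d/mallory.sig" alice@example.com || echo "mallory: rejected"
  rm -rf "$d"
}

# Run end to end with:  sh cms_gate.sh demo
if [ "${1:-}" = "demo" ]; then demo; fi
```

The gate takes the same two inputs a verifier built on ietf-cms would take, the detached signature and the exact bytes that were signed, and rejects three things separately: a tampered payload, a signer whose chain does not end at the pinned CA, and a valid corporate certificate that belongs to someone other than the committer. Note that the e-mail check is only meaningful after the chain check has passed, which is why the two are ordered as they are.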

Standard Git configuration

git config commit.gpgsign true
git config gpg.format x509
git config gpg.x509.program smimesign
git config user.signingkey <your_x509_key_id>   # the ID shown by `smimesign --list-keys`

Invocation contract

Git invokes the configured gpg.x509.program as:

smimesign --status-fd=2 -bsau <user.signingkey>

(-bsau is the usual bundling of the four short flags -b -s -a -u.)

Flag            Meaning
--status-fd=2   write machine-readable status lines to file descriptor 2 (stderr)
-b              create a detached signature
-s              sign (as opposed to verify)
-a              ASCII-armored (PEM) output
-u <key-id>     sign with this key id

The -u <key-id> argument is static: Git takes it from the user.signingkey config value and passes it unchanged on every commit, so the configured id has to name a certificate that is valid right now. That is fine for long-lived corporate certificates but breaks under short-lived device-trust rotation, where the configured id goes stale as soon as the certificate is replaced and signing then fails. Figma's smimesign-figma fork adds a --get-figmate-key-id flag that computes the current key at invocation time; it is used via a wrapper script installed as gpg.x509.program.
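One way to build such a wrapper without depending on a fork flag, as an added example that is neither smimesign's code nor the Figma fork's: the script below, installed under the assumed name smimesign-wrapper as gpg.x509.program, receives exactly the argv Git would pass to smimesign, resolves the key id at every signing call by matching the committer's e-mail against the current key store listing, rewrites the value after -u, and execs the real smimesign. It assumes that `smimesign --list-keys` prints one block per certificate containing an "ID:" line and an "Emails:" line (comma-separated); the listing used in the test is constructed to that shape.

```shell
#!/bin/sh
# smimesign-wrapper: added example, not part of smimesign or the Figma fork.
# Install as: git config gpg.x509.program /path/to/smimesign-wrapper
# Git then calls it exactly as it would call smimesign:
#     smimesign-wrapper --status-fd=2 -bsau <user.signingkey>
# Assumed listing format (adjust the awk patterns if your build differs):
#     ID: <hex id>   ...   Emails: a@example.com, b@example.com

# Print the ID of the first listed certificate carrying e-mail $2, given the
# listing text in $1; prints nothing when no certificate matches.
pick_key_id() {
  printf '%s\n' "$1" | awk -v want="$2" '
    /^[ \t]*ID:/     { id = $2 }
    /^[ \t]*Emails:/ {
      for (i = 2; i <= NF; i++) {
        e = $i; sub(/,$/, "", e)        # strip the list separator
        if (e == want) { print id; exit }
      }
    }'
}

# Echo Git's argv one argument per line, replacing the value that follows a
# flag ending in -u (Git bundles it as -bsau) with $1. All other arguments,
# including those of verification calls, pass through untouched.
replace_key() {
  new=$1; shift
  prev=
  for a in "$@"; do
    case "$prev" in -*u) a=$new ;; esac
    printf '%s\n' "$a"
    prev=$a
  done
}

main() {
  # Only signing calls carry -u; anything else (--verify, --list-keys) is
  # handed to smimesign unchanged so that a missing cert never breaks verify.
  case " $* " in *" -bsau "*|*" -u "*) ;; *) exec smimesign "$@" ;; esac
  email=$(git config user.email)
  key=$(pick_key_id "$(smimesign --list-keys)" "$email")
  if [ -z "$key" ]; then
    echo "smimesign-wrapper: no certificate for $email in the key store" >&2
    exit 2
  fi
  rewritten=$(replace_key "$key" "$@")
  set --                                    # rebuild argv from the rewritten lines
  while IFS= read -r arg; do set -- "$@" "$arg"; done <<EOF
$rewritten
EOF
  exec smimesign "$@"
}

# Act as the wrapper only when invoked under that name; when the file is
# sourced for testing, the functions are defined and nothing runs.
case "${0##*/}" in smimesign-wrapper) main "$@" ;; esac
```

With this in place user.signingkey can hold any placeholder, since the value is replaced on every call. If the key store can hold several certificates for the same address (an expired one alongside its replacement), extend pick_key_id to parse the Validity line and skip certificates whose period has ended; as written it takes the first match in listing order.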
