Improvements / Pitfalls for "S/MIME Signing Git Commits"
I stumbled on some issues while following "S/MIME Signing Git Commits".
gpgsm cannot handle long passwords
1. If the PKCS#12 file is protected by a very long password / passphrase, gpgsm fails with "password too long" (the limit is hard-coded in the source):
$ gpgsm --import <filename>.pfx/p12
gpgsm: 5544 bytes of RC2 encrypted text
gpgsm: password too long
…
gpgsm: password too long
gpgsm: encryptedData error at "outer.outer.seq", offset 2
gpgsm: possibly bad passphrase given
gpgsm: error at "bag.encryptedData", offset 49
gpgsm: error parsing or decrypting the PKCS#12 file
gpgsm: total number processed: 0
As a workaround, create a new temporary PKCS#12 file with a new short (16 characters) password:
$ keytool -importkeystore -destkeystore new.p12 -deststoretype pkcs12 -srckeystore <filename>.pfx/p12
Importing keystore <filename>.pfx/p12 to new.p12...
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias 1 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
gpgsm fails with "data error at …"
2. Try to import the new file:
$ gpgsm --import new.p12
gpgsm: keybox '…/.gnupg/pubring.kbx' created
…
gpgsm: data error at "pkcs5PBES2-params", offset 118
gpgsm: error at "bag-sequence", offset 49
gpgsm: error parsing or decrypting the PKCS#12 file
gpgsm: total number processed: 0
It looks like gpgsm doesn't like the CA certificates bundled in the PKCS#12 file, so you have to create a PKCS#12 file containing only the key and the user certificate. Extract the certificate and the key, then create a new PKCS#12 file from them:
# Extract user certificate
$ openssl pkcs12 -in <filename>.pfx/p12 -clcerts -nokeys -out usr.crt
Enter Import Password:
# Extract private key
$ openssl pkcs12 -in <filename>.pfx/p12 -nocerts -out usr.key
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
# Merge them back into a p12 file
$ openssl pkcs12 -export -in usr.crt -inkey usr.key -out new.p12
Enter pass phrase for usr.key:
Enter Export Password:
Verifying - Enter Export Password:
Based on: Signed commits with KIT-CA Certificate on Linux
Finally, import the newly generated PKCS#12 file:
$ gpgsm --import new.p12
…
gpgsm: total number processed: 2
gpgsm: imported: 1
gpgsm: secret keys read: 1
gpgsm: secret keys imported: 1
SIGNINGKEY (ID) is not grepped correctly when the Subject contains "ID"
3. If the Subject contains "ID" (for example in the OU), the command from the guide will use the first part of the Subject (for example: /CN=John) instead of the key ID. This can be fixed by adjusting the command slightly:
$ export SIGNINGKEY=$( gpgsm --list-secret-keys | egrep '(key usage|ID:)' | grep -B 1 digitalSignature | awk '/ID:/ {print $2}' )
or
$ export SIGNINGKEY=$( gpgsm --list-secret-keys | egrep '(key usage|\s+ID)' | grep -B 1 digitalSignature | awk '/\s+ID/ {print $2}' )
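As an added example (not part of the original post or of the guide), the same selection done in one awk pass wrapped in a small POSIX shell function: only lines whose first field is exactly `ID:` count as key IDs, so an `ID` inside the Subject or OU is ignored, and the first key whose key usage includes digitalSignature wins even when several keys are listed. The listing it runs over is a constructed approximation of `gpgsm --list-secret-keys` output, not real key data.

```shell
#!/bin/sh
# Constructed sample of `gpgsm --list-secret-keys` output (two keys, both
# with "ID" in the Subject/OU; values are made up for the example).
SAMPLE_LISTING='/home/user/.gnupg/pubring.kbx
-----------------------------
           ID: 0x11111111
          S/N: 01
       Issuer: /CN=Example CA/O=Example
      Subject: /CN=John ID/OU=ID Department/O=Example
     validity: 2024-01-01 00:00:00 through 2026-01-01 00:00:00
     key type: 2048 bit RSA
    key usage: keyEncipherment dataEncipherment
  fingerprint: AA:BB:CC:DD

           ID: 0x22222222
          S/N: 02
       Issuer: /CN=Example CA/O=Example
      Subject: /CN=John ID/OU=ID Department/O=Example
     validity: 2024-01-01 00:00:00 through 2026-01-01 00:00:00
     key type: 2048 bit RSA
    key usage: digitalSignature nonRepudiation
  fingerprint: EE:FF:00:11
'

# Read a gpgsm key listing on stdin and print the ID of the first key whose
# "key usage" line contains digitalSignature. Because awk splits on
# whitespace, $1 is "ID:" only for real ID lines, never for a Subject line
# that merely contains the word "ID".
signing_key_id() {
    awk '
        $1 == "ID:" { id = $2 }
        /^ *key usage:/ && /digitalSignature/ && id != "" { print id; exit }
    '
}

# Real-world usage (hypothetical, needs an actual gpgsm keyring):
#   export SIGNINGKEY=$(gpgsm --list-secret-keys | signing_key_id)
printf '%s\n' "$SAMPLE_LISTING" | signing_key_id
```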
Suggestions
Add a troubleshooting section for the common errors with workarounds. I could add an MR to discuss.