oct-git - Git signing with OpenPGP cards

oct-git

Git signing and verification with a focus on OpenPGP cards.

https://crates.io/crates/openpgp-card-tool-git

oct-git can act as a replacement for one mode of operation of the gpg tool: its use by the git version control tool to sign and verify commits and tags.

Signing

git can optionally use an external tool (such as oct-git, or historically gpg) to produce cryptographic signatures for “commits” or “tags”.

Issuing signatures is a private-key based operation, which oct-git can perform on an OpenPGP card.

User PIN handling for signing operations

OpenPGP card devices require presentation of a “User PIN” to allow performing cryptographic operations on them. oct-git performs this PIN presentation on behalf of the user.

The suggested method for User PIN handling with oct-git is to manage the PIN with one of the supported mechanisms in openpgp-card-state.

The openpgp-card-state page offers more context and discussion of the options and their tradeoffs.

Verifying

git can also use an external tool (such as oct-git, or historically gpg) to verify signatures on git commits or tags.

Verification of signatures doesn’t require private key material, so this operation is independent of OpenPGP card devices.
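Both the signing and the verifying mode above are wired up through git's gpg.program setting, which git uses for signing and for verification alike. The configuration below is an added example and not part of the oct-git project's documentation; the path to the oct-git binary and the signing-key fingerprint are placeholders to be replaced with your own values.

```ini
# ~/.gitconfig (added example; binary path and fingerprint are placeholders)

[gpg]
    # git invokes this program to create signatures (commit -S, tag -s)
    # and to check them (verify-commit, verify-tag, log --show-signature).
    # Assumption: oct-git is installed at this path.
    program = /usr/local/bin/oct-git

[user]
    # Fingerprint of the signing key held on the OpenPGP card (placeholder).
    signingkey = <fingerprint-of-card-signing-key>

[commit]
    # Sign every commit, equivalent to passing -S on each `git commit`.
    gpgsign = true

[tag]
    # Sign annotated tags, equivalent to passing -s on each `git tag -a`.
    gpgsign = true
```

With this in place, `git commit` makes oct-git present the card's User PIN as described above, while `git verify-commit HEAD` runs oct-git in verify mode, which needs no card but does need access to the signer's public certificate.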