Commit 64b5a06c authored by Evan Read

Standardize capitalization of X.509

parent 7df11dac
...@@ -18,4 +18,5 @@ swap: ...@@ -18,4 +18,5 @@ swap:
rspec: RSpec rspec: RSpec
self hosted: self-managed self hosted: self-managed
self-hosted: self-managed self-hosted: self-managed
x509: X.509
yaml: YAML yaml: YAML
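Review bot: The new `x509: X.509` key in this swap list covers only the lowercase spelling, while the same commit also corrects `X509` in headings and body text in the other files. If the swap matching is case-sensitive, add an `X509: X.509` entry too. It is also worth checking that the rule skips code spans and link targets, since `gpg.format x509` and `x509_signatures.md` have to stay lowercase.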
...@@ -755,7 +755,7 @@ Example response if commit is GPG signed: ...@@ -755,7 +755,7 @@ Example response if commit is GPG signed:
} }
``` ```
Example response if commit is x509 signed: Example response if commit is X.509 signed:
```json ```json
{ {
......
...@@ -37,4 +37,4 @@ The following are available Rake tasks: ...@@ -37,4 +37,4 @@ The following are available Rake tasks:
| [Uploads sanitize](../administration/raketasks/uploads/sanitize.md) | Remove EXIF data from images uploaded to earlier versions of GitLab. | | [Uploads sanitize](../administration/raketasks/uploads/sanitize.md) | Remove EXIF data from images uploaded to earlier versions of GitLab. |
| [User management](user_management.md) | Perform user management tasks. | | [User management](user_management.md) | Perform user management tasks. |
| [Webhooks administration](web_hooks.md) | Maintain project Webhooks. | | [Webhooks administration](web_hooks.md) | Maintain project Webhooks. |
| [X509 signatures](x509_signatures.md) | Update x509 commit signatures, useful if certificate store has changed. | | [X.509 signatures](x509_signatures.md) | Update X.509 commit signatures, useful if certificate store has changed. |
# X509 signatures **(CORE ONLY)** # X.509 signatures **(CORE ONLY)**
When [signing commits with x509](../user/project/repository/x509_signed_commits/index.md), When [signing commits with X.509](../user/project/repository/x509_signed_commits/index.md),
the trust anchor might change and the signatures stored within the database must be updated. the trust anchor might change and the signatures stored within the database must be updated.
## Update all x509 signatures ## Update all X.509 signatures
This task loops through all X509 signed commits and updates their verification based on current This task loops through all X.509 signed commits and updates their verification based on current
certificate store. certificate store.
To update all x509 signatures, run: To update all X.509 signatures, run:
**Omnibus Installation** **Omnibus Installation**
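Review bot: The task description "updates their verification based on current certificate store" is missing an article, and the table row above has the same omission in "useful if certificate store has changed". Both lines are already being touched, so suggest "based on the current certificate store" and "useful if the certificate store has changed". "X.509-signed commits" with a hyphen would also read better as a compound modifier.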
......
...@@ -300,7 +300,7 @@ GitLab [isn't limited to the SAML providers listed above](#my-identity-provider- ...@@ -300,7 +300,7 @@ GitLab [isn't limited to the SAML providers listed above](#my-identity-provider-
| SAML Request Binding | HTTP Redirect | GitLab (the service provider) redirects users to your Identity Provider with a base64 encoded `SAMLRequest` HTTP parameter. | | SAML Request Binding | HTTP Redirect | GitLab (the service provider) redirects users to your Identity Provider with a base64 encoded `SAMLRequest` HTTP parameter. |
| SAML Response Binding | HTTP POST | Your Identity Provider responds to users with an HTTP form including the `SAMLResponse`, which a user's browser submits back to GitLab. | | SAML Response Binding | HTTP POST | Your Identity Provider responds to users with an HTTP form including the `SAMLResponse`, which a user's browser submits back to GitLab. |
| Sign SAML Response | Yes | We require this to prevent tampering. | | Sign SAML Response | Yes | We require this to prevent tampering. |
| X509 Certificate in response | Yes | This is used to sign the response and checked against the provided fingerprint. | | X.509 Certificate in response | Yes | This is used to sign the response and checked against the provided fingerprint. |
| Fingerprint Algorithm | SHA-1 | We need a SHA-1 hash of the certificate used to sign the SAML Response. | | Fingerprint Algorithm | SHA-1 | We need a SHA-1 hash of the certificate used to sign the SAML Response. |
| Signature Algorithm | SHA-1/SHA-256/SHA-384/SHA-512 | Also known as the Digest Method, this can be specified in the SAML response. It determines how a response is signed. | | Signature Algorithm | SHA-1/SHA-256/SHA-384/SHA-512 | Also known as the Digest Method, this can be specified in the SAML response. It determines how a response is signed. |
| Encrypt SAML Assertion | No | TLS is used between your Identity Provider, the user's browser, and GitLab. | | Encrypt SAML Assertion | No | TLS is used between your Identity Provider, the user's browser, and GitLab. |
......
...@@ -2,17 +2,17 @@ ...@@ -2,17 +2,17 @@
type: concepts, howto type: concepts, howto
--- ---
# Signing commits with x509 # Signing commits with X.509
[x509](https://en.wikipedia.org/wiki/X.509) is a standard format for public key [X.509](https://en.wikipedia.org/wiki/X.509) is a standard format for public key
certificates issued by a public or private Public Key Infrastructure (PKI). certificates issued by a public or private Public Key Infrastructure (PKI).
Personal x509 certificates are used for authentication or signing purposes Personal X.509 certificates are used for authentication or signing purposes
such as SMIME, but Git also supports signing of commits and tags such as SMIME, but Git also supports signing of commits and tags
with x509 certificates in a similar way as with [GPG](../gpg_signed_commits/index.md). with X.509 certificates in a similar way as with [GPG](../gpg_signed_commits/index.md).
The main difference is the trust anchor which is the PKI for x509 certificates The main difference is the trust anchor which is the PKI for X.509 certificates
instead of a web of trust with GPG. instead of a web of trust with GPG.
## How GitLab handles x509 ## How GitLab handles X.509
GitLab uses its own certificate store and therefore defines the trust chain. GitLab uses its own certificate store and therefore defines the trust chain.
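Review bot: "such as SMIME" in the introduction is left unchanged, but a later hunk in this file writes "an S/MIME key" and links to "S/MIME-capable signing authorities". Since this commit is standardizing terminology, suggest changing it to "S/MIME" here as well. A comma after "trust anchor" in "The main difference is the trust anchor which is the PKI" would also help.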
...@@ -27,7 +27,7 @@ For a commit to be *verified* by GitLab: ...@@ -27,7 +27,7 @@ For a commit to be *verified* by GitLab:
NOTE: **Note:** Certificate revocation lists are checked on a daily basis via background worker. NOTE: **Note:** Certificate revocation lists are checked on a daily basis via background worker.
## Obtaining an x509 key pair ## Obtaining an X.509 key pair
If your organization has Public Key Infrastructure (PKI), that PKI will provide If your organization has Public Key Infrastructure (PKI), that PKI will provide
an S/MIME key. an S/MIME key.
...@@ -37,9 +37,9 @@ own self-signed one, or purchase one. MozillaZine keeps a nice collection ...@@ -37,9 +37,9 @@ own self-signed one, or purchase one. MozillaZine keeps a nice collection
of [S/MIME-capable signing authorities](http://kb.mozillazine.org/Getting_an_SMIME_certificate) of [S/MIME-capable signing authorities](http://kb.mozillazine.org/Getting_an_SMIME_certificate)
and some of them generate keys for free. and some of them generate keys for free.
## Associating your x509 certificate with Git ## Associating your X.509 certificate with Git
To take advantage of X509 signing, you will need Git 2.19.0 or later. You can To take advantage of X.509 signing, you will need Git 2.19.0 or later. You can
check your Git version with: check your Git version with:
```sh ```sh
...@@ -64,7 +64,7 @@ Install [smimesign](https://github.com/github/smimesign) by downloading the ...@@ -64,7 +64,7 @@ Install [smimesign](https://github.com/github/smimesign) by downloading the
installer or via `brew install smimesign` on MacOS. installer or via `brew install smimesign` on MacOS.
Get the ID of your certificate with `smimesign --list-keys` and set your Get the ID of your certificate with `smimesign --list-keys` and set your
signingkey `git config --global user.signingkey ID`, then configure x509: signingkey `git config --global user.signingkey ID`, then configure X.509:
```sh ```sh
git config --global gpg.x509.program smimesign git config --global gpg.x509.program smimesign
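Review bot: The changed sentence "set your signingkey `git config --global user.signingkey ID`, then configure X.509:" runs the command straight into the prose; suggest "set your signing key with `git config --global user.signingkey ID`". The context line above it has "MacOS", which should be "macOS" and could be fixed in the same pass. Leaving `gpg.x509.program` lowercase in the command is correct.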
...@@ -73,7 +73,7 @@ git config --global gpg.format x509 ...@@ -73,7 +73,7 @@ git config --global gpg.format x509
## Signing commits ## Signing commits
After you have [associated your x509 certificate with Git](#associating-your-x509-certificate-with-git) you After you have [associated your X.509 certificate with Git](#associating-your-x509-certificate-with-git) you
can start signing your commits: can start signing your commits:
1. Commit like you used to, the only difference is the addition of the `-S` flag: 1. Commit like you used to, the only difference is the addition of the `-S` flag:
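Review bot: The link in "After you have [associated your X.509 certificate with Git](#associating-your-x509-certificate-with-git)" keeps the fragment `#associating-your-x509-certificate-with-git`, while the target heading was renamed to "Associating your X.509 certificate with Git" earlier in this file. Please confirm that the docs renderer drops the period when it generates heading anchors, so this fragment still resolves. The same check applies to inbound links to the other renamed headings.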
......