Versions:

  • 0.2.0-rc1

smimesign is a lightweight S/MIME signing utility released by GitHub, Inc. that integrates directly with Git to provide cryptographic signing of commits and tags using X.509 certificates. Designed for development teams and individual contributors who must meet strict authenticity and compliance requirements, the tool plugs into Git’s built-in gpg.program interface so that standard operations such as git commit -S or git tag -s automatically invoke S/MIME instead of OpenPGP.

By re-using existing enterprise public-key infrastructure, smimesign eliminates the need to generate, distribute, or trust separate GPG keys; any valid client certificate installed in the Windows certificate store or macOS keychain can be referenced by issuer, subject, or thumbprint. The utility outputs CMS (Cryptographic Message Syntax) detached signatures that GitHub, GitLab, Azure DevOps, and other hosts verify and display as “Verified” when the corresponding certificate chains to a trusted root.

Typical use cases include signing release tags in regulated industries, enabling secure software supply-chain workflows, and allowing organizations to enforce code-origin policies without altering developer tooling beyond a one-time Git configuration command.

Version 0.2.0-rc1, currently the only published release, introduces cross-platform support, improved certificate-selection logic, and a streamlined command-line interface for listing eligible certificates and debugging signature validation. Because the executable adheres to the same exit-code conventions as GPG, continuous-integration pipelines can adopt it transparently.

smimesign is available for free on get.nero.com, with downloads provided via trusted Windows package sources (e.g. winget), always delivering the latest version, and supporting batch installation of multiple applications.
