
Feature: Expose mTLS configuration for a git client #3428

@t00

Description


Related to

Web-Backend (APIs)

Impact

security improvements

Missing Feature

We are evaluating Semaphore to run cloud infrastructure tasks. Our git repository is protected by an mTLS certificate, and from what I could find, Semaphore does include go-git with mTLS support, but it is not used.

Is such support planned in the near future? Or maybe there is a workaround?

Implementation

An example usage for git.PlainClone:

	package main

	import (
		"os"

		git "github.com/go-git/go-git/v5"
	)

	func mustRead(path string) []byte { // PEM files are small: read the whole file or abort
		b, err := os.ReadFile(path)
		if err != nil {
			panic(err)
		}
		return b
	}

	func main() {
		clientCertPEM := mustRead("/secrets/client.crt")  // PEM cert
		clientKeyPEM := mustRead("/secrets/client.key")   // PEM private key
		caBundlePEM := mustRead("/secrets/ca-bundle.crt") // optional CA bundle
		_, err := git.PlainClone("/tmp/repo", false, &git.CloneOptions{
			URL:        "https://git.example.com/your/repo.git",
			Progress:   os.Stdout,
			ClientCert: clientCertPEM,
			ClientKey:  clientKeyPEM,
			CABundle:   caBundlePEM, // omit or nil if you want system CAs only
			// InsecureSkipTLS: true, // only for testing (not recommended)
			// If you need auth tokens too, you can still set Auth: ...
		})
		if err != nil {
			panic(err)
		}
	}

Configuration of the official git client:

sudo cp ca.crt /usr/local/share/ca-certificates/git.example.com.crt
sudo update-ca-certificates
git config --global http.https://git.example.com/.sslCert ~/.ssh/git.example.com.crt
git config --global http.https://git.example.com/.sslKey ~/.ssh/git.example.com.key

Generate local CA cert and mTLS certificate for testing:

#!/usr/bin/env bash
set -euo pipefail

# === CONFIGURATION ===
CLIENT_NAME="git.example.com"
CA_NAME="ca"
CA_SUBJECT="/C=UK/ST=London/L=London/O=Example dot com/CN=ExampleComRootCA"
VALIDITY_DAYS=3650
SUBJECT="/C=UK/ST=London/L=London/O=Example dot com/OU=Development/CN=Example.com Developer/[email protected]"
EC_CURVE="prime256v1"

# === 1. Generate CA EC Key and Self-Signed Cert ===
openssl ecparam -name "$EC_CURVE" -genkey -noout -out "$CA_NAME.key"
openssl req -x509 -new -key "$CA_NAME.key" -sha256 -days "$VALIDITY_DAYS" -out "$CA_NAME.crt" \
    -subj "$CA_SUBJECT"

# === 2. Generate Client EC Key and CSR ===
openssl ecparam -name "$EC_CURVE" -genkey -noout -out "$CLIENT_NAME.key"
openssl req -new -key "$CLIENT_NAME.key" -out "$CLIENT_NAME.csr" -subj "$SUBJECT"

# === 3. Sign the CSR with the EC CA ===
openssl x509 -req -in "$CLIENT_NAME.csr" -CA "$CA_NAME.crt" -CAkey "$CA_NAME.key" -CAcreateserial \
    -out "$CLIENT_NAME.crt" -days "$VALIDITY_DAYS" -sha256

Design

No response
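The following is an added, self-contained example; it is not code from the issue author, from Semaphore or from go-git. It builds in memory the same kind of PKI the openssl script above produces (a P-256 root CA, a server certificate, and a client certificate carrying the clientAuth extended key usage), starts an HTTPS server that requires a client certificate, and connects with the client bundle using the standard-library pieces that go-git's CABundle, ClientCert and ClientKey options configure: RootCAs built from the CA bundle plus a client certificate for the handshake. Before dialing it runs the pre-flight checks worth doing on any PEM bundle destined for git or go-git: the key matches the certificate, the certificate chains to the CA, is inside its validity period, and is usable for client authentication. The names Bundle, issue, Serve, Probe and Demo, the repository path, and the use of a single CA for both the server and the client certificate are assumptions of this example; in real deployments the server's CA and the CA that issues client certificates are often different, which is exactly why the CA bundle is a separate input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// Bundle is the PEM material the go-git snippet above reads from /secrets.
type Bundle struct{ CA, Cert, Key []byte }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a P-256 key and certificate: a self-signed CA when parent is nil, otherwise a leaf
// signed by parent with the given EKU. It stands in for the openssl steps (assumed helper).
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, eku ...x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey, []byte, []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: eku, IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}, // httptest listens on 127.0.0.1
	}
	signer := parentKey
	if parent == nil { // self-signed root: allowed to sign other certificates
		t.KeyUsage |= x509.KeyUsageCertSign
		parent, signer = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key,
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: must(x509.MarshalECPrivateKey(key))})
}

// Serve runs an HTTPS server that, like an mTLS-protected git host, completes the
// handshake only for clients presenting a certificate chained to ca.
func Serve(ca *x509.Certificate, cert tls.Certificate) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "authenticated as %s\n", r.TLS.PeerCertificates[0].Subject.CommonName) // set by the verified handshake
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	srv.StartTLS()
	return srv
}

// Probe is the client side: pre-flight the bundle (key matches cert; cert chains to the CA and is
// valid for clientAuth), then dial with RootCAs from the bundle plus the client certificate, which
// is what the go-git options configure. An empty Cert models a client with no mTLS at all.
func Probe(baseURL string, b Bundle) (int, error) {
	cfg := &tls.Config{RootCAs: x509.NewCertPool()}
	cfg.RootCAs.AppendCertsFromPEM(b.CA)
	if len(b.Cert) > 0 {
		pair, err := tls.X509KeyPair(b.Cert, b.Key) // rejects bad PEM or a key that does not match the cert
		if err != nil {
			return 0, fmt.Errorf("client cert/key: %w", err)
		}
		leaf := must(x509.ParseCertificate(pair.Certificate[0]))
		if _, err := leaf.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
			return 0, fmt.Errorf("client cert rejected: %w", err)
		}
		cfg.Certificates = []tls.Certificate{pair}
	}
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := c.Get(baseURL + "/your/repo.git/info/refs?service=git-upload-pack")
	if err != nil {
		return 0, err // with no client cert this is a TLS alert such as "certificate required"
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// Demo mints CA, server and client certs, then probes with the good bundle, with a key
// that belongs to a different certificate, and with no client certificate at all.
func Demo() (status int, good, wrongKey, noCert error) {
	ca, caKey, caPEM, _ := issue("ExampleComRootCA", nil, nil)
	_, _, srvPEM, srvKeyPEM := issue("git.example.com", ca, caKey, x509.ExtKeyUsageServerAuth)
	_, _, cliPEM, cliKeyPEM := issue("Example.com Developer", ca, caKey, x509.ExtKeyUsageClientAuth)
	srv := Serve(ca, must(tls.X509KeyPair(srvPEM, srvKeyPEM)))
	defer srv.Close()
	status, good = Probe(srv.URL, Bundle{CA: caPEM, Cert: cliPEM, Key: cliKeyPEM})
	_, wrongKey = Probe(srv.URL, Bundle{CA: caPEM, Cert: cliPEM, Key: srvKeyPEM})
	_, noCert = Probe(srv.URL, Bundle{CA: caPEM})
	return
}

func main() { fmt.Println(Demo()) }
```

Run with `go run .` (Go 1.18 or later for the generic helper): the good bundle yields HTTP 200, the mismatched key fails in tls.X509KeyPair before any network traffic, and the client without a certificate is refused by the server during the handshake. The same leaf.Verify pre-flight also catches a client certificate whose extendedKeyUsage excludes clientAuth, which the openssl script above does not guard against, and a CA bundle that does not actually contain the issuer; both surface as a clear local error rather than an opaque handshake alert from the git server.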
