Keyless Git signing with Sigstore!
This is heavily inspired by https://github.com/github/smimesign, but uses keyless Sigstore to sign Git commits with your own GitHub / OIDC identity.
Using Homebrew:
brew install sigstore/tap/gitsign
Using Go:
go install github.com/sigstore/gitsign@latest
Single Repository:
cd /path/to/my/repository
git config --local commit.gpgsign true # Sign all commits
git config --local tag.gpgsign true # Sign all tags
git config --local gpg.x509.program gitsign # Use gitsign for signing
git config --local gpg.format x509 # gitsign expects x509 args
All respositories:
git config --global commit.gpgsign true # Sign all commits
git config --global tag.gpgsign true # Sign all tags
git config --global gpg.x509.program gitsign # Use gitsign for signing
git config --global gpg.format x509 # gitsign expects x509 args
To learn more about these options, see
git-config
.
Gitsign can be configured with a standard git-config file. For example, to set the Fulcio option for a single repo:
$ git config --local gitsign.fulcio https://fulcio.example.com
The following config options are supported:
Option | Default | Description |
---|---|---|
fulcio | https://fulcio.sigstore.dev | Address of Fulcio server |
logPath | Path to log status output. Helpful for debugging when no TTY is available in the environment. | |
clientID | sigstore | OIDC client ID for application |
issuer | https://oauth2.sigstore.dev/auth | OIDC provider to be used to issue ID token |
matchCommitter | false | If true, verify that the committer matches certificate user identity. See docs/committer-verification.md for more details. |
redirectURL | OIDC Redirect URL | |
rekor | https://rekor.sigstore.dev | Address of Rekor server |
connectorID | Optional Connector ID to auto-select to pre-select auth flow to use. For the public sigstore instance, valid values are: - https://github.com/login/oauth - https://accounts.google.com - https://login.microsoftonline.com |
|
tokenProvider | Optional OIDC token provider to use to fetch tokens. If not set, any available providers are used. valid values are: - interactive - spiffe - google-workload-identity - google-impersonation - github-actions - filesystem - buildkite-agent |
|
timestampServerURL | Address of timestamping authority. If set, a trusted timestamp will be included in the signature. | |
timestampCertChain | Path to PEM encoded certificate chain for RFC3161 Timestamp Authority verification. | |
autoclose | true | If true, autoclose the browser window after autocloseTimeout . In order for autoclose to work you must also set connectorID . |
autocloseTimeout | 6 | If autoclose is true, this is how long to wait until the window is closed. |
Environment Variable | Sigstore Prefix |
Default | Description |
---|---|---|---|
GITSIGN_CREDENTIAL_CACHE | Optional path to gitsign-credential-cache socket. | ||
GITSIGN_CONNECTOR_ID | âś… | Optional Connector ID to auto-select to pre-select auth flow to use. For the public sigstore instance, valid values are: - https://github.com/login/oauth - https://accounts.google.com - https://login.microsoftonline.com |
|
GITSIGN_TOKEN_PROVIDER | âś… | Optional OIDC token provider to use to fetch tokens. If not set, any available providers are used. valid values are: - interactive - spiffe - google-workload-identity - google-impersonation - github-actions - filesystem - buildkite-agent |
|
GITSIGN_FULCIO_URL | âś… | https://fulcio.sigstore.dev | Address of Fulcio server |
GITSIGN_LOG | ❌ | Path to log status output. Helpful for debugging when no TTY is available in the environment. | |
GITSIGN_OIDC_CLIENT_ID | âś… | sigstore | OIDC client ID for application |
GITSIGN_OIDC_ISSUER | âś… | https://oauth2.sigstore.dev/auth | OIDC provider to be used to issue ID token |
GITSIGN_OIDC_REDIRECT_URL | âś… | OIDC Redirect URL | |
GITSIGN_REKOR_URL | âś… | https://rekor.sigstore.dev | Address of Rekor server |
GITSIGN_TIMESTAMP_SERVER_URL | âś… | Address of timestamping authority. If set, a trusted timestamp will be included in the signature. | |
GITSIGN_TIMESTAMP_CERT_CHAIN | âś… | Path to PEM encoded certificate chain for RFC3161 Timestamp Authority verification. | |
GITSIGN_FULCIO_ROOT | âś… | Path to PEM encoded certificate for Fulcio CA (additional alias: SIGSTORE_ROOT_FILE) | |
GITSIGN_REKOR_MODE | ❌ | online | Rekor storage mode to operate in. One of [online, offline] (default: online) online - Commit SHAs are stored in Rekor, requiring online verification for all commit objects. offline - Hashed commit content is stored in Rekor, with Rekor attributes necessary for offline verification being stored in the commit itself. Note: online verification will be deprecated in favor of offline in the future. |
GITSIGN_AUTOCLOSE | ❌ | true | If true, autoclose the browser window after GITSIGN_AUTOCLOSE_TIME . |
GITSIGN_AUTOCLOSE_TIMEOUT | ❌ | 6 | If GITSIGN_AUTOCLOSE is true, this is how long to wait until the window is closed. |
For environment variables that support Sigstore Prefix
, the values may be
provided with either a GITSIGN_
or SIGSTORE_
prefix - e.g.
GITSIGN_CONNECTOR_ID
or SIGSTORE_CONNECTOR_ID
. If both environment variables
are set, GITSIGN_
prefix takes priority.
Environment Variable | Description |
---|---|
SIGSTORE_REKOR_PUBLIC_KEY | This specifies an out of band PEM-encoded public key to use for a custom Rekor. |
Once configured, you can sign commits as usual with git commit -S
(or
git config --global commit.gpgsign true
to enable signing for all commits).
$ git commit --allow-empty --message="Signed commit"
Your browser will now be opened to:
https://oauth2.sigstore.dev/auth/auth?access_type=online&client_id=sigstore&...
[main 040b9af] Signed commit
This will redirect you through the Sigstore Keyless flow to authenticate and sign the commit.
Once configured, you can sign commits as usual with git tag -s
(or
git config --global tag.gpgsign true
to enable signing for all tags).
$ git tag v0.0.1
Your browser will now be opened to:
https://oauth2.sigstore.dev/auth/auth?access_type=online&client_id=sigstore&...
This will redirect you through the Sigstore Keyless flow to authenticate and sign the tag.
Commits can be verified using gitsign verify
:
$ gitsign verify --certificate-identity=billy@chainguard.dev --certificate-oidc-issuer=https://accounts.google.com HEAD
tlog index: 16072348
gitsign: Signature made using certificate ID 0xa6c178d9292f70eb5c4ad9e274ead0158e75e484 | CN=sigstore-intermediate,O=sigstore.dev
gitsign: Good signature from [billy@chainguard.dev](https://accounts.google.com)
Validated Git signature: true
Validated Rekor entry: true
Validated Certificate claims: true
HEAD
may be replaced with any
Git revision (e.g. branch, tag, etc.).
NOTE: gitsign verify
is preferred over
git verify-commit
and
git verify-tag
. The git commands do
not pass through any expected identity information to the signing tools, so they
only verify cryptographic integrity and that the data exists on Rekor, but not
who put the data there.
Using these commands will still work, but a warning being displayed.
$ git verify-commit HEAD
tlog index: 16072349
gitsign: Signature made using certificate ID 0xa6c178d9292f70eb5c4ad9e274ead0158e75e484 | CN=sigstore-intermediate,O=sigstore.dev
gitsign: Good signature from [billy@chainguard.dev](https://accounts.google.com)
Validated Git signature: true
Validated Rekor entry: true
Validated Certificate claims: false
WARNING: git verify-commit does not verify cert claims. Prefer using `gitsign verify` instead.
Gitsign is compatible with other Sigstore tools cosign for running against other Sigstore instances besides the default public instance. See cosign documentation for how to configure and use another instance.
A browser window is needed to get an OAuth token, since gitsign aims to not store refresh tokens or other cryptographic material on disk, but there are some things you can do to make this process a bit easier!
- Set the
connectorID
config option - This preselects the identity provider to use. Assuming you're already signed in, in most cases you'll bounce directly to the auth success screen! (and you can clean up the browser tabs later) - Use the Credential Cache. This uses an in-memory credential cache over a file socket that allows you to persist keys and certificates for their full lifetime (meaning you only need to auth once every 10 minutes).
Why doesn't GitHub show commits as verified?
GitHub doesn't recognize Gitsign signatures as verified at the moment:
- The sigstore CA root is not a part of GitHub's trust root.
- Because Gitsign's ephemeral keys are only valid for a short time, using standard x509 verification would consider the certificate invalid after expiration. Verification needs to include validation via Rekor to verify the cert was valid at the time it was used.
We hope to work with GitHub to get these types of signatures recognized as verified in the future!
If gitsign
is running with unexpected configs, you can validate the config
values that are being ran by running gitsign --version
:
$ gitsign --version
gitsign version v0.5.2
parsed config:
{
"Fulcio": "https://fulcio.sigstore.dev",
"FulcioRoot": "",
"Rekor": "https://rekor.sigstore.dev",
"ClientID": "sigstore",
"RedirectURL": "",
"Issuer": "https://oauth2.sigstore.dev/auth",
"ConnectorID": "",
"TimestampURL": "",
"TimestampCert": "",
"LogPath": ""
}
If there is an error during signing, you may see an error like:
error: gpg failed to sign the data
fatal: failed to write commit object
When Git invokes signing tools, both stdout and stderr are captured which means
gitsign
cannot push back messages to shells interactively. If a TTY is
available, gitsign
will output information to the TTY output directly. If a
TTY is not available (e.g. in CI runners, etc.), you can use the GITSIGN_LOG
environment variable to tee logs into a readable location for debugging.
-
failed to verify detached signature: x509: certificate signed by unknown authority
This usually means the TUF root used to verify the commit is not the same as the root that was used to sign it. This can happen if you use multiple sigstore instances frequently (e.g. if you're a sigstore developer - sigstore staging). You can double check relevant environment variables by running
gitsign --version
.
Gitsign stores data in 2 places:
-
Within the Git commit
The commit itself contains a signed digest of the user commit content (e.g. author, committer, message, parents, etc.) along with the code signing certificate. This data is stored within the commit itself as part of your repository. See Inspecting the Git commit signature for more details.
-
Within the Rekor transparency log
To be able to verify signatures for ephemeral certs past their
Not After
time, Gitsign records commits and the code signing certificates to Rekor.- If
rekorMode = online
(default)
This data is a HashedRekord containing a SHA256 hash of the commit SHA, as well as the code signing certificate. See Verifying the Transparency Log for more details.
- If
rekorMode = offline
Note: offline verification is new, and should be considered experimental for now.
By default, data is written to the public Rekor instance. In particular, users and organizations may be sensitive to the data contained within code signing certificates returned by Fulcio, which may include user emails or repo identifiers. See OIDC usage in Fulcio for more details for what data is contained in the code signing certs, and Deploy a Rekor Server Manually for how to run your own Rekor instance.
- If
Should you discover any security issues, please refer to the security process
Git commit signatures use CMS/PKCS7 signatures. We can inspect the underlying data / certificate used by running:
$ git cat-file commit HEAD | sed -n '/-BEGIN/, /-END/p' | sed 's/^ //g' | sed 's/gpgsig //g' | sed 's/SIGNED MESSAGE/PKCS7/g' | openssl pkcs7 -print -print_certs -text
PKCS7:
type: pkcs7-signedData (1.2.840.113549.1.7.2)
d.sign:
version: 1
md_algs:
algorithm: sha256 (2.16.840.1.101.3.4.2.1)
parameter: <ABSENT>
contents:
type: pkcs7-data (1.2.840.113549.1.7.1)
d.data: <ABSENT>
cert:
cert_info:
version: 2
serialNumber: 0x2ECFB7E0D25F9A741FC3B19B56C4B74D25864788
signature:
algorithm: ecdsa-with-SHA384 (1.2.840.10045.4.3.3)
parameter: <ABSENT>
issuer: O=sigstore.dev, CN=sigstore-intermediate
validity:
notBefore: Jan 13 21:00:13 2023 GMT
notAfter: Jan 13 21:10:13 2023 GMT
subject:
key:
algor:
algorithm: id-ecPublicKey (1.2.840.10045.2.1)
parameter: OBJECT:prime256v1 (1.2.840.10045.3.1.7)
public_key: (0 unused bits)
0000 - 04 0d 3e f5 05 98 53 d2-68 21 9d e7 88 07 ..>...S.h!....
000e - 0a d9 bc 8e 9f e3 00 e0-5d 28 b2 41 24 a7 ........](.A$.
001c - a5 93 28 cc 45 d9 1e ee-a3 1c 8d 42 64 ab ..(.E......Bd.
002a - 14 e6 ec 41 29 77 3a 0e-95 94 33 f7 40 62 ...A)w:...3.@b
0038 - cd 25 fd 17 35 be 4d d4-f9 .%..5.M..
issuerUID: <ABSENT>
subjectUID: <ABSENT>
extensions:
object: X509v3 Key Usage (2.5.29.15)
critical: TRUE
value:
0000 - 03 02 07 80 ....
object: X509v3 Extended Key Usage (2.5.29.37)
critical: BOOL ABSENT
value:
0000 - 30 0a 06 08 2b 06 01 05-05 07 03 03 0...+.......
object: X509v3 Subject Key Identifier (2.5.29.14)
critical: BOOL ABSENT
value:
0000 - 04 14 46 eb 25 b9 3b 3d-87 71 6a eb ba ..F.%.;=.qj..
000d - e4 a4 4b b0 f1 17 4b 46-58 ..K...KFX
object: X509v3 Authority Key Identifier (2.5.29.35)
critical: BOOL ABSENT
value:
0000 - 30 16 80 14 df d3 e9 cf-56 24 11 96 f9 0.......V$...
000d - a8 d8 e9 28 55 a2 c6 2e-18 64 3f ...(U....d?
object: X509v3 Subject Alternative Name (2.5.29.17)
critical: TRUE
value:
0000 - 30 16 81 14 62 69 6c 6c-79 40 63 68 61 0...billy@cha
000d - 69 6e 67 75 61 72 64 2e-64 65 76 inguard.dev
object: undefined (1.3.6.1.4.1.57264.1.1)
critical: BOOL ABSENT
value:
0000 - 68 74 74 70 73 3a 2f 2f-61 63 63 6f 75 https://accou
000d - 6e 74 73 2e 67 6f 6f 67-6c 65 2e 63 6f nts.google.co
001a - 6d m
object: undefined (1.3.6.1.4.1.11129.2.4.2)
critical: BOOL ABSENT
value:
0000 - 04 7b 00 79 00 77 00 dd-3d 30 6a c6 c7 .{.y.w..=0j..
000d - 11 32 63 19 1e 1c 99 67-37 02 a2 4a 5e .2c....g7..J^
001a - b8 de 3c ad ff 87 8a 72-80 2f 29 ee 8e ..<....r./)..
0027 - 00 00 01 85 ac ee dc fa-00 00 04 03 00 .............
0034 - 48 30 46 02 21 00 a1 e2-05 30 53 6f fb H0F.!....0So.
0041 - 05 28 b6 bb 41 77 a9 7c-21 f4 a9 49 8b .(..Aw.|!..I.
004e - f8 a6 1f 35 85 a7 40 b3-07 5c cb 04 02 ...5..@..\...
005b - 21 00 f4 39 7b 17 5a 59-fa 10 1c f8 bf !..9{.ZY.....
0068 - 46 cd bc de cc e8 39 7a-03 d4 1c 78 e5 F.....9z...x.
0075 - b1 e7 7a ba 66 79 f2 c8- ..z.fy..
sig_alg:
algorithm: ecdsa-with-SHA384 (1.2.840.10045.4.3.3)
parameter: <ABSENT>
signature: (0 unused bits)
0000 - 30 65 02 30 5b 7c d7 ea-7c 5f 68 76 0b da 50 0e.0[|..|_hv..P
000f - 14 cc bf 4c 65 07 70 68-52 33 9a 85 57 ce f5 ...Le.phR3..W..
001e - ff 18 5b 8b 08 76 2a dd-7d 1a 19 7f b6 90 be ..[..v*.}......
002d - ad 24 96 9a 2a 0a d6 02-31 00 ac 15 2b 1d 00 .$..*...1...+..
003c - 6e 26 95 66 c9 6d cd 7e-e0 cd 12 0e 60 8b f9 n&.f.m.~....`..
004b - 38 a9 0a dc 01 28 9a 39-e3 cd c9 eb a5 0c 08 8....(.9.......
005a - 71 47 39 c8 dc 9d db c3-cf 8e f5 cd e9 qG9..........
crl:
<EMPTY>
signer_info:
version: 1
issuer_and_serial:
issuer: O=sigstore.dev, CN=sigstore-intermediate
serial: 0x2ECFB7E0D25F9A741FC3B19B56C4B74D25864788
digest_alg:
algorithm: sha256 (2.16.840.1.101.3.4.2.1)
parameter: <ABSENT>
auth_attr:
object: contentType (1.2.840.113549.1.9.3)
value.set:
OBJECT:pkcs7-data (1.2.840.113549.1.7.1)
object: signingTime (1.2.840.113549.1.9.5)
value.set:
UTCTIME:Jan 13 21:00:13 2023 GMT
object: messageDigest (1.2.840.113549.1.9.4)
value.set:
OCTET STRING:
0000 - 21 e9 ce 7a 69 ff 22 57-43 a2 fc c9 12 !..zi."WC....
000d - 8a 67 c6 45 e7 31 88 4c-08 3f 26 9a 13 .g.E.1.L.?&..
001a - ac 85 d6 6d f5 8e ...m..
digest_enc_alg:
algorithm: ecdsa-with-SHA256 (1.2.840.10045.4.3.2)
parameter: <ABSENT>
enc_digest:
0000 - 30 46 02 21 00 cc 5a 1e-9a 27 70 ba 1f 70 7d 0F.!..Z..'p..p}
000f - d6 f0 1c 56 f2 32 b3 d2-8f c4 63 dd 9c 82 cc ...V.2....c....
001e - 69 30 2c cd 9e 90 f9 02-21 00 82 43 0a f7 79 i0,.....!..C..y
002d - 64 41 14 6b 28 03 ac 38-2b a3 82 bd a8 a1 ea dA.k(..8+......
003c - 52 db cf f2 5f d4 84 4f-85 b4 53 53 R..._..O..SS
unauth_attr:
object: undefined (1.3.6.1.4.1.57264.3.8)
value.set:
INTEGER:6954358
object: undefined (1.3.6.1.4.1.57264.3.9)
value.set:
INTEGER:6954357
object: undefined (1.3.6.1.4.1.57264.3.1)
value.set:
INTEGER:1673643613
object: undefined (1.3.6.1.4.1.57264.3.3)
value.set:
INTEGER:11117788
object: undefined (1.3.6.1.4.1.57264.3.2)
value.set:
PRINTABLESTRING:c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d
object: undefined (1.3.6.1.4.1.57264.3.7)
value.set:
PRINTABLESTRING:373443ac6ee5e01d4bfa00666f79d5c7cee0380684ebe571fc98bdffea82f972
object: undefined (1.3.6.1.4.1.57264.3.4)
value.set:
OCTET STRING:
0000 - 30 45 02 20 00 d0 88 ff-91 18 75 1c 90 0E. ......u..
000d - 4c aa f3 37 94 45 a8 ca-1e a4 de 60 10 L..7.E.....`.
001a - 0a 22 69 03 c9 2d d2 0e-1a 9f 02 21 00 ."i..-.....!.
0027 - af cd 78 85 f2 66 5f 22-c5 d3 a2 5c fc ..x..f_"...\.
0034 - e2 c1 fe 0c f2 27 aa f0-fa fd 73 ca 5d .....'....s.]
0041 - 58 98 9c 00 df 5c X....\
object: undefined (1.3.6.1.4.1.57264.3.5)
value.set:
UTF8STRING:rekor.sigstore.dev - 2605736670972794746
6954358
NzRDrG7l4B1L+gBmb3nVx87gOAaE6+Vx/Ji9/+qC+XI=
Timestamp: 1673643613823629328
\U2014 rekor.sigstore.dev wNI9ajBFAiB1IrUY3QV0nXQF0NFuo+1WtTRRYIKhaBI4rUj0Ry3WkwIhAI6D+kvZh+NhJ7Xi4HT0kPVB0nxGjR+cOHFOU1HJbUKF
object: undefined (1.3.6.1.4.1.57264.3.6)
value.set:
SEQUENCE:
0:d=0 hl=4 l= 858 cons: SEQUENCE
4:d=1 hl=2 l= 64 prim: PRINTABLESTRING :be961775858a32f96c8d12fb8db3c3101bb4d8296f37f53f74dc2cb51c22a9ad
70:d=1 hl=2 l= 64 prim: PRINTABLESTRING :92bd4aedddebab9be5678442a28bcfbada3300e04c0726368796a6d8b32fd909
136:d=1 hl=2 l= 64 prim: PRINTABLESTRING :6e5a335c4b2f89e25d5be75ed0a724b154e0f53367bd4888c625d96f4a1e6b79
202:d=1 hl=2 l= 64 prim: PRINTABLESTRING :67bce8699de01f6fc9ac8865ee5b08ee3a6617b57328b59cc342c55a4067652b
268:d=1 hl=2 l= 64 prim: PRINTABLESTRING :f06fad8a06e8b60133ec7847be1586d517728f2da95f6e81ec9d1e4b1bbfc9d1
334:d=1 hl=2 l= 64 prim: PRINTABLESTRING :32f164dcc4d2ff3b095c4f2d2b4beb25223cffd028a53fae3cac98f70e4bbd83
400:d=1 hl=2 l= 64 prim: PRINTABLESTRING :1c3b03f4eff02f6405ef856350ffd03650d5de5271a65f0cee51ffe4fc6a99af
466:d=1 hl=2 l= 64 prim: PRINTABLESTRING :c73ab44c0792697f44a5e237a47fff42f9c4dbf869071ee08e95dec222917f09
532:d=1 hl=2 l= 64 prim: PRINTABLESTRING :e1e7772b7c20874ea1b3bebb2fd4ec5b496bcf45c338495ddbe93ae1fbcabe2c
598:d=1 hl=2 l= 64 prim: PRINTABLESTRING :5da6951fe16688f8a256fc9adf3ccda1806b811e2bc50caab99ee61ded6ef6a3
664:d=1 hl=2 l= 64 prim: PRINTABLESTRING :e7d67f5102ddeda58eda651dcba76876d01955a4eca9fce4caaf9e0ba7521cdd
730:d=1 hl=2 l= 64 prim: PRINTABLESTRING :616429db6c7d20c5b0eff1a6e512ea57a0734b94ae0bc7c914679463e01a7fba
796:d=1 hl=2 l= 64 prim: PRINTABLESTRING :5a4ad1534b1e770f02bfde0de15008a6971cf1ffbfa963fc9c2a644973a8d2d1
-----BEGIN PKCS7-----
MIIJ3gYJKoZIhvcNAQcCoIIJzzCCCcsCAQExDTALBglghkgBZQMEAgEwCwYJKoZI
hvcNAQcBoIICpTCCAqEwggInoAMCAQICFC7Pt+DSX5p0H8Oxm1bEt00lhkeIMAoG
CCqGSM49BAMDMDcxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjEeMBwGA1UEAxMVc2ln
c3RvcmUtaW50ZXJtZWRpYXRlMB4XDTIzMDExMzIxMDAxM1oXDTIzMDExMzIxMTAx
M1owADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABA0+9QWYU9JoIZ3niAcK2byO
n+MA4F0oskEkp6WTKMxF2R7uoxyNQmSrFObsQSl3Og6VlDP3QGLNJf0XNb5N1Pmj
ggFGMIIBQjAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwHQYD
VR0OBBYEFEbrJbk7PYdxauu65KRLsPEXS0ZYMB8GA1UdIwQYMBaAFN/T6c9WJBGW
+ajY6ShVosYuGGQ/MCIGA1UdEQEB/wQYMBaBFGJpbGx5QGNoYWluZ3VhcmQuZGV2
MCkGCisGAQQBg78wAQEEG2h0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbTCBiwYK
KwYBBAHWeQIEAgR9BHsAeQB3AN09MGrGxxEyYxkeHJlnNwKiSl643jyt/4eKcoAv
Ke6OAAABhazu3PoAAAQDAEgwRgIhAKHiBTBTb/sFKLa7QXepfCH0qUmL+KYfNYWn
QLMHXMsEAiEA9Dl7F1pZ+hAc+L9GzbzezOg5egPUHHjlsed6umZ58sgwCgYIKoZI
zj0EAwMDaAAwZQIwW3zX6nxfaHYL2lAUzL9MZQdwaFIzmoVXzvX/GFuLCHYq3X0a
GX+2kL6tJJaaKgrWAjEArBUrHQBuJpVmyW3NfuDNEg5gi/k4qQrcASiaOePNyeul
DAhxRznI3J3bw8+O9c3pMYIG/zCCBvsCAQEwTzA3MRUwEwYDVQQKEwxzaWdzdG9y
ZS5kZXYxHjAcBgNVBAMTFXNpZ3N0b3JlLWludGVybWVkaWF0ZQIULs+34NJfmnQf
w7GbVsS3TSWGR4gwCwYJYIZIAWUDBAIBoGkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3
DQEHATAcBgkqhkiG9w0BCQUxDxcNMjMwMTEzMjEwMDEzWjAvBgkqhkiG9w0BCQQx
IgQgIenOemn/IldDovzJEopnxkXnMYhMCD8mmhOshdZt9Y4wCgYIKoZIzj0EAwIE
SDBGAiEAzFoemidwuh9wfdbwHFbyMrPSj8Rj3ZyCzGkwLM2ekPkCIQCCQwr3eWRB
FGsoA6w4K6OCvaih6lLbz/Jf1IRPhbRTU6GCBdUwEwYKKwYBBAGDvzADCDEFAgNq
HXYwEwYKKwYBBAGDvzADCTEFAgNqHXUwFAYKKwYBBAGDvzADATEGAgRjwcZdMBQG
CisGAQQBg78wAwMxBgIEAKmk3DBQBgorBgEEAYO/MAMCMUITQGMwZDIzZDZhZDQw
Njk3M2Y5NTU5ZjNiYTJkMWNhMDFmODQxNDdkOGZmYzViODQ0NWMyMjRmOThiOTU5
MTgwMWQwUAYKKwYBBAGDvzADBzFCE0AzNzM0NDNhYzZlZTVlMDFkNGJmYTAwNjY2
Zjc5ZDVjN2NlZTAzODA2ODRlYmU1NzFmYzk4YmRmZmVhODJmOTcyMFcGCisGAQQB
g78wAwQxSQRHMEUCIADQiP+RGHUckEyq8zeURajKHqTeYBAKImkDyS3SDhqfAiEA
r814hfJmXyLF06Jc/OLB/gzyJ6rw+v1zyl1YmJwA31wwggEMBgorBgEEAYO/MAMF
MYH9DIH6cmVrb3Iuc2lnc3RvcmUuZGV2IC0gMjYwNTczNjY3MDk3Mjc5NDc0Ngo2
OTU0MzU4Ck56UkRyRzdsNEIxTCtnQm1iM25WeDg3Z09BYUU2K1Z4L0ppOS8rcUMr
WEk9ClRpbWVzdGFtcDogMTY3MzY0MzYxMzgyMzYyOTMyOAoK4oCUIHJla29yLnNp
Z3N0b3JlLmRldiB3Tkk5YWpCRkFpQjFJclVZM1FWMG5YUUYwTkZ1bysxV3RUUlJZ
SUtoYUJJNHJVajBSeTNXa3dJaEFJNkQra3ZaaCtOaEo3WGk0SFQwa1BWQjBueEdq
UitjT0hGT1UxSEpiVUtGCjCCA24GCisGAQQBg78wAwYxggNeMIIDWhNAYmU5NjE3
NzU4NThhMzJmOTZjOGQxMmZiOGRiM2MzMTAxYmI0ZDgyOTZmMzdmNTNmNzRkYzJj
YjUxYzIyYTlhZBNAOTJiZDRhZWRkZGViYWI5YmU1Njc4NDQyYTI4YmNmYmFkYTMz
MDBlMDRjMDcyNjM2ODc5NmE2ZDhiMzJmZDkwORNANmU1YTMzNWM0YjJmODllMjVk
NWJlNzVlZDBhNzI0YjE1NGUwZjUzMzY3YmQ0ODg4YzYyNWQ5NmY0YTFlNmI3ORNA
NjdiY2U4Njk5ZGUwMWY2ZmM5YWM4ODY1ZWU1YjA4ZWUzYTY2MTdiNTczMjhiNTlj
YzM0MmM1NWE0MDY3NjUyYhNAZjA2ZmFkOGEwNmU4YjYwMTMzZWM3ODQ3YmUxNTg2
ZDUxNzcyOGYyZGE5NWY2ZTgxZWM5ZDFlNGIxYmJmYzlkMRNAMzJmMTY0ZGNjNGQy
ZmYzYjA5NWM0ZjJkMmI0YmViMjUyMjNjZmZkMDI4YTUzZmFlM2NhYzk4ZjcwZTRi
YmQ4MxNAMWMzYjAzZjRlZmYwMmY2NDA1ZWY4NTYzNTBmZmQwMzY1MGQ1ZGU1Mjcx
YTY1ZjBjZWU1MWZmZTRmYzZhOTlhZhNAYzczYWI0NGMwNzkyNjk3ZjQ0YTVlMjM3
YTQ3ZmZmNDJmOWM0ZGJmODY5MDcxZWUwOGU5NWRlYzIyMjkxN2YwORNAZTFlNzc3
MmI3YzIwODc0ZWExYjNiZWJiMmZkNGVjNWI0OTZiY2Y0NWMzMzg0OTVkZGJlOTNh
ZTFmYmNhYmUyYxNANWRhNjk1MWZlMTY2ODhmOGEyNTZmYzlhZGYzY2NkYTE4MDZi
ODExZTJiYzUwY2FhYjk5ZWU2MWRlZDZlZjZhMxNAZTdkNjdmNTEwMmRkZWRhNThl
ZGE2NTFkY2JhNzY4NzZkMDE5NTVhNGVjYTlmY2U0Y2FhZjllMGJhNzUyMWNkZBNA
NjE2NDI5ZGI2YzdkMjBjNWIwZWZmMWE2ZTUxMmVhNTdhMDczNGI5NGFlMGJjN2M5
MTQ2Nzk0NjNlMDFhN2ZiYRNANWE0YWQxNTM0YjFlNzcwZjAyYmZkZTBkZTE1MDA4
YTY5NzFjZjFmZmJmYTk2M2ZjOWMyYTY0NDk3M2E4ZDJkMQ==
-----END PKCS7-----