plumbing: object/tag, add signature verification

1 files changed, 29 insertions, 0 deletions

diff --git a/plumbing/object/tag.go b/plumbing/object/tag.go
index 6295205..9b4250f 100644
--- a/plumbing/object/tag.go
+++ b/plumbing/object/tag.go
@@ -8,6 +8,8 @@ import (
 	stdioutil "io/ioutil"
 	"strings"
 
+	"golang.org/x/crypto/openpgp"
+
 	"gopkg.in/src-d/go-git.v4/plumbing"
 	"gopkg.in/src-d/go-git.v4/plumbing/storer"
 	"gopkg.in/src-d/go-git.v4/utils/ioutil"
@@ -267,6 +269,33 @@ func (t *Tag) String() string {
 	)
 }
 
+// Verify performs PGP verification of the tag with a provided armored
+// keyring and returns openpgp.Entity associated with verifying key on success.
+func (t *Tag) Verify(armoredKeyRing string) (*openpgp.Entity, error) {
+	keyRingReader := strings.NewReader(armoredKeyRing)
+	keyring, err := openpgp.ReadArmoredKeyRing(keyRingReader)
+	if err != nil {
+		return nil, err
+	}
+
+	// Extract signature.
+	signature := strings.NewReader(t.PGPSignature)
+
+	// Remove signature. Keep only the tag components.
+	t.PGPSignature = ""
+
+	encoded := &plumbing.MemoryObject{}
+	if err := t.Encode(encoded); err != nil {
+		return nil, err
+	}
+	er, err := encoded.Reader()
+	if err != nil {
+		return nil, err
+	}
+
+	return openpgp.CheckArmoredDetachedSignature(keyring, er, signature)
+}
+
 // TagIter provides an iterator for a set of tags.
 type TagIter struct {
 	storer.EncodedObjectIter