12 files changed, 204 insertions, 23 deletions

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 96090c0..a04763d 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -34,3 +34,6 @@ jobs:
 
     - name: Test
       run: make test-coverage
+
+    - name: Test Examples
+      run: go test -timeout 30s -v -run '^TestExamples$' github.com/go-git/go-git/v5/_examples --examples
diff --git a/go.mod b/go.mod
index 7d9da29..de11ca9 100644
--- a/go.mod
+++ b/go.mod
@@ -19,7 +19,7 @@ require (
 	github.com/kevinburke/ssh_config v1.2.0
 	github.com/pjbgf/sha1cd v0.3.0
 	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3
-	github.com/skeema/knownhosts v1.2.2
+	github.com/skeema/knownhosts v1.3.0
 	github.com/stretchr/testify v1.9.0
 	github.com/xanzy/ssh-agent v0.3.3
 	golang.org/x/crypto v0.25.0
diff --git a/go.sum b/go.sum
index bbca9f1..1e54947 100644
--- a/go.sum
+++ b/go.sum
@@ -64,8 +64,8 @@ github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUz
 github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8=
 github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
-github.com/skeema/knownhosts v1.2.2 h1:Iug2P4fLmDw9f41PB6thxUkNUkJzB5i+1/exaj40L3A=
-github.com/skeema/knownhosts v1.2.2/go.mod h1:xYbVRSPxqBZFrdmDyMmsOs+uX1UZC3nTN3ThzgDxUwo=
+github.com/skeema/knownhosts v1.3.0 h1:AM+y0rI04VksttfwjkSTNQorvGqmwATnvnAHpSgc0LY=
+github.com/skeema/knownhosts v1.3.0/go.mod h1:sPINvnADmT/qYH1kfv+ePMmOBTH6Tbl7b5LvTDjFK7M=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
diff --git a/plumbing/format/gitignore/dir.go b/plumbing/format/gitignore/dir.go
index aca5d0d..92df5a3 100644
--- a/plumbing/format/gitignore/dir.go
+++ b/plumbing/format/gitignore/dir.go
@@ -64,6 +64,10 @@ func ReadPatterns(fs billy.Filesystem, path []string) (ps []Pattern, err error)
 
 	for _, fi := range fis {
 		if fi.IsDir() && fi.Name() != gitDir {
+			if NewMatcher(ps).Match(append(path, fi.Name()), true) {
+				continue
+			}
+
 			var subps []Pattern
 			subps, err = ReadPatterns(fs, append(path, fi.Name()))
 			if err != nil {
diff --git a/plumbing/format/gitignore/dir_test.go b/plumbing/format/gitignore/dir_test.go
index 465c571..ba8ad80 100644
--- a/plumbing/format/gitignore/dir_test.go
+++ b/plumbing/format/gitignore/dir_test.go
@@ -44,6 +44,8 @@ func (s *MatcherSuite) SetUpTest(c *C) {
 	c.Assert(err, IsNil)
 	_, err = f.Write([]byte("ignore.crlf\r\n"))
 	c.Assert(err, IsNil)
+	_, err = f.Write([]byte("ignore_dir\n"))
+	c.Assert(err, IsNil)
 	err = f.Close()
 	c.Assert(err, IsNil)
 
@@ -56,6 +58,17 @@ func (s *MatcherSuite) SetUpTest(c *C) {
 	err = f.Close()
 	c.Assert(err, IsNil)
 
+	err = fs.MkdirAll("ignore_dir", os.ModePerm)
+	c.Assert(err, IsNil)
+	f, err = fs.Create("ignore_dir/.gitignore")
+	c.Assert(err, IsNil)
+	_, err = f.Write([]byte("!file\n"))
+	c.Assert(err, IsNil)
+	_, err = fs.Create("ignore_dir/file")
+	c.Assert(err, IsNil)
+	err = f.Close()
+	c.Assert(err, IsNil)
+
 	err = fs.MkdirAll("another", os.ModePerm)
 	c.Assert(err, IsNil)
 	err = fs.MkdirAll("exclude.crlf", os.ModePerm)
@@ -267,12 +280,13 @@ func (s *MatcherSuite) SetUpTest(c *C) {
 
 func (s *MatcherSuite) TestDir_ReadPatterns(c *C) {
 	checkPatterns := func(ps []Pattern) {
-		c.Assert(ps, HasLen, 6)
+		c.Assert(ps, HasLen, 7)
 		m := NewMatcher(ps)
 
 		c.Assert(m.Match([]string{"exclude.crlf"}, true), Equals, true)
 		c.Assert(m.Match([]string{"ignore.crlf"}, true), Equals, true)
 		c.Assert(m.Match([]string{"vendor", "gopkg.in"}, true), Equals, true)
+		c.Assert(m.Match([]string{"ignore_dir", "file"}, false), Equals, true)
 		c.Assert(m.Match([]string{"vendor", "github.com"}, true), Equals, false)
 		c.Assert(m.Match([]string{"multiple", "sub", "ignores", "first", "ignore_dir"}, true), Equals, true)
 		c.Assert(m.Match([]string{"multiple", "sub", "ignores", "second", "ignore_dir"}, true), Equals, true)
diff --git a/plumbing/transport/common.go b/plumbing/transport/common.go
index b05437f..fae1aa9 100644
--- a/plumbing/transport/common.go
+++ b/plumbing/transport/common.go
@@ -19,6 +19,7 @@ import (
 	"fmt"
 	"io"
 	"net/url"
+	"path/filepath"
 	"strconv"
 	"strings"
 
@@ -295,7 +296,11 @@ func parseFile(endpoint string) (*Endpoint, bool) {
 		return nil, false
 	}
 
-	path := endpoint
+	path, err := filepath.Abs(endpoint)
+	if err != nil {
+		return nil, false
+	}
+
 	return &Endpoint{
 		Protocol: "file",
 		Path:     path,
diff --git a/plumbing/transport/common_test.go b/plumbing/transport/common_test.go
index 3efc555..1501f73 100644
--- a/plumbing/transport/common_test.go
+++ b/plumbing/transport/common_test.go
@@ -3,6 +3,9 @@ package transport
 import (
 	"fmt"
 	"net/url"
+	"os"
+	"path/filepath"
+	"runtime"
 	"testing"
 
 	"github.com/go-git/go-git/v5/plumbing/protocol/packp/capability"
@@ -120,6 +123,14 @@ func (s *SuiteCommon) TestNewEndpointSCPLikeWithPort(c *C) {
 }
 
 func (s *SuiteCommon) TestNewEndpointFileAbs(c *C) {
+	var err error
+	abs := "/foo.git"
+
+	if runtime.GOOS == "windows" {
+		abs, err = filepath.Abs(abs)
+		c.Assert(err, IsNil)
+	}
+
 	e, err := NewEndpoint("/foo.git")
 	c.Assert(err, IsNil)
 	c.Assert(e.Protocol, Equals, "file")
@@ -127,11 +138,14 @@ func (s *SuiteCommon) TestNewEndpointFileAbs(c *C) {
 	c.Assert(e.Password, Equals, "")
 	c.Assert(e.Host, Equals, "")
 	c.Assert(e.Port, Equals, 0)
-	c.Assert(e.Path, Equals, "/foo.git")
-	c.Assert(e.String(), Equals, "file:///foo.git")
+	c.Assert(e.Path, Equals, abs)
+	c.Assert(e.String(), Equals, "file://"+abs)
 }
 
 func (s *SuiteCommon) TestNewEndpointFileRel(c *C) {
+	abs, err := filepath.Abs("foo.git")
+	c.Assert(err, IsNil)
+
 	e, err := NewEndpoint("foo.git")
 	c.Assert(err, IsNil)
 	c.Assert(e.Protocol, Equals, "file")
@@ -139,11 +153,20 @@ func (s *SuiteCommon) TestNewEndpointFileRel(c *C) {
 	c.Assert(e.Password, Equals, "")
 	c.Assert(e.Host, Equals, "")
 	c.Assert(e.Port, Equals, 0)
-	c.Assert(e.Path, Equals, "foo.git")
-	c.Assert(e.String(), Equals, "file://foo.git")
+	c.Assert(e.Path, Equals, abs)
+	c.Assert(e.String(), Equals, "file://"+abs)
 }
 
 func (s *SuiteCommon) TestNewEndpointFileWindows(c *C) {
+	abs := "C:\\foo.git"
+
+	if runtime.GOOS != "windows" {
+		cwd, err := os.Getwd()
+		c.Assert(err, IsNil)
+
+		abs = filepath.Join(cwd, "C:\\foo.git")
+	}
+
 	e, err := NewEndpoint("C:\\foo.git")
 	c.Assert(err, IsNil)
 	c.Assert(e.Protocol, Equals, "file")
@@ -151,8 +174,8 @@ func (s *SuiteCommon) TestNewEndpointFileWindows(c *C) {
 	c.Assert(e.Password, Equals, "")
 	c.Assert(e.Host, Equals, "")
 	c.Assert(e.Port, Equals, 0)
-	c.Assert(e.Path, Equals, "C:\\foo.git")
-	c.Assert(e.String(), Equals, "file://C:\\foo.git")
+	c.Assert(e.Path, Equals, abs)
+	c.Assert(e.String(), Equals, "file://"+abs)
 }
 
 func (s *SuiteCommon) TestNewEndpointFileURL(c *C) {
diff --git a/plumbing/transport/ssh/auth_method.go b/plumbing/transport/ssh/auth_method.go
index ac4e358..f9c598e 100644
--- a/plumbing/transport/ssh/auth_method.go
+++ b/plumbing/transport/ssh/auth_method.go
@@ -230,11 +230,11 @@ func (a *PublicKeysCallback) ClientConfig() (*ssh.ClientConfig, error) {
 //	~/.ssh/known_hosts
 //	/etc/ssh/ssh_known_hosts
 func NewKnownHostsCallback(files ...string) (ssh.HostKeyCallback, error) {
-	kh, err := newKnownHosts(files...)
-	return ssh.HostKeyCallback(kh), err
+	db, err := newKnownHostsDb(files...)
+	return db.HostKeyCallback(), err
 }
 
-func newKnownHosts(files ...string) (knownhosts.HostKeyCallback, error) {
+func newKnownHostsDb(files ...string) (*knownhosts.HostKeyDB, error) {
 	var err error
 
 	if len(files) == 0 {
@@ -247,7 +247,7 @@ func newKnownHosts(files ...string) (knownhosts.HostKeyCallback, error) {
 		return nil, err
 	}
 
-	return knownhosts.New(files...)
+	return knownhosts.NewDB(files...)
 }
 
 func getDefaultKnownHostsFiles() ([]string, error) {
@@ -301,11 +301,12 @@ type HostKeyCallbackHelper struct {
 // HostKeyCallback is empty a default callback is created using
 // NewKnownHostsCallback.
 func (m *HostKeyCallbackHelper) SetHostKeyCallback(cfg *ssh.ClientConfig) (*ssh.ClientConfig, error) {
-	var err error
 	if m.HostKeyCallback == nil {
-		if m.HostKeyCallback, err = NewKnownHostsCallback(); err != nil {
+		db, err := newKnownHostsDb()
+		if err != nil {
 			return cfg, err
 		}
+		m.HostKeyCallback = db.HostKeyCallback()
 	}
 
 	cfg.HostKeyCallback = m.HostKeyCallback
diff --git a/plumbing/transport/ssh/auth_method_test.go b/plumbing/transport/ssh/auth_method_test.go
index b275018..e3f652e 100644
--- a/plumbing/transport/ssh/auth_method_test.go
+++ b/plumbing/transport/ssh/auth_method_test.go
@@ -18,7 +18,8 @@ import (
 type (
 	SuiteCommon struct{}
 
-	mockKnownHosts struct{}
+	mockKnownHosts         struct{}
+	mockKnownHostsWithCert struct{}
 )
 
 func (mockKnownHosts) host() string { return "github.com" }
@@ -27,6 +28,19 @@ func (mockKnownHosts) knownHosts() []byte {
 }
 func (mockKnownHosts) Network() string { return "tcp" }
 func (mockKnownHosts) String() string  { return "github.com:22" }
+func (mockKnownHosts) Algorithms() []string {
+	return []string{ssh.KeyAlgoRSA, ssh.KeyAlgoRSASHA256, ssh.KeyAlgoRSASHA512}
+}
+
+func (mockKnownHostsWithCert) host() string { return "github.com" }
+func (mockKnownHostsWithCert) knownHosts() []byte {
+	return []byte(`@cert-authority github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==`)
+}
+func (mockKnownHostsWithCert) Network() string { return "tcp" }
+func (mockKnownHostsWithCert) String() string  { return "github.com:22" }
+func (mockKnownHostsWithCert) Algorithms() []string {
+	return []string{ssh.CertAlgoRSASHA512v01, ssh.CertAlgoRSASHA256v01, ssh.CertAlgoRSAv01}
+}
 
 var _ = Suite(&SuiteCommon{})
 
@@ -230,3 +244,93 @@ func (*SuiteCommon) TestNewKnownHostsCallback(c *C) {
 	err = clb(mock.String(), mock, hostKey)
 	c.Assert(err, IsNil)
 }
+
+func (*SuiteCommon) TestNewKnownHostsDbWithoutCert(c *C) {
+	if runtime.GOOS == "js" {
+		c.Skip("not available in wasm")
+	}
+
+	var mock = mockKnownHosts{}
+
+	f, err := util.TempFile(osfs.Default, "", "known-hosts")
+	c.Assert(err, IsNil)
+
+	_, err = f.Write(mock.knownHosts())
+	c.Assert(err, IsNil)
+
+	err = f.Close()
+	c.Assert(err, IsNil)
+
+	defer util.RemoveAll(osfs.Default, f.Name())
+
+	f, err = osfs.Default.Open(f.Name())
+	c.Assert(err, IsNil)
+
+	defer f.Close()
+
+	db, err := newKnownHostsDb(f.Name())
+	c.Assert(err, IsNil)
+
+	algos := db.HostKeyAlgorithms(mock.String())
+	c.Assert(algos, HasLen, len(mock.Algorithms()))
+
+	contains := func(container []string, value string) bool {
+		for _, inner := range container {
+			if inner == value {
+				return true
+			}
+		}
+		return false
+	}
+
+	for _, algorithm := range mock.Algorithms() {
+		if !contains(algos, algorithm) {
+			c.Error("algos does not contain ", algorithm)
+		}
+	}
+}
+
+func (*SuiteCommon) TestNewKnownHostsDbWithCert(c *C) {
+	if runtime.GOOS == "js" {
+		c.Skip("not available in wasm")
+	}
+
+	var mock = mockKnownHostsWithCert{}
+
+	f, err := util.TempFile(osfs.Default, "", "known-hosts")
+	c.Assert(err, IsNil)
+
+	_, err = f.Write(mock.knownHosts())
+	c.Assert(err, IsNil)
+
+	err = f.Close()
+	c.Assert(err, IsNil)
+
+	defer util.RemoveAll(osfs.Default, f.Name())
+
+	f, err = osfs.Default.Open(f.Name())
+	c.Assert(err, IsNil)
+
+	defer f.Close()
+
+	db, err := newKnownHostsDb(f.Name())
+	c.Assert(err, IsNil)
+
+	algos := db.HostKeyAlgorithms(mock.String())
+	c.Assert(algos, HasLen, len(mock.Algorithms()))
+
+	contains := func(container []string, value string) bool {
+		for _, inner := range container {
+			if inner == value {
+				return true
+			}
+		}
+		return false
+	}
+
+	for _, algorithm := range mock.Algorithms() {
+		if !contains(algos, algorithm) {
+			c.Error("algos does not contain ", algorithm)
+		}
+	}
+}
diff --git a/plumbing/transport/ssh/common.go b/plumbing/transport/ssh/common.go
index 05dea44..a37024f 100644
--- a/plumbing/transport/ssh/common.go
+++ b/plumbing/transport/ssh/common.go
@@ -11,7 +11,6 @@ import (
 
 	"github.com/go-git/go-git/v5/plumbing/transport"
 	"github.com/go-git/go-git/v5/plumbing/transport/internal/common"
-	"github.com/skeema/knownhosts"
 
 	"github.com/kevinburke/ssh_config"
 	"golang.org/x/crypto/ssh"
@@ -127,17 +126,25 @@ func (c *command) connect() error {
 	}
 	hostWithPort := c.getHostWithPort()
 	if config.HostKeyCallback == nil {
-		kh, err := newKnownHosts()
+		db, err := newKnownHostsDb()
 		if err != nil {
 			return err
 		}
-		config.HostKeyCallback = kh.HostKeyCallback()
-		config.HostKeyAlgorithms = kh.HostKeyAlgorithms(hostWithPort)
+
+		config.HostKeyCallback = db.HostKeyCallback()
+		config.HostKeyAlgorithms = db.HostKeyAlgorithms(hostWithPort)
 	} else if len(config.HostKeyAlgorithms) == 0 {
 		// Set the HostKeyAlgorithms based on HostKeyCallback.
 		// For background see https://github.com/go-git/go-git/issues/411 as well as
 		// https://github.com/golang/go/issues/29286 for root cause.
-		config.HostKeyAlgorithms = knownhosts.HostKeyAlgorithms(config.HostKeyCallback, hostWithPort)
+		db, err := newKnownHostsDb()
+		if err != nil {
+			return err
+		}
+
+		// Note that the knownhost database is used, as it provides additional functionality
+		// to handle ssh cert-authorities.
+		config.HostKeyAlgorithms = db.HostKeyAlgorithms(hostWithPort)
 	}
 
 	overrideConfig(c.config, config)
diff --git a/utils/merkletrie/change.go b/utils/merkletrie/change.go
index cc6dc89..450feb4 100644
--- a/utils/merkletrie/change.go
+++ b/utils/merkletrie/change.go
@@ -1,12 +1,17 @@
 package merkletrie
 
 import (
+	"errors"
 	"fmt"
 	"io"
 
 	"github.com/go-git/go-git/v5/utils/merkletrie/noder"
 )
 
+var (
+	ErrEmptyFileName = errors.New("empty filename in tree entry")
+)
+
 // Action values represent the kind of things a Change can represent:
 // insertion, deletions or modifications of files.
 type Action int
@@ -121,6 +126,10 @@ func (l *Changes) AddRecursiveDelete(root noder.Path) error {
 type noderToChangeFn func(noder.Path) Change // NewInsert or NewDelete
 
 func (l *Changes) addRecursive(root noder.Path, ctor noderToChangeFn) error {
+	if root.String() == "" {
+		return ErrEmptyFileName
+	}
+
 	if !root.IsDir() {
 		l.Add(ctor(root))
 		return nil
diff --git a/utils/merkletrie/change_test.go b/utils/merkletrie/change_test.go
index f73eb86..cd28bfe 100644
--- a/utils/merkletrie/change_test.go
+++ b/utils/merkletrie/change_test.go
@@ -28,6 +28,17 @@ func (s *ChangeSuite) TestUnsupportedAction(c *C) {
 	c.Assert(a.String, PanicMatches, "unsupported action.*")
 }
 
+func (s ChangeSuite) TestEmptyChanges(c *C) {
+	ret := merkletrie.NewChanges()
+	p := noder.Path{}
+
+	err := ret.AddRecursiveInsert(p)
+	c.Assert(err, Equals, merkletrie.ErrEmptyFileName)
+
+	err = ret.AddRecursiveDelete(p)
+	c.Assert(err, Equals, merkletrie.ErrEmptyFileName)
+}
+
 func (s ChangeSuite) TestNewInsert(c *C) {
 	tree, err := fsnoder.New("(a(b(z<>)))")
 	c.Assert(err, IsNil)