From e1bb0e2cb68265458d4540ae566c255263d918a2 Mon Sep 17 00:00:00 2001 From: Billy Lynch Date: Thu, 11 Jan 2024 14:42:52 -0500 Subject: git: worktree_commit, Add crypto.Signer option to CommitOptions. This change adds a new crypto.Signer option to CommitOptions as an alternative to SignKey to allow alternative commit signers to be used. This change byitself does not add other signing methods (e.g. ssh, x509, gitsign), but gives callers the ability to add their own. This roughly follows git's sign_buffer approach where go-git handles the commit message body encoding, and hands off the encoded []byte to the signing implementation for the signature to be returned. Signed-off-by: Billy Lynch --- worktree_commit.go | 53 +++++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 43 insertions(+), 10 deletions(-) (limited to 'worktree_commit.go') diff --git a/worktree_commit.go b/worktree_commit.go index 4d811f3..18002f2 100644 --- a/worktree_commit.go +++ b/worktree_commit.go @@ -2,7 +2,10 @@ package git import ( "bytes" + "crypto" + "crypto/rand" "errors" + "io" "path" "sort" "strings" @@ -14,6 +17,7 @@ import ( "github.com/go-git/go-git/v5/storage" "github.com/ProtonMail/go-crypto/openpgp" + "github.com/ProtonMail/go-crypto/openpgp/packet" "github.com/go-git/go-billy/v5" ) @@ -125,12 +129,17 @@ func (w *Worktree) buildCommitObject(msg string, opts *CommitOptions, tree plumb ParentHashes: opts.Parents, } - if opts.SignKey != nil { - sig, err := w.buildCommitSignature(commit, opts.SignKey) + // Convert SignKey into a Signer if set. Existing Signer should take priority. + signer := opts.Signer + if signer == nil && opts.SignKey != nil { + signer = &gpgSigner{key: opts.SignKey} + } + if signer != nil { + sig, err := w.buildCommitSignature(commit, signer) if err != nil { return plumbing.ZeroHash, err } - commit.PGPSignature = sig + commit.PGPSignature = string(sig) } obj := w.r.Storer.NewEncodedObject() @@ -140,20 +149,44 @@ func (w *Worktree) buildCommitObject(msg string, opts *CommitOptions, tree plumb return w.r.Storer.SetEncodedObject(obj) } -func (w *Worktree) buildCommitSignature(commit *object.Commit, signKey *openpgp.Entity) (string, error) { +type gpgSigner struct { + key *openpgp.Entity +} + +func (s *gpgSigner) Public() crypto.PublicKey { + return s.key.PrimaryKey +} + +func (s *gpgSigner) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) { + var cfg *packet.Config + if opts != nil { + cfg = &packet.Config{ + DefaultHash: opts.HashFunc(), + } + } + + var b bytes.Buffer + if err := openpgp.ArmoredDetachSign(&b, s.key, bytes.NewReader(digest), cfg); err != nil { + return nil, err + } + return b.Bytes(), nil +} + +func (w *Worktree) buildCommitSignature(commit *object.Commit, signer crypto.Signer) ([]byte, error) { encoded := &plumbing.MemoryObject{} if err := commit.Encode(encoded); err != nil { - return "", err + return nil, err } r, err := encoded.Reader() if err != nil { - return "", err + return nil, err } - var b bytes.Buffer - if err := openpgp.ArmoredDetachSign(&b, signKey, r, nil); err != nil { - return "", err + b, err := io.ReadAll(r) + if err != nil { + return nil, err } - return b.String(), nil + + return signer.Sign(rand.Reader, b, nil) } // buildTreeHelper converts a given index.Index file into multiple git objects -- cgit