plumbing: object, Align Tag.EncodeWithoutSignature with Commit

pjbgf · pjbgf · commit fe8ed6223a60 · 2026-05-06T15:25:49.000+01:00
Tag verification re-encoded from struct fields, so any non-canonical
bytes the signature was computed over (duplicate headers, mutation-only
fields like Signature/SignatureSHA256, etc.) were lost from the payload
and signatures that were valid in upstream Git failed in go-git.

Mirror the approach already used by Commit: retain a reference to the
source plumbing.EncodedObject on Decode, add matchesSource() so
EncodeWithoutSignature can stream the raw bytes (with the inline
trailing PGP block truncated and gpgsig/gpgsig-sha256 headers stripped)
when the struct still matches the source. Mutating struct fields still
falls back to the struct-encoded payload.

Assisted-by: Claude Opus 4.7 &lt;noreply@anthropic.com&gt;
Signed-off-by: Paulo Gomes &lt;paulo@entire.io&gt;
diff --git a/plumbing/object/commit.go b/plumbing/object/commit.go
@@ -5,7 +5,6 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"io"
 	"slices"
 	"strings"
 
@@ -299,7 +298,7 @@ func (c *Commit) Encode(o plumbing.EncodedObject) error {
 //     representation prevails.
 func (c *Commit) EncodeWithoutSignature(o plumbing.EncodedObject) error {
 	if c.matchesSource() {
-		return stripSignaturesFromRaw(o, c.src)
+		return stripObjectSignatures(o, c.src, plumbing.CommitObject)
 	}
 	return c.encode(o, false)
 }
@@ -338,69 +337,6 @@ func signatureEqual(a, b Signature) bool {
 		a.When.Format("-0700") == b.When.Format("-0700")
 }
 
-// stripSignaturesFromRaw streams src into dst, dropping the canonical commit
-// signature headers ("gpgsig " and "gpgsig-sha256 ") together with their
-// continuation lines (those starting with a space). Everything past the
-// blank line that ends the header block is copied verbatim, as is any other
-// "gpgsig"-prefixed extra header (for example a user-defined "gpgsig-key-id")
-// that does not match one of the canonical signature headers.
-func stripSignaturesFromRaw(dst, src plumbing.EncodedObject) (err error) {
-	dst.SetType(plumbing.CommitObject)
-
-	r, err := src.Reader()
-	if err != nil {
-		return err
-	}
-	defer ioutil.CheckClose(r, &err)
-
-	w, err := dst.Writer()
-	if err != nil {
-		return err
-	}
-	defer ioutil.CheckClose(w, &err)
-
-	br := sync.GetBufioReader(r)
-	defer sync.PutBufioReader(br)
-
-	var inBody, skipping bool
-	for {
-		line, rerr := br.ReadBytes('\n')
-		if rerr != nil && rerr != io.EOF {
-			return rerr
-		}
-
-		write := true
-		if !inBody {
-			switch {
-			case skipping && len(line) > 0 && line[0] == ' ':
-				write = false
-			case isSignatureHeader(line):
-				skipping = true
-				write = false
-			case len(line) == 1 && line[0] == '\n':
-				skipping = false
-				inBody = true
-			default:
-				skipping = false
-			}
-		}
-
-		if write && len(line) > 0 {
-			if _, werr := w.Write(line); werr != nil {
-				return werr
-			}
-		}
-		if rerr == io.EOF {
-			return nil
-		}
-	}
-}
-
-func isSignatureHeader(line []byte) bool {
-	return bytes.HasPrefix(line, []byte(headerpgp+" ")) ||
-		bytes.HasPrefix(line, []byte(headerpgp256+" "))
-}
-
 func isStandardHeader(key string) bool {
 	switch key {
 	case "tree", "parent", "author", "committer",
diff --git a/plumbing/object/signature.go b/plumbing/object/signature.go
@@ -1,6 +1,13 @@
 package object
 
-import "bytes"
+import (
+	"bytes"
+	"io"
+
+	"github.com/go-git/go-git/v5/plumbing"
+	"github.com/go-git/go-git/v5/utils/ioutil"
+	"github.com/go-git/go-git/v5/utils/sync"
+)
 
 const (
 	signatureTypeUnknown signatureType = iota
@@ -100,3 +107,95 @@ func parseSignedBytes(b []byte) (int, signatureType) {
 	}
 	return match, t
 }
+
+// isSignatureHeader reports whether line is a canonical "gpgsig "/
+// "gpgsig-sha256 " header line. Other "gpgsig"-prefixed extra headers
+// are intentionally not matched.
+func isSignatureHeader(line []byte) bool {
+	return bytes.HasPrefix(line, []byte(headerpgp+" ")) ||
+		bytes.HasPrefix(line, []byte(headerpgp256+" "))
+}
+
+// stripObjectSignatures streams src into dst, producing the byte sequence
+// over which a PGP/GPG signature is computed:
+//
+//   - Canonical "gpgsig" and "gpgsig-sha256" headers (and their
+//     continuation lines) are dropped, mirroring upstream's
+//     remove_signature in commit.c.
+//   - For tag objects, the inline trailing PGP signature is additionally
+//     truncated, mirroring upstream's parse_signature in gpg-interface.c
+//     used by gpg_verify_tag.
+//
+// The returned object's type is set to objType. Used by both
+// Commit.EncodeWithoutSignature and Tag.EncodeWithoutSignature to
+// reproduce the exact bytes the signature was computed over.
+func stripObjectSignatures(dst, src plumbing.EncodedObject, objType plumbing.ObjectType) (err error) {
+	dst.SetType(objType)
+
+	r, err := src.Reader()
+	if err != nil {
+		return err
+	}
+	defer ioutil.CheckClose(r, &err)
+
+	var input io.Reader = r
+	if objType == plumbing.TagObject {
+		raw, err := io.ReadAll(r)
+		if err != nil {
+			return err
+		}
+		if sm, _ := parseSignedBytes(raw); sm >= 0 {
+			raw = raw[:sm]
+		}
+		input = bytes.NewReader(raw)
+	}
+
+	w, err := dst.Writer()
+	if err != nil {
+		return err
+	}
+	defer ioutil.CheckClose(w, &err)
+
+	return stripHeaderSignatures(w, input)
+}
+
+// stripHeaderSignatures copies r to w, dropping canonical signature header
+// lines (gpgsig and gpgsig-sha256) and their continuation lines. Lines
+// past the blank line that closes the header block are copied verbatim.
+func stripHeaderSignatures(w io.Writer, r io.Reader) error {
+	br := sync.GetBufioReader(r)
+	defer sync.PutBufioReader(br)
+
+	var inBody, skipping bool
+	for {
+		line, rerr := br.ReadBytes('\n')
+		if rerr != nil && rerr != io.EOF {
+			return rerr
+		}
+
+		write := true
+		if !inBody {
+			switch {
+			case skipping && len(line) > 0 && line[0] == ' ':
+				write = false
+			case isSignatureHeader(line):
+				skipping = true
+				write = false
+			case len(line) == 1 && line[0] == '\n':
+				skipping = false
+				inBody = true
+			default:
+				skipping = false
+			}
+		}
+
+		if write && len(line) > 0 {
+			if _, werr := w.Write(line); werr != nil {
+				return werr
+			}
+		}
+		if rerr == io.EOF {
+			return nil
+		}
+	}
+}
diff --git a/plumbing/object/tag.go b/plumbing/object/tag.go
@@ -39,6 +39,9 @@ type Tag struct {
 	Target plumbing.Hash
 
 	s storer.EncodedObjectStorer
+	// src holds the encoded object this Tag was decoded from, used by
+	// EncodeWithoutSignature to recover the canonical signed bytes.
+	src plumbing.EncodedObject
 }
 
 // GetTag gets a tag from an object storer and decodes it.
@@ -84,6 +87,7 @@ func (t *Tag) Decode(o plumbing.EncodedObject) (err error) {
 	}
 
 	t.Hash = o.Hash()
+	t.src = o
 
 	reader, err := o.Reader()
 	if err != nil {
@@ -162,11 +166,54 @@ func (t *Tag) Encode(o plumbing.EncodedObject) error {
 	return t.encode(o, true)
 }
 
-// EncodeWithoutSignature export a Tag into a plumbing.EncodedObject without the signature (correspond to the payload of the PGP signature).
+// EncodeWithoutSignature exports a Tag into a plumbing.EncodedObject without
+// any signature data, producing the payload that PGP/GPG signatures are
+// computed over.
+//
+// Behaviour mirrors Commit.EncodeWithoutSignature:
+//
+//   - For Tags populated by Decode whose exported fields still match the
+//     source object, the payload is streamed from the raw source bytes with
+//     the inline trailing signature truncated and gpgsig/gpgsig-sha256
+//     headers (and their continuation lines) stripped verbatim. This
+//     preserves the exact bytes the signature was computed over, regardless
+//     of any normalization performed by Decode.
+//
+//   - For Tags constructed in memory, or for decoded Tags whose exported
+//     fields have been mutated, the payload is derived from the current
+//     struct fields. Mutation is detected by re-decoding the source object
+//     and comparing exported fields; if any differ, the in-memory
+//     representation prevails.
 func (t *Tag) EncodeWithoutSignature(o plumbing.EncodedObject) error {
+	if t.matchesSource() {
+		return stripObjectSignatures(o, t.src, plumbing.TagObject)
+	}
 	return t.encode(o, false)
 }
 
+// matchesSource reports whether t.src is set and re-decoding it produces a
+// Tag whose payload-affecting exported fields are identical to those of t.
+//
+// PGPSignature is intentionally excluded from the comparison: neither path
+// emits it as part of the verification payload, so mutating it must not
+// trigger a switch to struct-encode (which would change the byte layout the
+// caller is trying to verify against).
+func (t *Tag) matchesSource() bool {
+	if t.src == nil {
+		return false
+	}
+	fresh := &Tag{}
+	if err := fresh.Decode(t.src); err != nil {
+		return false
+	}
+	return t.Hash == fresh.Hash &&
+		t.Name == fresh.Name &&
+		signatureEqual(t.Tagger, fresh.Tagger) &&
+		t.Message == fresh.Message &&
+		t.TargetType == fresh.TargetType &&
+		t.Target == fresh.Target
+}
+
 func (t *Tag) encode(o plumbing.EncodedObject, includeSig bool) (err error) {
 	o.SetType(plumbing.TagObject)
 	w, err := o.Writer()
diff --git a/plumbing/object/tag_test.go b/plumbing/object/tag_test.go
