
Incorrect Rekor ID for tags #88

Closed
wlynch opened this issue Jun 29, 2022 · 0 comments · Fixed by #89

wlynch commented Jun 29, 2022

Description

I think we're computing the wrong rekor ID / SHA value for signed tags. How we're doing this today is we're precomputing the SHA value based on the incoming body and the signature we produce.

For commits the final commit object looks like:

$ git cat-file commit HEAD
tree b333504b8cf3d9c314fed2cc242c5c38e89534a5
parent 2dc0ab59d7f0a7a62423bd181d9e2ab3adb7b56d
author Billy Lynch <billy@chainguard.dev> 1656524971 -0400
committer Billy Lynch <billy@chainguard.dev> 1656524971 -0400
gpgsig -----BEGIN SIGNED MESSAGE-----
 MIIEBwYJKoZIhvcNAQcCoIID+DCCA/QCAQExDTALBglghkgBZQMEAgEwCwYJKoZI
 hvcNAQcBoIICqDCCAqQwggIqoAMCAQICFHtMvZZL50P5bLkgDxwMf2MN4jdAMAoG
 CCqGSM49BAMDMDcxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjEeMBwGA1UEAxMVc2ln
 c3RvcmUtaW50ZXJtZWRpYXRlMB4XDTIyMDYyOTE3NDkzNFoXDTIyMDYyOTE3NTkz
 NFowADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNf9io+JonCZhwe/dSkSoJ/Y
 eRun8C7xhPVF3FhoPnPVWdywaAEIkniA2WSHXLHt5aQN/08bV65haMZA/Luhmhaj
 ggFJMIIBRTAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwHQYD
 VR0OBBYEFGzhjCzFUI0caspJJfD4bToYxfDhMB8GA1UdIwQYMBaAFN/T6c9WJBGW
 +ajY6ShVosYuGGQ/MCIGA1UdEQEB/wQYMBaBFGJpbGx5QGNoYWluZ3VhcmQuZGV2
 MCwGCisGAQQBg78wAQEEHmh0dHBzOi8vZ2l0aHViLmNvbS9sb2dpbi9vYXV0aDCB
 iwYKKwYBBAHWeQIEAgR9BHsAeQB3AAhgkvAoUv9oRdHRayeEnEVnGKwWPcM40m3m
 vCIGNm9yAAABgbCVKBkAAAQDAEgwRgIhAJHJalxdErw5icNqfgWtyrv75XGXxAZz
 F/J4b7B8ikQAAiEAj8g8ZiSIGmePmES19Y/yFeGj6Fz0NGE2Rk5uJdKyAGEwCgYI
 KoZIzj0EAwMDaAAwZQIxAKpQFL9D5s1YVEmNWBoEQ1oo6gBESGhd5L1Kcdq52Ltt
 KWXKKB7tpVRwC0lfof2ILgIwU1LTaKeKWb0vToMY9InoS2+hAVljbEh3oxKm/JoX
 hiRx2GiDe2OyLCs76/kbH6C/MYIBJTCCASECAQEwTzA3MRUwEwYDVQQKEwxzaWdz
 dG9yZS5kZXYxHjAcBgNVBAMTFXNpZ3N0b3JlLWludGVybWVkaWF0ZQIUe0y9lkvn
 Q/lsuSAPHAx/Yw3iN0AwCwYJYIZIAWUDBAIBoGkwGAYJKoZIhvcNAQkDMQsGCSqG
 SIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMjIwNjI5MTc0OTM0WjAvBgkqhkiG9w0B
 CQQxIgQgSbThfvXoc6INDxPzRtlUu0TTBjFLm4XmwuxXAzfsZmkwCgYIKoZIzj0E
 AwIERzBFAiBeNZewVOFI5aa7bPUXa05HDgz5yevQ9aPclDX6U+koTAIhAMbyysil
 7I/UWLzhwM+9iusn3JXy71akUTcrqi2MNPaO
 -----END SIGNED MESSAGE-----

foo

but for tags this looks like:

$ git cat-file tag signed-tag
object 040b9af339e69d18848b7bbe05cb27ee42bb0161
type commit
tag signed-tag
tagger Billy Lynch <billy@chainguard.dev> 1656525095 -0400

Signed tag
-----BEGIN SIGNED MESSAGE-----
[...]
-----END SIGNED MESSAGE-----

Currently we're assuming commits - which means for tags we're unmarshalling incorrect data -

gitsign/internal/git/git.go

Lines 131 to 135 in 7fb3656

func commitHash(data, sig []byte) (string, error) {
	// Precompute commit hash to store in tlog
	obj := &plumbing.MemoryObject{}
	_, _ = obj.Write(data)
	obj.SetType(plumbing.CommitObject)

I think this issue is low impact - we can still verify tags using git verify-tag because we can redo the same operation as was done for signing, and the Rekor IDs should be unique because they contain the cert. This doesn't have the same property as commits in that we can use the tag SHA to look up the Rekor entry.

Version

7fb3656
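The two layouts above differ in both where the signature lives and which object type git hashes, so the same bytes produce different object names. The following Go program is an added example, not gitsign's code: it reimplements git's object naming (`sha1("<type> <size>\0" + body)`) with the standard library instead of go-git's `plumbing.MemoryObject`, embeds a signature the commit way (a `gpgsig` header with space-indented continuation lines) and the tag way (appended after the message), and shows that hashing a signed tag body as a `commit` object yields an ID that does not match the tag's real SHA. The tag body and the signature armor it uses are constructed placeholders, and `EmbedCommitSignature`, `EmbedTagSignature` and `PrecomputeMismatch` are names chosen here, not gitsign functions.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
)

// ObjectType is the git object type written into the "<type> <size>\0"
// header that git hashes in front of the object body.
type ObjectType string

const (
	CommitObject ObjectType = "commit"
	TagObject    ObjectType = "tag"
	BlobObject   ObjectType = "blob"
	TreeObject   ObjectType = "tree"
)

// ObjectID computes the git object name exactly as `git hash-object -t <type>`
// does: SHA-1 over "<type> <len>\0" followed by the body bytes.
func ObjectID(t ObjectType, body []byte) string {
	h := sha1.New()
	fmt.Fprintf(h, "%s %d\x00", t, len(body))
	h.Write(body)
	return hex.EncodeToString(h.Sum(nil))
}

// EmbedCommitSignature stores an armored signature the way git does for
// commits: as a "gpgsig" header inserted before the blank line that ends the
// header block, with every continuation line of the armor indented by a space.
func EmbedCommitSignature(body, sig []byte) []byte {
	headers, message, _ := strings.Cut(string(body), "\n\n")
	lines := strings.Split(strings.TrimRight(string(sig), "\n"), "\n")
	var b strings.Builder
	b.WriteString(headers)
	b.WriteString("\ngpgsig ")
	b.WriteString(strings.Join(lines, "\n "))
	b.WriteString("\n\n")
	b.WriteString(message)
	return []byte(b.String())
}

// EmbedTagSignature stores the signature the way git does for annotated tags:
// appended verbatim after the tag message.
func EmbedTagSignature(body, sig []byte) []byte {
	out := append([]byte{}, body...)
	if len(out) > 0 && out[len(out)-1] != '\n' {
		out = append(out, '\n')
	}
	return append(out, sig...)
}

// PrecomputeMismatch returns the ID obtained by hashing a signed tag as a
// commit object (the bug described in the issue) next to the ID git itself
// assigns to that tag object.
func PrecomputeMismatch(tagBody, sig []byte) (asCommit, asTag string) {
	signed := EmbedTagSignature(tagBody, sig)
	return ObjectID(CommitObject, signed), ObjectID(TagObject, signed)
}

// Constructed sample inputs; the signature armor is a placeholder, not a
// real CMS signature.
var (
	sampleTag = []byte("object 040b9af339e69d18848b7bbe05cb27ee42bb0161\n" +
		"type commit\ntag signed-tag\n" +
		"tagger Example Tagger <tagger@example.invalid> 1656525095 -0400\n\n" +
		"Signed tag\n")
	sampleSig = []byte("-----BEGIN SIGNED MESSAGE-----\n" +
		"PLACEHOLDER\n" +
		"-----END SIGNED MESSAGE-----\n")
)

func main() {
	wrong, right := PrecomputeMismatch(sampleTag, sampleSig)
	fmt.Printf("hashed as commit: %s\n", wrong)
	fmt.Printf("hashed as tag:    %s\n", right)
	fmt.Printf("ids match: %v\n", wrong == right)
}
```

Running the program prints two different IDs; only the `tag`-typed one is what `git cat-file -t`/`git rev-parse signed-tag` would report, so a Rekor entry keyed on the commit-typed value cannot be found from the tag SHA.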

@wlynch wlynch added the bug Something isn't working label Jun 29, 2022
@wlynch wlynch self-assigned this Jun 29, 2022