
Calculate correct SHA for signed Tags. #89

Merged (1 commit, Jun 30, 2022)
Conversation

@wlynch (Member) commented Jun 29, 2022

Summary

Previously we were trying to marshal tags into commit objects, which
go-git was happily doing, but ignoring non-matching fields. This change
tries to detect whether we are signing a commit or tag and encode the
matching type.

Also updates README for more copy/paste instructions for signing tags.

BREAKING CHANGE: Since this is fixing how the tag SHA was meant to be
calculated, this breaks the rekor entry lookup for older versions that
use the incorrect behavior. Those tags will be considered unverified
unless they are resigned by a newer version of gitsign: `git tag -f -s <tag name> <tag name>`

Signed-off-by: Billy Lynch <billy@chainguard.dev>

Ticket Link

Fixes #88

Release Note

BREAKING CHANGE: Fixed Rekor Git SHA generation for tags. 
Since this is fixing how the tag SHA was meant to be
calculated, this breaks the rekor entry lookup for older versions that
use the incorrect behavior. Those tags will be considered unverified
unless they are resigned by a newer version of gitsign: `git tag -f -s <tag name> <tag name>`
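The type mix-up the PR describes comes down to how Git computes an object ID: the SHA-1 covers a header of `<type> <length>\0` followed by the raw body, so the same tag body framed as a `commit` hashes to a different ID than when it is framed as a `tag`, and any lookup keyed on the wrong ID silently misses. The following is an added illustration written for this page, not gitsign's or go-git's code; it assumes the signer is handed the raw object body (as Git passes it to a signing program) and that the Rekor lookup is keyed on the Git object SHA. The sample commit and tag bodies, their OIDs and the author identity are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// ObjectSHA computes a Git object ID the way `git hash-object -t <type>` does:
// SHA-1 over "<type> <byte length>\x00" followed by the raw object body.
// The type is part of the hashed input, so framing a tag as a commit changes the ID.
func ObjectSHA(objType string, body []byte) string {
	h := sha1.New()
	fmt.Fprintf(h, "%s %d\x00", objType, len(body))
	h.Write(body)
	return hex.EncodeToString(h.Sum(nil))
}

// DetectObjectType classifies a raw object body by its first header line.
// Commit bodies begin with "tree <oid>"; annotated tag bodies begin with "object <oid>".
// Anything else is reported as unknown so a caller can refuse rather than guess a type.
func DetectObjectType(body []byte) string {
	first := body
	if i := bytes.IndexByte(body, '\n'); i >= 0 {
		first = body[:i]
	}
	switch {
	case bytes.HasPrefix(first, []byte("tree ")):
		return "commit"
	case bytes.HasPrefix(first, []byte("object ")):
		return "tag"
	default:
		return "unknown"
	}
}

// Constructed sample bodies (hypothetical OIDs and identity, not from any real repository).
// The tree OID below is Git's well-known empty-tree ID; the tag's target OID is a placeholder.
var sampleCommit = []byte("tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n" +
	"author Example Dev <dev@example.com> 1656540000 +0000\n" +
	"committer Example Dev <dev@example.com> 1656540000 +0000\n\n" +
	"initial commit\n")

var sampleTag = []byte("object 1111111111111111111111111111111111111111\n" +
	"type commit\n" +
	"tag v0.1.0\n" +
	"tagger Example Dev <dev@example.com> 1656540000 +0000\n\n" +
	"release v0.1.0\n")

// TagSHAMismatch returns the ID a tag body gets when wrongly framed as a commit
// and the ID it gets when framed as a tag. A transparency-log lookup keyed on the
// first value can never find an entry recorded under the second.
func TagSHAMismatch(tagBody []byte) (wrong, right string) {
	return ObjectSHA("commit", tagBody), ObjectSHA("tag", tagBody)
}

func main() {
	for _, body := range [][]byte{sampleCommit, sampleTag} {
		t := DetectObjectType(body)
		fmt.Printf("%-7s %s\n", t, ObjectSHA(t, body))
	}
	wrong, right := TagSHAMismatch(sampleTag)
	fmt.Println("tag framed as commit:", wrong)
	fmt.Println("tag framed as tag:   ", right)
}
```

Run it and compare the two lines for the tag: the bodies are byte-identical, only the header type differs, which is exactly why tags signed under the old behaviour show as unverified against a lookup that now uses the correct ID. `ObjectSHA("blob", nil)` reproduces Git's empty-blob ID `e69de29bb2d1d6434b8b29ae775ad8c2e48c5391`, a quick sanity check that the framing matches Git's.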

@wlynch wlynch requested a review from imjasonh June 29, 2022 20:13
Previously we were trying to marshal tags into commit objects, which
go-git was happily doing, but ignoring non-matching fields. This change
tries to detect whether we are signing a commit or tag and encode the
matching type.

Also updates README for more copy/paste instructions for signing tags.

BREAKING CHANGE: Since this is fixing how the tag SHA was meant to be
calculated, this breaks the rekor entry lookup for older versions that
use the incorrect behavior. Those tags will be considered unverified
unless they are resigned by a newer version of gitsign: `git tag -f -s <tag name>`

Signed-off-by: Billy Lynch <billy@chainguard.dev>
@wlynch wlynch merged commit ca0cb8d into sigstore:main Jun 30, 2022
Development

Successfully merging this pull request may close these issues: Incorrect Rekor ID for tags