Calculate correct SHA for signed Tags. #89
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Previously we were trying to marshal tags into commit objects, which go-git was happily doing, but ignoring non-matching fields. This change tries to detect whether we are signing a commit or tag and encode the matching type. Also updates README for more copy/paste instructions for signing tags. BREAKING CHANGE: Since this is fixing how the tag SHA was meant to be calculated, this breaks the rekor entry lookup for older versions that use the incorrect behavior. Those tags will be considered unverified unless they are resigned by a newer version of gitsign: `git tag -f -s <tag name>` Signed-off-by: Billy Lynch <billy@chainguard.dev>
imjasonh
approved these changes
Jun 30, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Summary
Previously we were trying to marshal tags into commit objects, which
go-git was happily doing, but ignoring non-matching fields. This change
tries to detect whether we are signing a commit or tag and encode the
matching type.
Also updates README for more copy/paste instructions for signing tags.
BREAKING CHANGE: Since this is fixing how the tag SHA was meant to be
calculated, this breaks the rekor entry lookup for older versions that
use the incorrect behavior. Those tags will be considered unverified
unless they are resigned by a newer version of gitsign:
git tag -f -s <tag name> <tag name>Signed-off-by: Billy Lynch billy@chainguard.dev
Ticket Link
Fixes #88
Release Note