commit: Implement SHA256 support for CommitSignatures

Implement support for the SHA256 object format in the CommitSignatures
RPC.

Changelog: added

2 files changed, 50 insertions, 19 deletions

diff --git a/internal/gitaly/service/commit/commit_signatures.go b/internal/gitaly/service/commit/commit_signatures.go
index 5fa47f17b..4ac24dd90 100644
--- a/internal/gitaly/service/commit/commit_signatures.go
+++ b/internal/gitaly/service/commit/commit_signatures.go
@@ -9,7 +9,6 @@ import (
 
 	"gitlab.com/gitlab-org/gitaly/v16/internal/git"
 	"gitlab.com/gitlab-org/gitaly/v16/internal/git/catfile"
-	"gitlab.com/gitlab-org/gitaly/v16/internal/gitaly/storage"
 	"gitlab.com/gitlab-org/gitaly/v16/internal/signature"
 	"gitlab.com/gitlab-org/gitaly/v16/internal/structerr"
 	"gitlab.com/gitlab-org/gitaly/v16/proto/go/gitalypb"
@@ -17,17 +16,23 @@ import (
 )
 
 func (s *server) GetCommitSignatures(request *gitalypb.GetCommitSignaturesRequest, stream gitalypb.CommitService_GetCommitSignaturesServer) error {
-	if err := validateGetCommitSignaturesRequest(s.locator, request); err != nil {
-		return structerr.NewInvalidArgument("%w", err)
-	}
+	ctx := stream.Context()
 
-	return s.getCommitSignatures(request, stream)
-}
+	if err := s.locator.ValidateRepository(request.GetRepository()); err != nil {
+		return err
+	}
 
-func (s *server) getCommitSignatures(request *gitalypb.GetCommitSignaturesRequest, stream gitalypb.CommitService_GetCommitSignaturesServer) error {
-	ctx := stream.Context()
 	repo := s.localrepo(request.GetRepository())
 
+	objectHash, err := repo.ObjectHash(ctx)
+	if err != nil {
+		return fmt.Errorf("detecting object hash: %w", err)
+	}
+
+	if err := validateGetCommitSignaturesRequest(objectHash, request); err != nil {
+		return structerr.NewInvalidArgument("%w", err)
+	}
+
 	objectReader, cancel, err := s.catfileCache.ObjectReader(ctx, repo)
 	if err != nil {
 		return structerr.NewInternal("%w", err)
@@ -92,7 +97,7 @@ func extractSignature(reader io.Reader) ([]byte, []byte, error) {
 		}
 
 		if !sawSignature && !inSignature {
-			for _, signatureField := range [][]byte{[]byte("gpgsig ")} {
+			for _, signatureField := range [][]byte{[]byte("gpgsig "), []byte("gpgsig-sha256 ")} {
 				if !bytes.HasPrefix(line, signatureField) {
 					continue
 				}
@@ -154,18 +159,14 @@ func sendResponse(
 	return nil
 }
 
-func validateGetCommitSignaturesRequest(locator storage.Locator, request *gitalypb.GetCommitSignaturesRequest) error {
-	if err := locator.ValidateRepository(request.GetRepository()); err != nil {
-		return err
-	}
-
+func validateGetCommitSignaturesRequest(objectHash git.ObjectHash, request *gitalypb.GetCommitSignaturesRequest) error {
 	if len(request.GetCommitIds()) == 0 {
 		return errors.New("empty CommitIds")
 	}
 
 	// Do not support shorthand or invalid commit SHAs
 	for _, commitID := range request.CommitIds {
-		if err := git.ObjectHashSHA1.ValidateHex(commitID); err != nil {
+		if err := objectHash.ValidateHex(commitID); err != nil {
 			return err
 		}
 	}
diff --git a/internal/gitaly/service/commit/commit_signatures_test.go b/internal/gitaly/service/commit/commit_signatures_test.go
index 05305a010..b9d32f8a1 100644
--- a/internal/gitaly/service/commit/commit_signatures_test.go
+++ b/internal/gitaly/service/commit/commit_signatures_test.go
@@ -1,5 +1,3 @@
-//go:build !gitaly_test_sha256
-
 package commit
 
 import (
@@ -254,6 +252,29 @@ func testGetCommitSignatures(t *testing.T, ctx context.Context) {
 			},
 		},
 		{
+			desc: "SHA256-signed commit",
+			setup: func(t *testing.T) setupData {
+				commitID, commitData := createCommitWithSignature(t, cfg, repoPath, "gpgsig-sha256", sshSignature, "sha256-signed commit message")
+
+				return setupData{
+					request: &gitalypb.GetCommitSignaturesRequest{
+						Repository: repoProto,
+						CommitIds: []string{
+							commitID.String(),
+						},
+					},
+					expectedResponses: []*gitalypb.GetCommitSignaturesResponse{
+						{
+							CommitId:   commitID.String(),
+							Signature:  []byte(sshSignature),
+							SignedText: []byte(commitData),
+							Signer:     gitalypb.GetCommitSignaturesResponse_SIGNER_USER,
+						},
+					},
+				}
+			},
+		},
+		{
 			desc: "signed by Gitaly",
 			setup: func(t *testing.T) setupData {
 				repo := localrepo.NewTestRepo(t, cfg, repoProto)
@@ -294,13 +315,22 @@ func testGetCommitSignatures(t *testing.T, ctx context.Context) {
 						[]*gitalypb.GetCommitSignaturesResponse{
 							{
 								CommitId: commitID.String(),
-								Signature: []byte(`-----BEGIN SSH SIGNATURE-----
+								Signature: []byte(gittest.ObjectHashDependent(t, map[string]string{
+									"sha1": `-----BEGIN SSH SIGNATURE-----
 U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgVzKQNpRPvHihfJQJ+Com
 F8BdFuG2wuXh+LjXjbOs8IgAAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3Nz
 aC1lZDI1NTE5AAAAQB6uCeUpvnFGR/cowe1pQyTZiTzKsi1tnez0EO8o2LtrJr+g
 k8fZo+m7jSM0TpefrL0iyHxevrbKslyXw1lJVAM=
 -----END SSH SIGNATURE-----
-`),
+`,
+									"sha256": `-----BEGIN SSH SIGNATURE-----
+U1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgVzKQNpRPvHihfJQJ+Com
+F8BdFuG2wuXh+LjXjbOs8IgAAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3Nz
+aC1lZDI1NTE5AAAAQKgC1TFLVZOqvVs2AqCp2lhkRAUtZsDa89RgHOOsYAC3T1kB
+4lOayj2uzBahoM0gc7REITUyg5MTzfIhcIPfhAQ=
+-----END SSH SIGNATURE-----
+`,
+								})),
 								SignedText: []byte(fmt.Sprintf(
 									"tree %s\nauthor %s\ncommitter %s\n\nmessage",
 									tree.OID,