moby
diff --git a/‎Dockerfile‎
Lines changed: 4 additions & 1 deletion b/‎Dockerfile‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎client/client_test.go‎
Lines changed: 2 additions & 2 deletions b/‎client/client_test.go‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎go.mod‎
Lines changed: 3 additions & 0 deletions b/‎go.mod‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎go.sum‎
Lines changed: 6 additions & 0 deletions b/‎go.sum‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎hack/fixtures/gen_gpg_test_env.sh‎
Lines changed: 75 additions & 0 deletions b/‎hack/fixtures/gen_gpg_test_env.sh‎
Lines changed: 75 additions & 0 deletions
diff --git a/‎hack/fixtures/gen_ssh_test_env.sh‎
Lines changed: 97 additions & 0 deletions b/‎hack/fixtures/gen_ssh_test_env.sh‎
Lines changed: 97 additions & 0 deletions
diff --git a/‎source/git/identifier.go‎
Lines changed: 9 additions & 0 deletions b/‎source/git/identifier.go‎
Lines changed: 9 additions & 0 deletions
@@ -414,7 +414,7 @@ COPY --link --from=binaries / /
 
 FROM buildkit-base AS integration-tests-base
 ENV BUILDKIT_INTEGRATION_ROOTLESS_IDPAIR="1000:1000"
-RUN apk add --no-cache shadow shadow-uidmap sudo vim iptables ip6tables dnsmasq fuse curl git-daemon openssh-client openssl slirp4netns iproute2 \
+RUN apk add --no-cache shadow shadow-uidmap sudo vim iptables ip6tables dnsmasq fuse curl git-daemon openssh-client openssl slirp4netns iproute2 gpg gpg-agent \
   && useradd --create-home --home-dir /home/user --uid 1000 -s /bin/sh user \
   && echo "XDG_RUNTIME_DIR=/run/user/1000; export XDG_RUNTIME_DIR" >> /home/user/.profile \
   && mkdir -m 0700 -p /run/user/1000 \
@@ -435,6 +435,9 @@ ENTRYPOINT ["/docker-entrypoint.sh"]
 ENV BUILDKIT_INTEGRATION_CONTAINERD_EXTRA="containerd-2.0=/opt/containerd-alt-20/bin,containerd-1.7=/opt/containerd-alt-17/bin"
 ENV BUILDKIT_INTEGRATION_SNAPSHOTTER=stargz
 ENV BUILDKIT_SETUP_CGROUPV2_ROOT=1
+ENV BUILDKIT_TEST_SIGN_FIXTURES=/tmp/buildkit_test_sign_fixtures
+RUN --mount=target=/tmp/gen_gpg_test_env.sh,source=hack/fixtures/gen_gpg_test_env.sh sh /tmp/gen_gpg_test_env.sh user1 && sh /tmp/gen_gpg_test_env.sh user2
+RUN --mount=target=/tmp/gen_ssh_test_env.sh,source=hack/fixtures/gen_ssh_test_env.sh sh /tmp/gen_ssh_test_env.sh user1 && sh /tmp/gen_ssh_test_env.sh user2
 ENV CGO_ENABLED=0
 ENV GOTESTSUM_FORMAT=standard-verbose
 COPY --link --from=gotestsum /out /usr/bin/
 
@@ -12164,7 +12164,7 @@ func testGitResolveSourceMetadata(t *testing.T, sb integration.Sandbox) {
 
 		commit, err := commitObj.ToCommit()
 		require.NoError(t, err)
-		require.Equal(t, "msg\n", commit.Message)
+		require.Equal(t, "msg", commit.Message)
 		require.Equal(t, "test", commit.Author.Name)
 		require.Equal(t, "test@example.com", commit.Author.Email)
 		require.Equal(t, "test", commit.Committer.Name)
@@ -12179,7 +12179,7 @@ func testGitResolveSourceMetadata(t *testing.T, sb integration.Sandbox) {
 
 		tag, err := tagObj.ToTag()
 		require.NoError(t, err)
-		require.Equal(t, "v0.1release\n", tag.Message)
+		require.Equal(t, "v0.1release", tag.Message)
 		require.Equal(t, "v0.1", tag.Tag)
 		require.Equal(t, "test", tag.Tagger.Name)
 		require.Equal(t, "test@example.com", tag.Tagger.Email)
 
@@ -8,6 +8,7 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.5.0
 	github.com/Microsoft/go-winio v0.6.2
 	github.com/Microsoft/hcsshim v0.13.0
+	github.com/ProtonMail/go-crypto v1.3.0
 	github.com/agext/levenshtein v1.2.3
 	github.com/armon/circbuf v0.0.0-20190214190532-5111143e8da2
 	github.com/aws/aws-sdk-go-v2 v1.30.3
@@ -43,6 +44,7 @@ require (
 	github.com/hashicorp/go-cleanhttp v0.5.2
 	github.com/hashicorp/go-immutable-radix/v2 v2.1.0
 	github.com/hashicorp/golang-lru/v2 v2.0.7
+	github.com/hiddeco/sshsig v0.2.0
 	github.com/in-toto/in-toto-golang v0.9.0
 	github.com/klauspost/compress v1.18.0
 	github.com/mitchellh/hashstructure/v2 v2.0.2
@@ -131,6 +133,7 @@ require (
 	github.com/aws/smithy-go v1.20.3 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+	github.com/cloudflare/circl v1.6.0 // indirect
 	github.com/containerd/cgroups/v3 v3.0.5 // indirect
 	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/containerd/fifo v1.1.0 // indirect
 
@@ -23,6 +23,8 @@ github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERo
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
 github.com/Microsoft/hcsshim v0.13.0 h1:/BcXOiS6Qi7N9XqUcv27vkIuVOkBEcWstd2pMlWSeaA=
 github.com/Microsoft/hcsshim v0.13.0/go.mod h1:9KWJ/8DgU+QzYGupX4tzMhRQE8h6w90lH6HAaclpEok=
+github.com/ProtonMail/go-crypto v1.3.0 h1:ILq8+Sf5If5DCpHQp4PbZdS1J7HDFRXz/+xKBiRGFrw=
+github.com/ProtonMail/go-crypto v1.3.0/go.mod h1:9whxjD8Rbs29b4XWbB8irEcE8KHMqaR2e7GWU1R+/PE=
 github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo=
 github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
@@ -84,6 +86,8 @@ github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWR
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/cloudflare/circl v1.6.0 h1:cr5JKic4HI+LkINy2lg3W2jF8sHCVTBncJr5gIIq7qk=
+github.com/cloudflare/circl v1.6.0/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb h1:EDmT6Q9Zs+SbUoc7Ik9EfrFqcylYqgPZ9ANSbTAntnE=
 github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb/go.mod h1:ZjrT6AXHbDs86ZSdt/osfBi5qfexBrKUdONk989Wnk4=
@@ -240,6 +244,8 @@ github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/C
 github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
 github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
+github.com/hiddeco/sshsig v0.2.0 h1:gMWllgKCITXdydVkDL+Zro0PU96QI55LwUwebSwNTSw=
+github.com/hiddeco/sshsig v0.2.0/go.mod h1:nJc98aGgiH6Yql2doqH4CTBVHexQA40Q+hMMLHP4EqE=
 github.com/ianlancetaylor/demangle v0.0.0-20210905161508-09a460cdf81d/go.mod h1:aYm2/VgdVmcIU8iMfdMvDMsRAQjcfZSKFby6HOFvi/w=
 github.com/in-toto/in-toto-golang v0.9.0 h1:tHny7ac4KgtsfrG6ybU8gVOZux2H8jN05AXJ9EBM1XU=
 github.com/in-toto/in-toto-golang v0.9.0/go.mod h1:xsBVrVsHNsB61++S6Dy2vWosKhuA3lUTQd+eF9HdeMo=
 
@@ -0,0 +1,75 @@
+#!/usr/bin/env sh
+
+set -e
+
+# require BUILDKIT_TEST_SIGN_FIXTURES to be set
+if [ -z "$BUILDKIT_TEST_SIGN_FIXTURES" ]; then
+  echo "BUILDKIT_TEST_SIGN_FIXTURES is not set"
+  exit 1
+fi
+
+# require username parameter
+if [ -z "$1" ]; then
+  echo "Usage: $0 <username>"
+  echo "Example: $0 user1"
+  exit 1
+fi
+
+USERNAME="$1"
+
+set -x
+
+# make GNUPGHOME global (not per-user), point into sign fixtures
+export GNUPGHOME="$BUILDKIT_TEST_SIGN_FIXTURES/gnupg"
+
+mkdir -p "$GNUPGHOME"
+
+cd "$BUILDKIT_TEST_SIGN_FIXTURES"
+
+cat >"${USERNAME}.gpg.conf" <<'EOF'
+%no-protection
+Key-Type: RSA
+Key-Length: 2048
+Key-Usage: cert
+Name-Real: __NAME_REAL__
+Name-Email: __NAME_EMAIL__
+Expire-Date: 0
+%commit
+EOF
+# replace placeholders in the generated conf
+sed -i'' "s|__NAME_REAL__|${USERNAME} Test User|g" "${USERNAME}.gpg.conf"
+sed -i'' "s|__NAME_EMAIL__|${USERNAME}@example.com|g" "${USERNAME}.gpg.conf"
+
+gpg --batch --no-tty --generate-key --pinentry-mode loopback "${USERNAME}.gpg.conf"
+
+FP="$(gpg --list-keys --with-colons "${USERNAME}@example.com" | awk -F: '/^fpr:/ {print $10; exit}')"
+
+gpg --no-tty --pinentry-mode loopback --passphrase test --quick-add-key "$FP" rsa2048 sign 1y
+
+gpg --list-secret-keys --with-subkey-fingerprint
+
+# create a single global git-gpg wrapper that uses the shared GNUPGHOME
+cat >"${BUILDKIT_TEST_SIGN_FIXTURES}/git_gpg_sign.sh" <<'EOF'
+#!/bin/sh
+if [ -z "$BUILDKIT_TEST_SIGN_FIXTURES" ]; then
+  echo "BUILDKIT_TEST_SIGN_FIXTURES is not set" >&2
+  exit 1
+fi
+export GNUPGHOME="$BUILDKIT_TEST_SIGN_FIXTURES/gnupg"
+exec gpg --batch --pinentry-mode loopback --passphrase test "$@"
+EOF
+chmod +x "${BUILDKIT_TEST_SIGN_FIXTURES}/git_gpg_sign.sh"
+
+# create a user-specific gitconfig that points to the single wrapper and key
+cat >"${BUILDKIT_TEST_SIGN_FIXTURES}/${USERNAME}.gpg.gitconfig" <<EOF
+[gpg]
+    program = ${BUILDKIT_TEST_SIGN_FIXTURES}/git_gpg_sign.sh
+[user]
+    signingkey = $FP
+    email = ${USERNAME}@example.com
+    name = Test Git ${USERNAME}
+[commit]
+    gpgsign = true
+EOF
+
+gpg --armor --export "$FP" >"${USERNAME}.gpg.pub"
@@ -0,0 +1,97 @@
+#!/usr/bin/env sh
+
+set -e
+
+# require BUILDKIT_TEST_SIGN_FIXTURES to be set
+if [ -z "$BUILDKIT_TEST_SIGN_FIXTURES" ]; then
+  echo "BUILDKIT_TEST_SIGN_FIXTURES is not set"
+  exit 1
+fi
+
+# require username parameter
+if [ -z "$1" ]; then
+  echo "Usage: $0 <username>"
+  echo "Example: $0 user1"
+  exit 1
+fi
+
+USERNAME="$1"
+
+set -x
+
+FIXTURES="$BUILDKIT_TEST_SIGN_FIXTURES"
+mkdir -p "$FIXTURES"
+cd "$FIXTURES"
+
+mkdir -p .ssh
+chmod 700 .ssh
+KEY_BASE=".ssh/${USERNAME}.id_ed25519"
+if [ ! -f "$KEY_BASE" ]; then
+  ssh-keygen -t ed25519 -C "${USERNAME}@example.com" -f "$KEY_BASE" -N "" -q
+fi
+
+# read user's public key
+PUBKEY_LINE="$(cat "${KEY_BASE}.pub")"
+if [ -z "$PUBKEY_LINE" ]; then
+  echo "failed to read public key" >&2
+  exit 1
+fi
+
+# create per-user ssh signing wrapper in fixtures root; hardcode username in key path
+cat >"${FIXTURES}/${USERNAME}.git_ssh_sign.sh" <<'EOF'
+#!/bin/sh
+set -eu
+unset SSH_AUTH_SOCK || true
+base="$(cd "$(dirname "$0")" && pwd)"
+
+# Parse args from Git
+buf=""
+out=""
+args=""
+while [ $# -gt 0 ]; do
+    case "$1" in
+        -U)
+            shift
+            buf="$1"
+            out="${buf}.sig"
+            ;;
+        /tmp/.git_signing_key_tmp*)
+            args="$args -f $base/.ssh/__USER__.id_ed25519"
+            ;;
+        *)
+            args="$args $1"
+            ;;
+    esac
+    shift
+done
+
+# Fallback sanity check
+[ -n "$buf" ] || { echo "missing -U buffer" >&2; exit 1; }
+
+# Sign manually without -U
+ssh-keygen -Y sign -f "$base/.ssh/__USER__.id_ed25519" -n git "$buf" >/dev/null
+
+# ssh-keygen wrote "$buf.sig"; rename to what Git expects
+mv "$buf.sig" "$out"
+EOF
+
+# inject username into wrapper
+sed -i "s/__USER__/${USERNAME}/g" "${FIXTURES}/${USERNAME}.git_ssh_sign.sh"
+chmod +x "${FIXTURES}/${USERNAME}.git_ssh_sign.sh"
+
+# per-user gitconfig pointing to per-user wrapper; no username prefix in signingkey
+cat >"${FIXTURES}/${USERNAME}.ssh.gitconfig" <<EOF
+[gpg]
+	format = ssh
+[user]
+	signingkey = ${PUBKEY_LINE}
+	name = Test Git ${USERNAME}
+	email = ${USERNAME}@example.com
+[commit]
+	gpgsign = true
+[gpg "ssh"]
+	program = ${FIXTURES}/${USERNAME}.git_ssh_sign.sh
+EOF
+
+# export user-labeled public key
+cp "${KEY_BASE}.pub" "${USERNAME}.ssh.pub"
@@ -21,6 +21,15 @@ type GitIdentifier struct {
 	MountSSHSock     string
 	KnownSSHHosts    string
 	SkipSubmodules   bool
+
+	VerifySignature *GitSignatureVerifyOptions
+}
+
+type GitSignatureVerifyOptions struct {
+	PubKey            []byte
+	RejectExpiredKeys bool
+	RequireSignedTag  bool // signed tag must be present
+	IgnoreSignedTag   bool // even if signed tag is present, verify signature on commit object
 }
 
 func NewGitIdentifier(remoteURL string) (*GitIdentifier, error) {