gitrepo: add support for Git tag verification

Add two new Git verification modes:
* `tag`: Verify tag object referred to by `.spec.ref.tag`
* `tagAndHead`: Verify tag object referred to by `.spec.ref.tag` and the
  commit the tag points to.

Change the `Reason` of the `SourceVerified` condition from `Succeeded`
to `VerifiedTag`/`VerifiedCommit`/`VerifiedTagAndCommit` as it reflects
the actual reason behind the condition's status being True.

This helps us to detect when we need to verify a new Git object even if
the object's `.spec.ref` did not change.

Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>

Author: aryan9600

api/v1/condition_types.go

@@ -104,4 +104,13 @@ const (
 
 	// CacheOperationFailedReason signals a failure in cache operation.
 	CacheOperationFailedReason string = "CacheOperationFailed"
+
+	// VerifiedCommitReason signals a success in verifying the commit.
+	VerifiedCommitReason string = "VerifiedCommit"
+
+	// VerifiedTagReason signals a success in verifying the tag.
+	VerifiedTagReason string = "VerifiedTag"
+
+	// VerifiedTagAndCommitReason signals a success in verifying the tag and commit.
+	VerifiedTagAndCommitReason string = "VerifiedTagAndCommit"
 )

api/v1/gitrepository_types.go

@@ -38,6 +38,21 @@ const (
 	IncludeUnavailableCondition string = "IncludeUnavailable"
 )
 
+// GitVerificationMode specifies the verification mode for a Git repository.
+type GitVerificationMode string
+
+const (
+	// ModeHead implies that the HEAD of the Git repository (after it has been
+	// checked out to the required commit) should be verified.
+	ModeHead GitVerificationMode = "head"
+	// ModeTag implies that the tag object specified in the checkout configuration
+	// should be verified.
+	ModeTag GitVerificationMode = "tag"
+	// ModeTagAndHead implies that both the tag object and the commit it points
+	// to should be verified.
+	ModeTagAndHead GitVerificationMode = "tagAndHead"
+)
+
 // GitRepositorySpec specifies the required configuration to produce an
 // Artifact for a Git repository.
 type GitRepositorySpec struct {
@@ -170,9 +185,11 @@ type GitRepositoryRef struct {
 // GitRepositoryVerification specifies the Git commit signature verification
 // strategy.
 type GitRepositoryVerification struct {
-	// Mode specifies what Git object should be verified, currently ('head').
-	// +kubebuilder:validation:Enum=head
-	Mode string `json:"mode"`
+	// Mode specifies which Git object(s) should be verified.
+	// +kubebuilder:validation:Enum=head;tag;tagAndHead
+	// +optional
+	// +kubebuilder:default:=head
+	Mode string `json:"mode,omitempty"`
 
 	// SecretRef specifies the Secret containing the public keys of trusted Git
 	// authors.
@@ -250,6 +267,16 @@ func (in *GitRepository) GetArtifact() *Artifact {
 	return in.Status.Artifact
 }
 
+func (v *GitRepositoryVerification) GetMode() GitVerificationMode {
+	if v.Mode == "tagAndHead" {
+		return ModeTagAndHead
+	}
+	if v.Mode == "tag" {
+		return ModeTag
+	}
+	return ModeHead
+}
+
 // +genclient
 // +genclient:Namespaced
 // +kubebuilder:storageversion

config/crd/bases/source.toolkit.fluxcd.io_gitrepositories.yaml

@@ -166,10 +166,12 @@ spec:
                   Git commit signature(s).
                 properties:
                   mode:
-                    description: Mode specifies what Git object should be verified,
-                      currently ('head').
+                    default: head
+                    description: Mode specifies which Git object(s) should be verified.
                     enum:
                     - head
+                    - tag
+                    - tagAndHead
                     type: string
                   secretRef:
                     description: SecretRef specifies the Secret containing the public
@@ -182,7 +184,6 @@ spec:
                     - name
                     type: object
                 required:
-                - mode
                 - secretRef
                 type: object
             required:

go.mod

@@ -14,6 +14,10 @@ replace github.com/opencontainers/go-digest => github.com/opencontainers/go-dige
 // Check again when oras.land/oras-go is updated, which is a dependency of Helm.
 replace github.com/docker/docker => github.com/docker/docker v23.0.6+incompatible
 
+replace github.com/fluxcd/pkg/git => github.com/fluxcd/pkg/git v0.12.4-0.20230731130338-0830185ed818
+
+replace github.com/fluxcd/pkg/git/gogit => github.com/fluxcd/pkg/git/gogit v0.12.2-0.20230731130338-0830185ed818
+
 require (
 	cloud.google.com/go/storage v1.31.0
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1

go.sum

@@ -391,10 +391,10 @@ github.com/fluxcd/pkg/apis/event v0.5.1 h1:UrEmKwTK/lt42gMZunl8BQBMzjf8PSqGbWDs/
 github.com/fluxcd/pkg/apis/event v0.5.1/go.mod h1:GzBAzS8bq7751wvNkaSnr3kuwFVuWTPL20D77UgSNJQ=
 github.com/fluxcd/pkg/apis/meta v1.1.1 h1:sLAKLbEu7rRzJ+Mytffu3NcpfdbOBTa6hcpOQzFWm+M=
 github.com/fluxcd/pkg/apis/meta v1.1.1/go.mod h1:soCfzjFWbm1mqybDcOywWKTCEYlH3skpoNGTboVk234=
-github.com/fluxcd/pkg/git v0.12.3 h1:1KmRYTdcBKDUutg6NIT4x0BCCMT72PjjXs3AnHjybHY=
-github.com/fluxcd/pkg/git v0.12.3/go.mod h1:ID2sry5OqYbgJxvANc7s6V/YwafnQd7e1AGoDvwztAU=
-github.com/fluxcd/pkg/git/gogit v0.12.1 h1:06jzHOTntYN5xCSQvyFXtLXdqoP8crLh7VYgtXS9+wo=
-github.com/fluxcd/pkg/git/gogit v0.12.1/go.mod h1:Z4Ysp8VifKTvWpjJMKncJsgb2iBqHuIeK80VGjlU41Y=
+github.com/fluxcd/pkg/git v0.12.4-0.20230731130338-0830185ed818 h1:5RiT/G6Lmbg5eRHh4cjTM9t2v/txc5Yx5rs7vDe3dVk=
+github.com/fluxcd/pkg/git v0.12.4-0.20230731130338-0830185ed818/go.mod h1:VBPwN/pjvkqWmGUzou53fAQDT2tRJAUJ45SC7TyW5TI=
+github.com/fluxcd/pkg/git/gogit v0.12.2-0.20230731130338-0830185ed818 h1:G01A3JDlqrh6JzK/5ydFtdIQE7Nkfaw8+WEshMwMLZQ=
+github.com/fluxcd/pkg/git/gogit v0.12.2-0.20230731130338-0830185ed818/go.mod h1:Z4Ysp8VifKTvWpjJMKncJsgb2iBqHuIeK80VGjlU41Y=
 github.com/fluxcd/pkg/gittestserver v0.8.4 h1:rA/QUZnfH77ZZG+5xfMqjgEHJdzeeE6Nn1o8cops/bU=
 github.com/fluxcd/pkg/gittestserver v0.8.4/go.mod h1:i3Vng3Stl5zOuGhN4+RuP2NWf5snJCeGUKA7pzAvcHU=
 github.com/fluxcd/pkg/helmtestserver v0.13.1 h1:SjEk9QaMWMjwnqTXGtfMeorC5H+KDvV2YK87Sr2dFng=

internal/controller/gitrepository_controller.go

@@ -552,8 +552,25 @@ func (r *GitRepositoryReconciler) reconcileSource(ctx context.Context, sp *patch
 	// If it's a partial commit obtained from an existing artifact, check if the
 	// reconciliation can be skipped if other configurations have not changed.
 	if !git.IsConcreteCommit(*commit) {
+		// If we need to verify a Git object that we previously haven't verified, then
+		// we need to do a full reconciliation.
+		var verificationRequired bool
+		sourceVerifiedCondition := conditions.Get(obj, sourcev1.SourceVerifiedCondition)
+		if obj.Spec.Verification != nil {
+			if sourceVerifiedCondition == nil {
+				verificationRequired = true
+			}
+			mode := obj.Spec.Verification.GetMode()
+			if sourceVerifiedCondition.Reason == sourcev1.VerifiedTagReason && (mode == sourcev1.ModeHead || mode == sourcev1.ModeTagAndHead) {
+				verificationRequired = true
+			}
+			if sourceVerifiedCondition.Reason == sourcev1.VerifiedCommitReason && (mode == sourcev1.ModeTag || mode == sourcev1.ModeTagAndHead) {
+				verificationRequired = true
+			}
+		}
+
 		// Check if the content config contributing to the artifact has changed.
-		if !gitContentConfigChanged(obj, includes) {
+		if !gitContentConfigChanged(obj, includes) && !verificationRequired {
 			ge := serror.NewGeneric(
 				fmt.Errorf("no changes since last reconcilation: observed revision '%s'",
 					commitReference(obj, commit)), sourcev1.GitOperationSucceedReason,
@@ -923,8 +940,8 @@ func (r *GitRepositoryReconciler) fetchIncludes(ctx context.Context, obj *source
 	return &artifacts, nil
 }
 
-// verifyCommitSignature verifies the signature of the given Git commit, if a
-// verification mode is specified on the object.
+// verifyCommitSignature verifies the signature of the given Git commit and/or its parent tag
+// depedning on the verification mode specified on the object.
 // If the signature can not be verified or the verification fails, it records
 // v1beta2.SourceVerifiedCondition=False and returns.
 // When successful, it records v1beta2.SourceVerifiedCondition=True.
@@ -957,22 +974,78 @@ func (r *GitRepositoryReconciler) verifyCommitSignature(ctx context.Context, obj
 	for _, v := range secret.Data {
 		keyRings = append(keyRings, string(v))
 	}
-	// Verify commit with GPG data from secret
-	entity, err := commit.Verify(keyRings...)
-	if err != nil {
-		e := serror.NewGeneric(
-			fmt.Errorf("signature verification of commit '%s' failed: %w", commit.Hash.String(), err),
-			"InvalidCommitSignature",
-		)
-		conditions.MarkFalse(obj, sourcev1.SourceVerifiedCondition, e.Reason, e.Err.Error())
-		// Return error in the hope the secret changes
-		return sreconcile.ResultEmpty, e
+
+	// these flags help us later figure out which objects we need to verify
+	var verifyHead bool
+	var verifyTag bool
+	switch obj.Spec.Verification.GetMode() {
+	case sourcev1.ModeHead:
+		verifyHead = true
+	case sourcev1.ModeTag:
+		verifyTag = true
+	case sourcev1.ModeTagAndHead:
+		verifyHead = true
+		verifyTag = true
 	}
 
-	conditions.MarkTrue(obj, sourcev1.SourceVerifiedCondition, meta.SucceededReason,
-		"verified signature of commit '%s' with key '%s'", commit.Hash.String(), entity)
-	r.eventLogf(ctx, obj, eventv1.EventTypeTrace, "VerifiedCommit",
-		"verified signature of commit '%s' with key '%s'", commit.Hash.String(), entity)
+	if verifyTag && obj.Spec.Reference.Tag == "" {
+		err := errors.New("cannot verify tag object's signature if a tag reference is not specified")
+		conditions.MarkStalled(obj, "InvalidVerificationMode", err.Error())
+		return sreconcile.ResultEmpty, err
+	}
+	conditions.Delete(obj, meta.StalledCondition)
+
+	var err error
+	var headEntity string
+	if verifyHead {
+		// Verify commit with GPG data from secret
+		headEntity, err = commit.Verify(keyRings...)
+		if err != nil {
+			e := serror.NewGeneric(
+				fmt.Errorf("signature verification of commit '%s' failed: %w", commit.Hash.String(), err),
+				"InvalidCommitSignature",
+			)
+			conditions.MarkFalse(obj, sourcev1.SourceVerifiedCondition, e.Reason, e.Err.Error())
+			// Return error in the hope the secret changes
+			return sreconcile.ResultEmpty, e
+		}
+	}
+
+	var tag *git.AnnotatedTag
+	var tagEntity string
+	if verifyTag {
+		// Verify tag with GPG data from secret
+		if tag = commit.ReferencingTag; tag != nil {
+			tagEntity, err = tag.Verify(keyRings...)
+			if err != nil {
+				e := serror.NewGeneric(
+					fmt.Errorf("signature verification of tag '%s' failed: %w", tag.String(), err),
+					"InvalidTagSignature",
+				)
+				conditions.MarkFalse(obj, sourcev1.SourceVerifiedCondition, e.Reason, e.Err.Error())
+				// Return error in the hope the secret changes
+				return sreconcile.ResultEmpty, e
+			}
+		}
+	}
+
+	var message string
+	var reason string
+	if verifyHead {
+		message = fmt.Sprintf("verified signature of commit '%s' with key '%s'", commit.Hash.String(), headEntity)
+		reason = sourcev1.VerifiedCommitReason
+	}
+	if verifyTag {
+		if message == "" {
+			message = fmt.Sprintf("verified signature of tag '%s' with key '%s'", tag.String(), tagEntity)
+			reason = sourcev1.VerifiedTagReason
+		} else {
+			message = message + fmt.Sprintf(" and signature of tag '%s' with key '%s'", tag.String(), tagEntity)
+			reason = sourcev1.VerifiedTagAndCommitReason
+		}
+	}
+	conditions.MarkTrue(obj, sourcev1.SourceVerifiedCondition, reason, message)
+	r.eventLogf(ctx, obj, eventv1.EventTypeTrace, reason, message)
 	return sreconcile.ResultSuccess, nil
 }