Add tests for the tag attestations

Adds tests for the new tag attestation.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@carabiner.dev>

Author: puerco

pkg/attest/statement_test.go

@@ -29,7 +29,9 @@ import (
 	"google.golang.org/protobuf/testing/protocmp"
 )
 
-func TestCommitStatement(t *testing.T) {
+// newTestRepo creates an in-memory repo with the given remote configuration.
+func newTestRepo(t *testing.T, remoteURL string) (*git.Repository, *memory.Storage) {
+	t.Helper()
 	storage := memory.NewStorage()
 	repo := &git.Repository{
 		Storer: storage,
@@ -38,12 +40,36 @@ func TestCommitStatement(t *testing.T) {
 		Remotes: map[string]*config.RemoteConfig{
 			"origin": {
 				Name: "origin",
-				URLs: []string{"git@github.com:wlynch/gitsign.git"},
+				URLs: []string{remoteURL},
 			},
 		},
 	}); err != nil {
 		t.Fatalf("error setting git config: %v", err)
 	}
+	return repo, storage
+}
+
+// storeObject writes raw object bytes into the storage and returns the hash.
+func storeObject(t *testing.T, storage *memory.Storage, objType plumbing.ObjectType, raw []byte) plumbing.Hash {
+	t.Helper()
+	obj := storage.NewEncodedObject()
+	obj.SetType(objType)
+	w, err := obj.Writer()
+	if err != nil {
+		t.Fatalf("error getting git object writer: %v", err)
+	}
+	if _, err = w.Write(raw); err != nil {
+		t.Fatalf("error writing git object: %v", err)
+	}
+	h, err := storage.SetEncodedObject(obj)
+	if err != nil {
+		t.Fatalf("error storing git object: %v", err)
+	}
+	return h
+}
+
+func TestCommitStatement(t *testing.T) {
+	repo, storage := newTestRepo(t, "git@github.com:wlynch/gitsign.git")
 
 	// Expect files in testdata directory:
 	//  foo.in.txt -> foo.out.json
@@ -58,24 +84,53 @@ func TestCommitStatement(t *testing.T) {
 			if err != nil {
 				t.Fatalf("error reading input: %v", err)
 			}
-			obj := storage.NewEncodedObject()
-			obj.SetType(plumbing.CommitObject)
-			w, err := obj.Writer()
+			h := storeObject(t, storage, plumbing.CommitObject, raw)
+
+			got, err := CommitStatement(repo, "origin", h.String())
 			if err != nil {
-				t.Fatalf("error getting git object writer: %v", err)
+				t.Fatalf("statement(): %v", err)
 			}
-			_, err = w.Write(raw)
+
+			wantRaw, err := os.ReadFile(fmt.Sprintf("testdata/%s.out.json", tc))
 			if err != nil {
-				t.Fatalf("error writing git commit: %v", err)
+				t.Fatalf("error reading want json: %v", err)
+			}
+
+			want := &intoto.Statement{}
+			if err := protojson.Unmarshal(wantRaw, want); err != nil {
+				t.Fatalf("error decoding want json: %v", err)
+			}
+
+			if diff := cmp.Diff(want, got, protocmp.Transform()); diff != "" {
+				t.Error(diff)
 			}
-			h, err := storage.SetEncodedObject(obj)
+		})
+	}
+}
+
+func TestTagStatement(t *testing.T) {
+	repo, storage := newTestRepo(t, "git@github.com:wlynch/gitsign.git")
+
+	// IMPORTANT: When generating new test files, use `git cat-file tag <tagname> > foo.in.txt`.
+	for _, tc := range []string{
+		"fulcio-tag",
+	} {
+		t.Run(tc, func(t *testing.T) {
+			raw, err := os.ReadFile(fmt.Sprintf("testdata/%s.in.txt", tc))
 			if err != nil {
-				t.Fatalf("error storing git commit: %v", err)
+				t.Fatalf("error reading input: %v", err)
 			}
+			h := storeObject(t, storage, plumbing.TagObject, raw)
 
-			got, err := CommitStatement(repo, "origin", h.String())
+			// Create a tag reference pointing to the stored tag object.
+			tagRef := plumbing.NewHashReference(plumbing.NewTagReferenceName(tc), h)
+			if err := storage.SetReference(tagRef); err != nil {
+				t.Fatalf("error setting tag reference: %v", err)
+			}
+
+			got, err := TagStatement(repo, "origin", tc)
 			if err != nil {
-				t.Fatalf("statement(): %v", err)
+				t.Fatalf("TagStatement(): %v", err)
 			}
 
 			wantRaw, err := os.ReadFile(fmt.Sprintf("testdata/%s.out.json", tc))
@@ -94,3 +149,26 @@ func TestCommitStatement(t *testing.T) {
 		})
 	}
 }
+
+func TestTagStatementLightweight(t *testing.T) {
+	repo, storage := newTestRepo(t, "git@github.com:wlynch/gitsign.git")
+
+	// Store a commit object so the lightweight tag has something to point to.
+	raw, err := os.ReadFile("testdata/fulcio-cert.in.txt")
+	if err != nil {
+		t.Fatalf("error reading input: %v", err)
+	}
+	commitHash := storeObject(t, storage, plumbing.CommitObject, raw)
+
+	// Create a lightweight tag (ref pointing directly at the commit).
+	tagRef := plumbing.NewHashReference(plumbing.NewTagReferenceName("lightweight"), commitHash)
+	if err := storage.SetReference(tagRef); err != nil {
+		t.Fatalf("error setting tag reference: %v", err)
+	}
+
+	// Lightweight tags are not annotated, so TagStatement should return an error.
+	_, err = TagStatement(repo, "origin", "lightweight")
+	if err == nil {
+		t.Fatal("expected error for lightweight tag, got nil")
+	}
+}

pkg/attest/testdata/fulcio-tag.in.txt

@@ -0,0 +1,31 @@
+object dd51a25b4f9fa103ca6f5cdca4183fa15cb3e627
+type commit
+tag v0.14.0
+tagger Billy Lynch <billy@chainguard.dev> 1769622626 -0500
+
+v0.14.0
+-----BEGIN SIGNED MESSAGE-----
+MIIELwYJKoZIhvcNAQcCoIIEIDCCBBwCAQExDTALBglghkgBZQMEAgEwCwYJKoZI
+hvcNAQcBoIIC0TCCAs0wggJToAMCAQICFHX4oNpDnR17SVpco2KLU+Lk4cGZMAoG
+CCqGSM49BAMDMDcxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjEeMBwGA1UEAxMVc2ln
+c3RvcmUtaW50ZXJtZWRpYXRlMB4XDTI2MDEyODE3NTAyN1oXDTI2MDEyODE4MDAy
+N1owADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDEEyshqZPYaNaswQ7HfxREu
+3CKrEAAvf7bwQgWu93i4uN44VzJsW6dxV+7LBmUYP1wqyW03EthlUerMenbRtOOj
+ggFyMIIBbjAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwHQYD
+VR0OBBYEFIX1lG52urQX/ffvXImAVZvAjznAMB8GA1UdIwQYMBaAFN/T6c9WJBGW
++ajY6ShVosYuGGQ/MCIGA1UdEQEB/wQYMBaBFGJpbGx5QGNoYWluZ3VhcmQuZGV2
+MCkGCisGAQQBg78wAQEEG2h0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbTArBgor
+BgEEAYO/MAEIBB0MG2h0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbTCBigYKKwYB
+BAHWeQIEAgR8BHoAeAB2AN09MGrGxxEyYxkeHJlnNwKiSl643jyt/4eKcoAvKe6O
+AAABnAW6ZYYAAAQDAEcwRQIhAKyeO8OIbBRLAq0PBuJpDlL9m8bbUO97Scd5PFQ6
+bi1ZAiBNHC+SXcQ9tLzlPzNvKRniiKZ1UJuzX+LMt9eUYTd/1DAKBggqhkjOPQQD
+AwNoADBlAjEAquQWpoWTaWwNYU8aXRUxJTzoUsxM7Tdjgzz7mEcDsz5KD55nsFnJ
+xos0TZXioYoPAjBsmOdaJIh0zIzOj/N6B4VQr+txDqEovFwzcnDFmz2A8Y8CVUR1
+ZOb6gAGmo7RDzYAxggEkMIIBIAIBATBPMDcxFTATBgNVBAoTDHNpZ3N0b3JlLmRl
+djEeMBwGA1UEAxMVc2lnc3RvcmUtaW50ZXJtZWRpYXRlAhR1+KDaQ50de0laXKNi
+i1Pi5OHBmTALBglghkgBZQMEAgGgaTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcB
+MBwGCSqGSIb3DQEJBTEPFw0yNjAxMjgxNzUwMjdaMC8GCSqGSIb3DQEJBDEiBCC5
+j6i3ZTOxHPKTcA0Ub1oUtIxfJJ7xfbneBgnUJwakqTAKBggqhkjOPQQDAgRGMEQC
+IB8DIWqlTucRQEeSNpuEqUeVXhn4/DlYshDfwn5upV09AiB4gZOaUDX70vYSBup4
+luA5kuL+Nx6AafURfB2WxO8Krw==
+-----END SIGNED MESSAGE-----

pkg/attest/testdata/fulcio-tag.out.json

@@ -0,0 +1,33 @@
+{
+  "type": "https://in-toto.io/Statement/v1",
+  "predicateType": "https://gitsign.sigstore.dev/predicate/tag/v0.1",
+  "subject": [
+    {
+      "name": "git@github.com:wlynch/gitsign.git",
+      "digest": {
+        "sha1": "59b806d0c7932446ca9375b36ea3d421cc673224",
+        "gitTag": "59b806d0c7932446ca9375b36ea3d421cc673224"
+      }
+    }
+  ],
+  "predicate": {
+    "source": {
+      "object": "dd51a25b4f9fa103ca6f5cdca4183fa15cb3e627",
+      "object_type": "commit",
+      "tag": "v0.14.0",
+      "tagger": {
+        "name": "Billy Lynch",
+        "email": "billy@chainguard.dev",
+        "date": "2026-01-28T17:50:26Z"
+      },
+      "message": "v0.14.0\n"
+    },
+    "signature": "-----BEGIN SIGNED MESSAGE-----\nMIIELwYJKoZIhvcNAQcCoIIEIDCCBBwCAQExDTALBglghkgBZQMEAgEwCwYJKoZI\nhvcNAQcBoIIC0TCCAs0wggJToAMCAQICFHX4oNpDnR17SVpco2KLU+Lk4cGZMAoG\nCCqGSM49BAMDMDcxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjEeMBwGA1UEAxMVc2ln\nc3RvcmUtaW50ZXJtZWRpYXRlMB4XDTI2MDEyODE3NTAyN1oXDTI2MDEyODE4MDAy\nN1owADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDEEyshqZPYaNaswQ7HfxREu\n3CKrEAAvf7bwQgWu93i4uN44VzJsW6dxV+7LBmUYP1wqyW03EthlUerMenbRtOOj\nggFyMIIBbjAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwHQYD\nVR0OBBYEFIX1lG52urQX/ffvXImAVZvAjznAMB8GA1UdIwQYMBaAFN/T6c9WJBGW\n+ajY6ShVosYuGGQ/MCIGA1UdEQEB/wQYMBaBFGJpbGx5QGNoYWluZ3VhcmQuZGV2\nMCkGCisGAQQBg78wAQEEG2h0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbTArBgor\nBgEEAYO/MAEIBB0MG2h0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbTCBigYKKwYB\nBAHWeQIEAgR8BHoAeAB2AN09MGrGxxEyYxkeHJlnNwKiSl643jyt/4eKcoAvKe6O\nAAABnAW6ZYYAAAQDAEcwRQIhAKyeO8OIbBRLAq0PBuJpDlL9m8bbUO97Scd5PFQ6\nbi1ZAiBNHC+SXcQ9tLzlPzNvKRniiKZ1UJuzX+LMt9eUYTd/1DAKBggqhkjOPQQD\nAwNoADBlAjEAquQWpoWTaWwNYU8aXRUxJTzoUsxM7Tdjgzz7mEcDsz5KD55nsFnJ\nxos0TZXioYoPAjBsmOdaJIh0zIzOj/N6B4VQr+txDqEovFwzcnDFmz2A8Y8CVUR1\nZOb6gAGmo7RDzYAxggEkMIIBIAIBATBPMDcxFTATBgNVBAoTDHNpZ3N0b3JlLmRl\ndjEeMBwGA1UEAxMVc2lnc3RvcmUtaW50ZXJtZWRpYXRlAhR1+KDaQ50de0laXKNi\ni1Pi5OHBmTALBglghkgBZQMEAgGgaTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcB\nMBwGCSqGSIb3DQEJBTEPFw0yNjAxMjgxNzUwMjdaMC8GCSqGSIb3DQEJBDEiBCC5\nj6i3ZTOxHPKTcA0Ub1oUtIxfJJ7xfbneBgnUJwakqTAKBggqhkjOPQQDAgRGMEQC\nIB8DIWqlTucRQEeSNpuEqUeVXhn4/DlYshDfwn5upV09AiB4gZOaUDX70vYSBup4\nluA5kuL+Nx6AafURfB2WxO8Krw==\n-----END SIGNED MESSAGE-----\n",
+    "signer_info": [
+      {
+        "attributes": "MWkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMjYwMTI4MTc1MDI3WjAvBgkqhkiG9w0BCQQxIgQguY+ot2UzsRzyk3ANFG9aFLSMXySe8X253gYJ1CcGpKk=",
+        "certificate": "-----BEGIN CERTIFICATE-----\nMIICzTCCAlOgAwIBAgIUdfig2kOdHXtJWlyjYotT4uThwZkwCgYIKoZIzj0EAwMw\nNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRl\ncm1lZGlhdGUwHhcNMjYwMTI4MTc1MDI3WhcNMjYwMTI4MTgwMDI3WjAAMFkwEwYH\nKoZIzj0CAQYIKoZIzj0DAQcDQgAEMQTKyGpk9ho1qzBDsd/FES7cIqsQAC9/tvBC\nBa73eLi43jhXMmxbp3FX7ssGZRg/XCrJbTcS2GVR6sx6dtG046OCAXIwggFuMA4G\nA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUhfWU\nbna6tBf99+9ciYBVm8CPOcAwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4Y\nZD8wIgYDVR0RAQH/BBgwFoEUYmlsbHlAY2hhaW5ndWFyZC5kZXYwKQYKKwYBBAGD\nvzABAQQbaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tMCsGCisGAQQBg78wAQgE\nHQwbaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tMIGKBgorBgEEAdZ5AgQCBHwE\negB4AHYA3T0wasbHETJjGR4cmWc3AqJKXrjePK3/h4pygC8p7o4AAAGcBbplhgAA\nBAMARzBFAiEArJ47w4hsFEsCrQ8G4mkOUv2bxttQ73tJx3k8VDpuLVkCIE0cL5Jd\nxD20vOU/M28pGeKIpnVQm7Nf4sy315RhN3/UMAoGCCqGSM49BAMDA2gAMGUCMQCq\n5BamhZNpbA1hTxpdFTElPOhSzEztN2ODPPuYRwOzPkoPnmewWcnGizRNleKhig8C\nMGyY51okiHTMjM6P83oHhVCv63EOoSi8XDNycMWbPYDxjwJVRHVk5vqAAaajtEPN\ngA==\n-----END CERTIFICATE-----\n"
+      }
+    ]
+  }
+}