As git started to support SSH signing since yesterday, I am polling interest to start supporting this in go-git. While we are at it, it would likely be beneficial to add support for x509 signed commits as well (possible using e.g. smimesign).

Changes required, based on a quick analysis:

• Detect signature "headers" other than PGP in

  • go-git/plumbing/object/commit.go

    Line 170 in bd662b0

    func (c *Commit) Decode(o plumbing.EncodedObject) (err error) {

  • go-git/plumbing/object/tag.go

    Line 138 in bd662b0

    if bytes.Contains(data, []byte(beginpgp)) {

• Ensure the signatures are made available in Commit and Tag
• Adapt Verify logic to work with multiple signature types.

The latter seems to be the hardest part, as the current contract assumes an armored key ring. One way to make this backwards compatible would be to just assume the string data is the correct data to verify the type, but I am open to alternatives.