From 9d9d1847285d5312469b2a1514b5e4e772df5f73 Mon Sep 17 00:00:00 2001
From: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
Date: Fri, 4 Aug 2023 13:47:12 +0530
Subject: [PATCH] gitrepo: add tests for verifying tag signatures

Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
---
 .../gitrepository_controller_test.go          | 417 +++++++++++++++---
 1 file changed, 355 insertions(+), 62 deletions(-)

diff --git a/internal/controller/gitrepository_controller_test.go b/internal/controller/gitrepository_controller_test.go
index cd3c085eb..6a0dd0109 100644
--- a/internal/controller/gitrepository_controller_test.go
+++ b/internal/controller/gitrepository_controller_test.go
@@ -64,15 +64,20 @@ import (
 )
 
 const (
-	encodedCommitFixture = `tree f0c522d8cc4c90b73e2bc719305a896e7e3c108a
-parent eb167bc68d0a11530923b1f24b4978535d10b879
-author Stefan Prodan <stefan.prodan@gmail.com> 1633681364 +0300
-committer Stefan Prodan <stefan.prodan@gmail.com> 1633681364 +0300
+	encodedCommitFixture = `tree 35f0b28987e60d4b8dec1f707fd07fef5ad84abc
+parent 8b52742dbc848eb0975e62ae00fbfa4f8108e835
+author Sanskar Jaiswal <jaiswalsanskar078@gmail.com> 1691045123 +0530
+committer Sanskar Jaiswal <jaiswalsanskar078@gmail.com> 1691068951 +0530
 
-Update containerd and runc to fix CVEs
+git/e2e: disable CGO while running e2e tests
 
-Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
+Disable CGO for Git e2e tests as it was originially required because of
+our libgit2 client. Since we no longer maintain a libgit2 client, there
+is no need to run the tests with CGO enabled.
+
+Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
 `
+
 	malformedEncodedCommitFixture = `parent eb167bc68d0a11530923b1f24b4978535d10b879
 author Stefan Prodan <stefan.prodan@gmail.com> 1633681364 +0300
 committer Stefan Prodan <stefan.prodan@gmail.com> 1633681364 +0300
@@ -83,62 +88,74 @@ Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
 `
 	signatureCommitFixture = `-----BEGIN PGP SIGNATURE-----
 
-iHUEABEIAB0WIQQHgExUr4FrLdKzpNYyma6w5AhbrwUCYV//1AAKCRAyma6w5Ahb
-r7nJAQCQU4zEJu04/Q0ac/UaL6htjhq/wTDNMeUM+aWG/LcBogEAqFUea1oR2BJQ
-JCJmEtERFh39zNWSazQmxPAFhEE0kbc=
-=+Wlj
+iQIzBAABCAAdFiEEOxEY0f3iSZ5rKQ+vWYLQJ5wif/0FAmTLqnEACgkQWYLQJ5wi
+f/1mYw/+LRttvfPrfYl7ASUBGYSQuDzjeold8OO1LpmwjrKPpX4ivZbXHh+lJF0F
+fqudKuJfJzeQCHsMZjnfgvXHd2VvxPh1jX6h3JLuNu7d4g1DtNQsKJtsLx7JW99X
+J9Bb1xj0Ghh2PkrWEB9vpw+uZz4IhFrB+DNNLRNBkon3etrS1q57q8dhQFIhLI1y
+ij3rq3kFHjrNNdokIv2ujyVJtWgy2fK2ELW5v2dznpykOo7hQEKgtOIHPBzGBFT0
+dUFjB99Qy4Qgjh3vWaY4fZ3u/vhp3swmw91OlDkFeyndWjDSZhzYnb7wY+U6z35C
+aU4Gzc71CquSd/nTdOEkpuolBVWV5cBkM+Nxi8jtVGBeDDFE49j27a3lQ3+qtT7/
+q4FCe5Jw3GSOJvaLBLGmYVn9fc49t/28b5tkGtCHs3ATpsJohzELEIiDP90Me7hQ
+Joks3ML38T4J/zZ4/ObbVMkrCEATYe3r1Ep7+e6VmOG9iTg0JIexexddjHX26Tgu
+iuVP2GD/8PceqgNW/LPX84Ub32WTKPZJg+NyliDjH5QOvmguK1dRtSb/9eyYcoSF
+Fkf0HcgG5jOk0OZJv0QcqXd9PhB4oXeuXgGszo9M+fhr3nWvEooAJtIyLtVtt/u2
+rNNB7xkZ1uWx+52w9RG2gmZh+LaESwd1rNXgUFLNBebNN3jNzsA=
+=73xf
 -----END PGP SIGNATURE-----`
+
+	encodedTagFixture = `object 11525516bd55152ce68848bb14680aad43f18479
+type commit
+tag v0.1.0
+tagger Sanskar Jaiswal <jaiswalsanskar078@gmail.com> 1691132850 +0530
+
+v0.1.0
+`
+	signatureTagFixture = `-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEOxEY0f3iSZ5rKQ+vWYLQJ5wif/0FAmTMo7IACgkQWYLQJ5wi
+f/1uUQ/9F70u8LZZQ3+U2vuYQ8fyVp/AV5h5zwxK5UlkR1crB0gSpdaiIxMMQRc8
+4QQIqCXloSHherUu9SPbDe9Qmr0JL8a57XqThjUSa52IYMDVos9sYwViJit+xGyz
+HDot2nQ8MAqkDaiuwAnTqOyTPA89U36lGV/X/25mYxAuED+8xFx1OfvjGkX2eMEr
+peWJ8VEfdFr2OmWwFceh6iF/izIaZGttwCyNy4BIh2W0GvUtQAxzqF4IzUvwfJU/
+bgARaHKQhWqFhDNImttsqJBweWavEDDmUgNg80c3cUZKqBtAjElToP9gis/SnPH5
+zaCAH66OzyKIhn6lde7KpOzyqbOyzddTa8SKkAAHyO7onukOktV8W9toeAxlF20q
+Bw0MZGzAGisF8EK1HVv8UzrW9vAwdJN/yDIHWkjaeHr2FHmeV3a2QxH9PdwbE3tI
+B21TCVULJuM8oR0ZG62xzg5ba5HiZMiilNMJdrBfjk5xYGk3LQU1gB4FVYa7yTsN
+YfAokYtUIG187Qb8vPr1P95TzZxKdb7r/PAKEbGPro5D2Rri8OnxO/OaXG/giWS5
+5gRGmsQjvMsbzE/2PVc9+jshtZM49xL9H3DMjAWtO6MFbOqGqdi4MBa0T4qj6sZz
+AbSLuRIBpXDES86faDXLRmufc95+iA/fh7W23G6vmd+SjXnCcHc=
+=o4nf
+-----END PGP SIGNATURE-----
+`
+
 	armoredKeyRingFixture = `-----BEGIN PGP PUBLIC KEY BLOCK-----
 
-mQSuBF9+HgMRDADKT8UBcSzpTi4JXt/ohhVW3x81AGFPrQvs6MYrcnNJfIkPTJD8
-mY5T7j1fkaN5wcf1wnxM9qTcW8BodkWNGEoEYOtVuigLSxPFqIncxK0PHvdU8ths
-TEInBrgZv9t6xIVa4QngOEUd2D/aYni7M+75z7ntgj6eU1xLZ60upRFn05862OvJ
-rZFUvzjsZXMAO3enCu2VhG/2axCY/5uI8PgWjyiKV2TH4LBJgzlb0v6SyI+fYf5K
-Bg2WzDuLKvQBi9tFSwnUbQoFFlOeiGW8G/bdkoJDWeS1oYgSD3nkmvXvrVESCrbT
-C05OtQOiDXjSpkLim81vNVPtI2XEug+9fEA+jeJakyGwwB+K8xqV3QILKCoWHKGx
-yWcMHSR6cP9tdXCk2JHZBm1PLSJ8hIgMH/YwBJLYg90u8lLAs9WtpVBKkLplzzgm
-B4Z4VxCC+xI1kt+3ZgYvYC+oUXJXrjyAzy+J1f+aWl2+S/79glWgl/xz2VibWMz6
-nZUE+wLMxOQqyOsBALsoE6z81y/7gfn4R/BziBASi1jq/r/wdboFYowmqd39DACX
-+i+V0OplP2TN/F5JajzRgkrlq5cwZHinnw+IFwj9RTfOkdGb3YwhBt/h2PP38969
-ZG+y8muNtaIqih1pXj1fz9HRtsiCABN0j+JYpvV2D2xuLL7P1O0dt5BpJ3KqNCRw
-mGgO2GLxbwvlulsLidCPxdK/M8g9Eeb/xwA5LVwvjVchHkzHuUT7durn7AT0RWiK
-BT8iDfeBB9RKienAbWyybEqRaR6/Tv+mghFIalsDiBPbfm4rsNzsq3ohfByqECiy
-yUvs2O3NDwkoaBDkA3GFyKv8/SVpcuL5OkVxAHNCIMhNzSgotQ3KLcQc0IREfFCa
-3CsBAC7CsE2bJZ9IA9sbBa3jimVhWUQVudRWiLFeYHUF/hjhqS8IHyFwprjEOLaV
-EG0kBO6ELypD/bOsmN9XZLPYyI3y9DM6Vo0KMomE+yK/By/ZMxVfex8/TZreUdhP
-VdCLL95Rc4w9io8qFb2qGtYBij2wm0RWLcM0IhXWAtjI3B17IN+6hmv+JpiZccsM
-AMNR5/RVdXIl0hzr8LROD0Xe4sTyZ+fm3mvpczoDPQNRrWpmI/9OT58itnVmZ5jM
-7djV5y/NjBk63mlqYYfkfWto97wkhg0MnTnOhzdtzSiZQRzj+vf+ilLfIlLnuRr1
-JRV9Skv6xQltcFArx4JyfZCo7JB1ZXcbdFAvIXXS11RTErO0XVrXNm2RenpW/yZA
-9f+ESQ/uUB6XNuyqVUnJDAFJFLdzx8sO3DXo7dhIlgpFqgQobUl+APpbU5LT95sm
-89UrV0Lt9vh7k6zQtKOjEUhm+dErmuBnJo8MvchAuXLagHjvb58vYBCUxVxzt1KG
-2IePwJ/oXIfawNEGad9Lmdo1FYG1u53AKWZmpYOTouu92O50FG2+7dBh0V2vO253
-aIGFRT1r14B1pkCIun7z7B/JELqOkmwmlRrUnxlADZEcQT3z/S8/4+2P7P6kXO7X
-/TAX5xBhSqUbKe3DhJSOvf05/RVL5ULc2U2JFGLAtmBOFmnD/u0qoo5UvWliI+v/
-47QnU3RlZmFuIFByb2RhbiA8c3RlZmFuLnByb2RhbkBnbWFpbC5jb20+iJAEExEI
-ADgWIQQHgExUr4FrLdKzpNYyma6w5AhbrwUCX34eAwIbAwULCQgHAgYVCgkICwIE
-FgIDAQIeAQIXgAAKCRAyma6w5Ahbrzu/AP9l2YpRaWZr6wSQuEn0gMN8DRzsWJPx
-pn0akdY7SRP3ngD9GoKgu41FAItnHAJ2KiHv/fHFyHMndNP3kPGPNW4BF+65Aw0E
-X34eAxAMAMdYFCHmVA8TZxSTMBDpKYave8RiDCMMMjk26Gl0EPN9f2Y+s5++DhiQ
-hojNH9VmJkFwZX1xppxe1y1aLa/U6fBAqMP/IdNH8270iv+A9YIxdsWLmpm99BDO
-3suRfsHcOe9T0x/CwRfDNdGM/enGMhYGTgF4VD58DRDE6WntaBhl4JJa300NG6X0
-GM4Gh59DKWDnez/Shulj8demlWmakP5imCVoY+omOEc2k3nH02U+foqaGG5WxZZ+
-GwEPswm2sBxvn8nwjy9gbQwEtzNI7lWYiz36wCj2VS56Udqt+0eNg8WzocUT0XyI
-moe1qm8YJQ6fxIzaC431DYi/mCDzgx4EV9ww33SXX3Yp2NL6PsdWJWw2QnoqSMpM
-z5otw2KlMgUHkkXEKs0apmK4Hu2b6KD7/ydoQRFUqR38Gb0IZL1tOL6PnbCRUcig
-Aypy016W/WMCjBfQ8qxIGTaj5agX2t28hbiURbxZkCkz+Z3OWkO0Rq3Y2hNAYM5s
-eTn94JIGGwADBgv/dbSZ9LrBvdMwg8pAtdlLtQdjPiT1i9w5NZuQd7OuKhOxYTEB
-NRDTgy4/DgeNThCeOkMB/UQQPtJ3Et45S2YRtnnuvfxgnlz7xlUn765/grtnRk4t
-ONjMmb6tZos1FjIJecB/6h4RsvUd2egvtlpD/Z3YKr6MpNjWg4ji7m27e9pcJfP6
-YpTDrq9GamiHy9FS2F2pZlQxriPpVhjCLVn9tFGBIsXNxxn7SP4so6rJBmyHEAlq
-iym9wl933e0FIgAw5C1vvprYu2amk+jmVBsJjjCmInW5q/kWAFnFaHBvk+v+/7tX
-hywWUI7BqseikgUlkgJ6eU7E9z1DEyuS08x/cViDoNh2ntVUhpnluDu48pdqBvvY
-a4uL/D+KI84THUAJ/vZy+q6G3BEb4hI9pFjgrdJpUKubxyZolmkCFZHjV34uOcTc
-LQr28P8xW8vQbg5DpIsivxYLqDGXt3OyiItxvLMtw/ypt6PkoeP9A4KDST4StITE
-1hrOrPtJ/VRmS2o0iHgEGBEIACAWIQQHgExUr4FrLdKzpNYyma6w5AhbrwUCX34e
-AwIbDAAKCRAyma6w5Ahbr6QWAP9/pl2R6r1nuCnXzewSbnH1OLsXf32hFQAjaQ5o
-Oomb3gD/TRf/nAdVED+k81GdLzciYdUGtI71/qI47G0nMBluLRE=
-=/4e+
+mQINBGQmiZ0BEACwsubUFoWtp6iJDK9oUN4RhPS0bAKpcRTa7P/rTCD/MbTMYdWC
+4vod3FMm4+rNF0SESxY67MGmR4M3dSyOZkCijqHm9jDVOvN847LOl5bntkm8Euxm
+LkpfsBWng09+gtfwuKxOxPMY017D1jM23OGbrqznHaokerFeDp9sJf1C7Z9jVf39
+oB/MF0bMdUJuxFFBdpoI73DORlAVUI14mfDbFj7v02Spkv1hqS2LtJ/Jl4QR/Vw4
+mR71aFmGFWqLBlkUOjJ2SZGkCmF/qbUdLmVb7yZUtqtua4DVkBPTORfOMhGDbrME
+Nmb6Ft5neZwU0ETsT/oc6Np+PDFSUDBxu0CbKG6bw7N2y8RfiVJTaoNLFoFGV5dA
+K8OpyTxU4IEPDMpkWs7tpRxPCC02uCfyqlvdF4EURXYXTj54DDLOGQjoqB+iGtVi
+y2dQ4cuNhfuIFCFTA16s41DwmB0fQuOg3yfPPo7+jUefD+iAt3CZ9Guvu5+/mGyq
+KxSBBRFHc8ED/L7JLPMU6tZglaPch9P4H6Fi2swDryyZQn/a2kYanEh9v1wL94L4
+3gUdjIYP8kjfg7nnS2FX9hl5FtPeM3jvnWjfv9jR+c8HWQZY2wM3Rj5iulu70K2U
+pkdRUN0p2D5+Kq6idNreNoPlpQGoUOYrtAfOwtDFgMwuOZ78XkSIbFhtgwARAQAB
+tEVTYW5za2FyIEphaXN3YWwgKEdpdEh1YiBHUEcgc2lnaW5nIGtleSkgPGphaXN3
+YWxzYW5za2FyMDc4QGdtYWlsLmNvbT6JAk4EEwEIADgWIQQ7ERjR/eJJnmspD69Z
+gtAnnCJ//QUCZCaJnQIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRBZgtAn
+nCJ//dF4D/0Tl5Wre6KrZvjDs5loulhN8YMYb63jr+x1eVkpMpta51XvZvkZFoiY
+9T4MQX+qgAkTrUJsxgWUwtVtDfmbyLXodDRS6JUbCRiMu12VD7mNT+lUfuhR2sJv
+rHZoolQp7X4DTea1R64PcttfmlGO2pUNpGNmhojO0PahXqOCHmEUWBJQhI8RvOcs
+zRjEzDcAcEgtMGzamq6DR54YxyzGE8V9b5WD/elmEXM6uWW+CkfX8WskKbLdRY0t
++GQ1pOtf3tKxD46I3LIsUEwbyh4Dv4vJbZmyxjI+FKbSCW5tMrz/ZWrPNl0m+pDI
+Yn0+GWed2pgTMFh3VAhYCyIVugKynlaToH+D2z3DnuEp3Jfs+b1BdirS/PW79tW7
+rjCJzqofF2UPyK0mzdYL+P3k9Hip5J0bCGoeMdCLsP5fYq3Y1YS4bH4JkDm52y+r
+y89AH4LHHQt+A7w19I+6M2jmcNnDUMrpuSo84GeoM59O3fU7hLCC1Jx4hj7EBRrb
+QzY5FInrE/WTcgFRljK46zhW4ybmfak/xJV654UqJCDWlVbc68D8JrKNQOj7gdPs
+zh1+m2pFDEhWZkaFtQbSEpXMIJ9DsCoyQL4Knl+89VxHsrIyAJsmGb3V8xvtv5w9
+QuWtsDnYbvDHtTpu1NZChVrnr/l1k3C2fcLhV1s583AvhGMkbgSXkQ==
+=Tdjz
 -----END PGP PUBLIC KEY BLOCK-----
 `
 )
@@ -1525,7 +1542,7 @@ func TestGitRepositoryReconciler_verifyCommitSignature(t *testing.T) {
 		assertConditions []metav1.Condition
 	}{
 		{
-			name: "Valid commit makes SourceVerifiedCondition=True",
+			name: "Valid commit with mode=head makes SourceVerifiedCondition=True",
 			secret: &corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "existing",
@@ -1550,7 +1567,107 @@ func TestGitRepositoryReconciler_verifyCommitSignature(t *testing.T) {
 			},
 			want: sreconcile.ResultSuccess,
 			assertConditions: []metav1.Condition{
-				*conditions.TrueCondition(sourcev1.SourceVerifiedCondition, meta.SucceededReason, "verified signature of commit 'shasum' with key '3299AEB0E4085BAF'"),
+				*conditions.TrueCondition(sourcev1.SourceVerifiedCondition, sourcev1.VerifiedCommitReason, "verified signature of commit 'shasum' with key '5982D0279C227FFD'"),
+			},
+		},
+		{
+			name: "Valid tag with mode=tag makes SourceVerifiedCondition=True",
+			secret: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "existing",
+				},
+				Data: map[string][]byte{
+					"foo": []byte(armoredKeyRingFixture),
+				},
+			},
+			commit: git.Commit{
+				ReferencingTag: &git.AnnotatedTag{
+					Name:      "v0.1.0",
+					Hash:      []byte("shasum"),
+					Encoded:   []byte(encodedTagFixture),
+					Signature: signatureTagFixture,
+				},
+			},
+			beforeFunc: func(obj *sourcev1.GitRepository) {
+				obj.Spec.Reference = &sourcev1.GitRepositoryRef{
+					Tag: "v0.1.0",
+				}
+				obj.Spec.Interval = metav1.Duration{Duration: interval}
+				obj.Spec.Verification = &sourcev1.GitRepositoryVerification{
+					Mode: "tag",
+					SecretRef: meta.LocalObjectReference{
+						Name: "existing",
+					},
+				}
+			},
+			want: sreconcile.ResultSuccess,
+			assertConditions: []metav1.Condition{
+				*conditions.TrueCondition(sourcev1.SourceVerifiedCondition, sourcev1.VerifiedTagReason, "verified signature of tag 'v0.1.0@shasum' with key '5982D0279C227FFD'"),
+			},
+		},
+		{
+			name: "Valid tag and commit with mode=tagAndHead makes SourceVerifiedCondition=True",
+			secret: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "existing",
+				},
+				Data: map[string][]byte{
+					"foo": []byte(armoredKeyRingFixture),
+				},
+			},
+			commit: git.Commit{
+				Hash:      []byte("shasum"),
+				Encoded:   []byte(encodedCommitFixture),
+				Signature: signatureCommitFixture,
+				ReferencingTag: &git.AnnotatedTag{
+					Name:      "v0.1.0",
+					Hash:      []byte("shasum"),
+					Encoded:   []byte(encodedTagFixture),
+					Signature: signatureTagFixture,
+				},
+			},
+			beforeFunc: func(obj *sourcev1.GitRepository) {
+				obj.Spec.Reference = &sourcev1.GitRepositoryRef{
+					Tag: "v0.1.0",
+				}
+				obj.Spec.Interval = metav1.Duration{Duration: interval}
+				obj.Spec.Verification = &sourcev1.GitRepositoryVerification{
+					Mode: "tagAndHead",
+					SecretRef: meta.LocalObjectReference{
+						Name: "existing",
+					},
+				}
+			},
+			want: sreconcile.ResultSuccess,
+			assertConditions: []metav1.Condition{
+				*conditions.TrueCondition(sourcev1.SourceVerifiedCondition, sourcev1.VerifiedTagAndCommitReason, "verified signature of commit 'shasum' with key '5982D0279C227FFD' and signature of tag 'v0.1.0@shasum' with key '5982D0279C227FFD'"),
+			},
+		},
+		{
+			name: "Verification of tag with no tag ref marks the object as stalled",
+			secret: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "existing",
+				},
+				Data: map[string][]byte{
+					"foo": []byte(armoredKeyRingFixture),
+				},
+			},
+			beforeFunc: func(obj *sourcev1.GitRepository) {
+				obj.Spec.Reference = &sourcev1.GitRepositoryRef{
+					Branch: "main",
+				}
+				obj.Spec.Interval = metav1.Duration{Duration: interval}
+				obj.Spec.Verification = &sourcev1.GitRepositoryVerification{
+					Mode: "tag",
+					SecretRef: meta.LocalObjectReference{
+						Name: "existing",
+					},
+				}
+			},
+			wantErr: true,
+			assertConditions: []metav1.Condition{
+				*conditions.TrueCondition(meta.StalledCondition, "InvalidVerificationMode", "cannot verify tag object's signature if a tag reference is not specified"),
 			},
 		},
 		{
@@ -1576,7 +1693,36 @@ func TestGitRepositoryReconciler_verifyCommitSignature(t *testing.T) {
 			},
 			wantErr: true,
 			assertConditions: []metav1.Condition{
-				*conditions.FalseCondition(sourcev1.SourceVerifiedCondition, "InvalidCommitSignature", "signature verification of commit 'shasum' failed: unable to verify commit with any of the given key rings"),
+				*conditions.FalseCondition(sourcev1.SourceVerifiedCondition, "InvalidCommitSignature", "signature verification of commit 'shasum' failed: unable to verify Git commit: unable to verify payload with any of the given key rings"),
+			},
+		},
+		{
+			name: "Invalid PGP key sets no SourceVerifiedCondition and returns error",
+			secret: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "invalid",
+				},
+				Data: map[string][]byte{
+					"foo": []byte("invalid PGP public key"),
+				},
+			},
+			commit: git.Commit{
+				Hash:      []byte("shasum"),
+				Encoded:   []byte(malformedEncodedCommitFixture),
+				Signature: signatureCommitFixture,
+			},
+			beforeFunc: func(obj *sourcev1.GitRepository) {
+				obj.Spec.Interval = metav1.Duration{Duration: interval}
+				obj.Spec.Verification = &sourcev1.GitRepositoryVerification{
+					Mode: "head",
+					SecretRef: meta.LocalObjectReference{
+						Name: "invalid",
+					},
+				}
+			},
+			wantErr: true,
+			assertConditions: []metav1.Condition{
+				*conditions.FalseCondition(sourcev1.SourceVerifiedCondition, "InvalidCommitSignature", "signature verification of commit 'shasum' failed: unable to verify Git commit: unable to read armored key ring: openpgp: invalid argument: no armored data found"),
 			},
 		},
 		{
@@ -2797,3 +2943,150 @@ func TestGitContentConfigChanged(t *testing.T) {
 		})
 	}
 }
+
+func Test_requiresVerification(t *testing.T) {
+	tests := []struct {
+		name string
+		obj  *sourcev1.GitRepository
+		want bool
+	}{
+		{
+			name: "GitRepository without verification does not require verification",
+			obj: &sourcev1.GitRepository{
+				Spec: sourcev1.GitRepositorySpec{},
+			},
+			want: false,
+		},
+		{
+			name: "GitRepository with verification and no SourceVerifiedCondition in status requires verification",
+			obj: &sourcev1.GitRepository{
+				Spec: sourcev1.GitRepositorySpec{
+					Verification: &sourcev1.GitRepositoryVerification{},
+				},
+			},
+			want: true,
+		},
+		{
+			name: "GitRepository with HEAD verification and a verified tag requires verification",
+			obj: &sourcev1.GitRepository{
+				Spec: sourcev1.GitRepositorySpec{
+					Verification: &sourcev1.GitRepositoryVerification{
+						Mode: "head",
+					},
+				},
+				Status: sourcev1.GitRepositoryStatus{
+					Conditions: []metav1.Condition{
+						{
+							Type:   sourcev1.SourceVerifiedCondition,
+							Reason: sourcev1.VerifiedTagReason,
+						},
+					},
+				},
+			},
+			want: true,
+		},
+		{
+			name: "GitRepository with tag and HEAD verification and a verified tag requires verification",
+			obj: &sourcev1.GitRepository{
+				Spec: sourcev1.GitRepositorySpec{
+					Verification: &sourcev1.GitRepositoryVerification{
+						Mode: "tagAndHead",
+					},
+				},
+				Status: sourcev1.GitRepositoryStatus{
+					Conditions: []metav1.Condition{
+						{
+							Type:   sourcev1.SourceVerifiedCondition,
+							Reason: sourcev1.VerifiedTagReason,
+						},
+					},
+				},
+			},
+			want: true,
+		},
+		{
+			name: "GitRepository with tag verification and a verified HEAD requires verification",
+			obj: &sourcev1.GitRepository{
+				Spec: sourcev1.GitRepositorySpec{
+					Verification: &sourcev1.GitRepositoryVerification{
+						Mode: "tag",
+					},
+				},
+				Status: sourcev1.GitRepositoryStatus{
+					Conditions: []metav1.Condition{
+						{
+							Type:   sourcev1.SourceVerifiedCondition,
+							Reason: sourcev1.VerifiedCommitReason,
+						},
+					},
+				},
+			},
+			want: true,
+		},
+		{
+			name: "GitRepository with tag and HEAD verification and a verified HEAD requires verification",
+			obj: &sourcev1.GitRepository{
+				Spec: sourcev1.GitRepositorySpec{
+					Verification: &sourcev1.GitRepositoryVerification{
+						Mode: "tagAndHead",
+					},
+				},
+				Status: sourcev1.GitRepositoryStatus{
+					Conditions: []metav1.Condition{
+						{
+							Type:   sourcev1.SourceVerifiedCondition,
+							Reason: sourcev1.VerifiedCommitReason,
+						},
+					},
+				},
+			},
+			want: true,
+		},
+		{
+			name: "GitRepository with tag verification and a verified HEAD and tag does not require verification",
+			obj: &sourcev1.GitRepository{
+				Spec: sourcev1.GitRepositorySpec{
+					Verification: &sourcev1.GitRepositoryVerification{
+						Mode: "tag",
+					},
+				},
+				Status: sourcev1.GitRepositoryStatus{
+					Conditions: []metav1.Condition{
+						{
+							Type:   sourcev1.SourceVerifiedCondition,
+							Reason: sourcev1.VerifiedTagAndCommitReason,
+						},
+					},
+				},
+			},
+			want: false,
+		},
+		{
+			name: "GitRepository with head verification and a verified HEAD and tag does not require verification",
+			obj: &sourcev1.GitRepository{
+				Spec: sourcev1.GitRepositorySpec{
+					Verification: &sourcev1.GitRepositoryVerification{
+						Mode: "head",
+					},
+				},
+				Status: sourcev1.GitRepositoryStatus{
+					Conditions: []metav1.Condition{
+						{
+							Type:   sourcev1.SourceVerifiedCondition,
+							Reason: sourcev1.VerifiedTagAndCommitReason,
+						},
+					},
+				},
+			},
+			want: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+			verificationRequired := requiresVerification(tt.obj)
+			g.Expect(verificationRequired).To(Equal(tt.want))
+		})
+	}
+}