Display x509 signed tags

Closes #122157

app/helpers/x509_helper.rb

@@ -16,4 +16,8 @@ module X509Helper
   rescue
     {}
   end
+
+  def x509_signature?(sig)
+    sig.is_a?(X509CommitSignature) || sig.is_a?(Gitlab::X509::Signature)
+  end
 end

app/models/x509_commit_signature.rb

@@ -41,4 +41,8 @@ class X509CommitSignature < ApplicationRecord
 
     Gitlab::X509::Commit.new(commit)
   end
+
+  def user
+    commit.committer
+  end
 end

app/views/projects/commit/_signature.html.haml

 - if signature
-  - uri = "projects/commit/#{"x509/" if signature.instance_of?(X509CommitSignature)}"
+  - uri = "projects/commit/#{"x509/" if x509_signature?(signature)}"
   = render partial: "#{uri}#{signature.verification_status}_signature_badge", locals: { signature: signature }

app/views/projects/commit/_signature_badge.html.haml

@@ -17,13 +17,13 @@
 - content = capture do
   - if show_user
     .clearfix
-      - uri_signature_badge_user = "projects/commit/#{"x509/" if signature.instance_of?(X509CommitSignature)}signature_badge_user"
+      - uri_signature_badge_user = "projects/commit/#{"x509/" if x509_signature?(signature)}signature_badge_user"
       = render partial: "#{uri_signature_badge_user}", locals: { signature: signature }
 
-  - if signature.instance_of?(X509CommitSignature)
+  - if x509_signature?(signature)
     = render partial: "projects/commit/x509/certificate_details", locals: { signature: signature }
 
-    = link_to(_('Learn more about x509 signed commits'), help_page_path('user/project/repository/x509_signed_commits/index.md'), class: 'gpg-popover-help-link')
+    = link_to(_('Learn more about X.509 signed commits'), help_page_path('user/project/repository/x509_signed_commits/index.md'), class: 'gpg-popover-help-link')
   - else
     = _('GPG Key ID:')
     %span.monospace= signature.gpg_key_primary_keyid

app/views/projects/commit/x509/_signature_badge_user.html.haml

-- user = signature.commit.committer
 - user_email = signature.x509_certificate.email
+- user = signature.user
 
 - if user
   = link_to user_path(user), class: 'gpg-popover-user-link' do

app/views/projects/tags/_tag.html.haml

@@ -30,6 +30,9 @@
           = markdown_field(release, :description)
 
   .row-fixed-content.controls.flex-row
+    - if tag.has_signature?
+      = render partial: 'projects/commit/signature', object: tag.signature
+
     = render 'projects/buttons/download', project: @project, ref: tag.name, pipeline: @tags_pipelines[tag.name]
 
     - if can?(current_user, :admin_tag, @project)

app/views/projects/tags/show.html.haml

@@ -39,6 +39,8 @@
       = s_("TagsPage|Can't find HEAD commit for this tag")
 
   .nav-controls
+    - if @tag.has_signature?
+      = render partial: 'projects/commit/signature', object: @tag.signature
     - if can?(current_user, :admin_tag, @project)
       = link_to edit_project_tag_release_path(@project, @tag.name), class: 'btn btn-edit controls-item has-tooltip', title: s_('TagsPage|Edit release notes') do
         = icon("pencil")

changelogs/unreleased/feat-x509-tag.yml

+---
+title: Display x509 signed tags
+merge_request: 27211
+author: Roger Meier
+type: added

doc/user/project/repository/x509_signed_commits/index.md

@@ -2,7 +2,7 @@
 type: concepts, howto
 ---
 
-# Signing commits with X.509
+# Signing commits and tags with X.509
 
 [X.509](https://en.wikipedia.org/wiki/X.509) is a standard format for public key
 certificates issued by a public or private Public Key Infrastructure (PKI).
@@ -16,7 +16,7 @@ instead of a web of trust with GPG.
 
 GitLab uses its own certificate store and therefore defines the trust chain.
 
-For a commit to be *verified* by GitLab:
+For a commit or tag to be *verified* by GitLab:
 
 - The signing certificate email must match a verified email address used by the committer in GitLab.
 - The Certificate Authority has to be trusted by the GitLab instance, see also
@@ -27,6 +27,11 @@ For a commit to be *verified* by GitLab:
 
 NOTE: **Note:** Certificate revocation lists are checked on a daily basis via background worker.
 
+NOTE: **Note:** Self signed certificates without `authorityKeyIdentifier`,
+`subjectKeyIdentifier`, and `crlDistributionPoints` are not supported. We
+recommend using certificates from a PKI that are in line with
+[RFC 5280](https://tools.ietf.org/html/rfc5280).
+
 ## Obtaining an X.509 key pair
 
 If your organization has Public Key Infrastructure (PKI), that PKI will provide
@@ -98,3 +103,31 @@ To verify that a commit is signed, you can use the `--show-signature` flag:
 ```sh
 git log --show-signature
 ```
+
+## Signing tags
+
+After you have [associated your X.509 certificate with Git](#associating-your-x509-certificate-with-git) you
+can start signing your tags:
+
+1. Tag like you used to, the only difference is the addition of the `-s` flag:
+
+   ```sh
+   git tag -s v1.1.1 -m "My signed tag"
+   ```
+
+1. Push to GitLab and check that your tags [are verified](#verifying-tags).
+
+If you don't want to type the `-s` flag every time you tag, you can tell Git
+to sign your tags automatically:
+
+```sh
+git config --global tag.gpgsign true
+```
+
+## Verifying tags
+
+To verify that a tag is signed, you can use the `--verify` flag:
+
+```sh
+git tag --verify v1.1.1
+```

lib/gitlab/git/tag.rb

@@ -66,6 +66,27 @@ module Gitlab
         @raw_tag.tagger
       end
 
+      def has_signature?
+        signature_type != :NONE
+      end
+
+      def signature_type
+        @raw_tag.signature_type || :NONE
+      end
+
+      def signature
+        return unless has_signature?
+
+        case signature_type
+        when :PGP
+          nil # not implemented, see https://gitlab.com/gitlab-org/gitlab/issues/19260
+        when :X509
+          X509::Tag.new(@raw_tag).signature
+        else
+          nil
+        end
+      end
+
       private
 
       def message_from_gitaly_tag

lib/gitlab/x509/signature.rb

@@ -22,6 +22,10 @@ module Gitlab
         X509Certificate.safe_create!(certificate_attributes) unless verified_signature.nil?
       end
 
+      def user
+        User.find_by_any_email(@email)
+      end
+
       def verified_signature
         strong_memoize(:verified_signature) { verified_signature? }
       end

lib/gitlab/x509/tag.rb

+# frozen_string_literal: true
+require 'openssl'
+require 'digest'
+
+module Gitlab
+  module X509
+    class Tag
+      include Gitlab::Utils::StrongMemoize
+
+      def initialize(raw_tag)
+        @raw_tag = raw_tag
+      end
+
+      def signature
+        signature = X509::Signature.new(signature_text, signed_text, @raw_tag.tagger.email, Time.at(@raw_tag.tagger.date.seconds))
+
+        return if signature.verified_signature.nil?
+
+        signature
+      end
+
+      private
+
+      def signature_text
+        @raw_tag.message.slice(@raw_tag.message.index("-----BEGIN SIGNED MESSAGE-----")..-1)
+      rescue
+        nil
+      end
+
+      def signed_text
+        # signed text is reconstructed as long as there is no specific gitaly function
+        %{object #{@raw_tag.target_commit.id}
+type commit
+tag #{@raw_tag.name}
+tagger #{@raw_tag.tagger.name} <#{@raw_tag.tagger.email}> #{@raw_tag.tagger.date.seconds} #{@raw_tag.tagger.timezone}
+
+#{@raw_tag.message.gsub(/-----BEGIN SIGNED MESSAGE-----(.*)-----END SIGNED MESSAGE-----/m, "")}}
+      end
+    end
+  end
+end

locale/gitlab.pot

@@ -12180,6 +12180,9 @@ msgstr ""
 msgid "Learn more about Web Terminal"
 msgstr ""
 
+msgid "Learn more about X.509 signed commits"
+msgstr ""
+
 msgid "Learn more about adding certificates to your project by following the %{docs_link_start}documentation on GitLab Pages%{docs_link_end}."
 msgstr ""
 
@@ -12201,9 +12204,6 @@ msgstr ""
 msgid "Learn more about the dependency list"
 msgstr ""
 
-msgid "Learn more about x509 signed commits"
-msgstr ""
-
 msgid "Learn more in the"
 msgstr ""
 

spec/helpers/x509_helper_spec.rb

@@ -57,4 +57,22 @@ describe X509Helper do
       end
     end
   end
+
+  describe '#x509_signature?' do
+    let(:x509_signature) { create(:x509_commit_signature) }
+    let(:gpg_signature) { create(:gpg_signature) }
+
+    it 'detects a x509 signed commit' do
+      signature = Gitlab::X509::Signature.new(
+        X509Helpers::User1.signed_commit_signature,
+        X509Helpers::User1.signed_commit_base_data,
+        X509Helpers::User1.certificate_email,
+        X509Helpers::User1.signed_commit_time
+      )
+
+      expect(x509_signature?(x509_signature)).to be_truthy
+      expect(x509_signature?(signature)).to be_truthy
+      expect(x509_signature?(gpg_signature)).to be_falsey
+    end
+  end
 end

spec/lib/gitlab/git/tag_spec.rb

@@ -13,6 +13,13 @@ describe Gitlab::Git::Tag, :seed_helper do
       it { expect(tag.target).to eq("f4e6814c3e4e7a0de82a9e7cd20c626cc963a2f8") }
       it { expect(tag.dereferenced_target.sha).to eq("6f6d7e7ed97bb5f0054f2b1df789b39ca89b6ff9") }
       it { expect(tag.message).to eq("Release") }
+      it { expect(tag.has_signature?).to be_falsey }
+      it { expect(tag.signature_type).to eq(:NONE) }
+      it { expect(tag.signature).to be_nil }
+      it { expect(tag.tagger.name).to eq("Dmitriy Zaporozhets") }
+      it { expect(tag.tagger.email).to eq("dmitriy.zaporozhets@gmail.com") }
+      it { expect(tag.tagger.date).to eq(Google::Protobuf::Timestamp.new(seconds: 1393491299)) }
+      it { expect(tag.tagger.timezone).to eq("+0200") }
     end
 
     describe 'last tag' do
@@ -22,6 +29,29 @@ describe Gitlab::Git::Tag, :seed_helper do
       it { expect(tag.target).to eq("2ac1f24e253e08135507d0830508febaaccf02ee") }
       it { expect(tag.dereferenced_target.sha).to eq("fa1b1e6c004a68b7d8763b86455da9e6b23e36d6") }
       it { expect(tag.message).to eq("Version 1.2.1") }
+      it { expect(tag.has_signature?).to be_falsey }
+      it { expect(tag.signature_type).to eq(:NONE) }
+      it { expect(tag.signature).to be_nil }
+      it { expect(tag.tagger.name).to eq("Douwe Maan") }
+      it { expect(tag.tagger.email).to eq("douwe@selenight.nl") }
+      it { expect(tag.tagger.date).to eq(Google::Protobuf::Timestamp.new(seconds: 1427789449)) }
+      it { expect(tag.tagger.timezone).to eq("+0200") }
+    end
+
+    describe 'signed tag' do
+      let(:project) { create(:project, :repository) }
+      let(:tag) { project.repository.find_tag('v1.1.1') }
+
+      it { expect(tag.target).to eq("8f03acbcd11c53d9c9468078f32a2622005a4841") }
+      it { expect(tag.dereferenced_target.sha).to eq("189a6c924013fc3fe40d6f1ec1dc20214183bc97") }
+      it { expect(tag.message).to eq("x509 signed tag" + "\n" + X509Helpers::User1.signed_tag_signature.chomp) }
+      it { expect(tag.has_signature?).to be_truthy }
+      it { expect(tag.signature_type).to eq(:X509) }
+      it { expect(tag.signature).not_to be_nil }
+      it { expect(tag.tagger.name).to eq("Roger Meier") }
+      it { expect(tag.tagger.email).to eq("r.meier@siemens.com") }
+      it { expect(tag.tagger.date).to eq(Google::Protobuf::Timestamp.new(seconds: 1574261780)) }
+      it { expect(tag.tagger.timezone).to eq("+0100") }
     end
 
     it { expect(repository.tags.size).to eq(SeedRepo::Repo::TAGS.size) }

spec/lib/gitlab/x509/signature_spec.rb

@@ -229,4 +229,164 @@ describe Gitlab::X509::Signature do
       end
     end
   end
+
+  describe '#user' do
+    signature = described_class.new(
+      X509Helpers::User1.signed_tag_signature,
+      X509Helpers::User1.signed_tag_base_data,
+      X509Helpers::User1.certificate_email,
+      X509Helpers::User1.signed_commit_time
+    )
+
+    context 'if email is assigned to a user' do
+      let!(:user) { create(:user, email: X509Helpers::User1.certificate_email) }
+
+      it 'returns user' do
+        expect(signature.user).to eq(user)
+      end
+    end
+
+    it 'if email is not assigned to a user, return nil' do
+      expect(signature.user).to be_nil
+    end
+  end
+
+  context 'tag signature' do
+    let(:certificate_attributes) do
+      {
+        subject_key_identifier: X509Helpers::User1.tag_certificate_subject_key_identifier,
+        subject: X509Helpers::User1.certificate_subject,
+        email: X509Helpers::User1.certificate_email,
+        serial_number: X509Helpers::User1.tag_certificate_serial
+      }
+    end
+
+    let(:issuer_attributes) do
+      {
+        subject_key_identifier: X509Helpers::User1.tag_issuer_subject_key_identifier,
+        subject: X509Helpers::User1.tag_certificate_issuer,
+        crl_url: X509Helpers::User1.tag_certificate_crl
+      }
+    end
+
+    context 'verified signature' do
+      context 'with trusted certificate store' do
+        before do
+          store = OpenSSL::X509::Store.new
+          certificate = OpenSSL::X509::Certificate.new X509Helpers::User1.trust_cert
+          store.add_cert(certificate)
+          allow(OpenSSL::X509::Store).to receive(:new).and_return(store)
+        end
+
+        it 'returns a verified signature if email does match' do
+          signature = described_class.new(
+            X509Helpers::User1.signed_tag_signature,
+            X509Helpers::User1.signed_tag_base_data,
+            X509Helpers::User1.certificate_email,
+            X509Helpers::User1.signed_commit_time
+          )
+
+          expect(signature.x509_certificate).to have_attributes(certificate_attributes)
+          expect(signature.x509_certificate.x509_issuer).to have_attributes(issuer_attributes)
+          expect(signature.verified_signature).to be_truthy
+          expect(signature.verification_status).to eq(:verified)
+        end
+
+        it 'returns an unverified signature if email does not match' do
+          signature = described_class.new(
+            X509Helpers::User1.signed_tag_signature,
+            X509Helpers::User1.signed_tag_base_data,
+            "gitlab@example.com",
+            X509Helpers::User1.signed_commit_time
+          )
+
+          expect(signature.x509_certificate).to have_attributes(certificate_attributes)
+          expect(signature.x509_certificate.x509_issuer).to have_attributes(issuer_attributes)
+          expect(signature.verified_signature).to be_truthy
+          expect(signature.verification_status).to eq(:unverified)
+        end
+
+        it 'returns an unverified signature if email does match and time is wrong' do
+          signature = described_class.new(
+            X509Helpers::User1.signed_tag_signature,
+            X509Helpers::User1.signed_tag_base_data,
+            X509Helpers::User1.certificate_email,
+            Time.new(2020, 2, 22)
+          )
+
+          expect(signature.x509_certificate).to have_attributes(certificate_attributes)
+          expect(signature.x509_certificate.x509_issuer).to have_attributes(issuer_attributes)
+          expect(signature.verified_signature).to be_falsey
+          expect(signature.verification_status).to eq(:unverified)
+        end
+
+        it 'returns an unverified signature if certificate is revoked' do
+          signature = described_class.new(
+            X509Helpers::User1.signed_tag_signature,
+            X509Helpers::User1.signed_tag_base_data,
+            X509Helpers::User1.certificate_email,
+            X509Helpers::User1.signed_commit_time
+          )
+
+          expect(signature.verification_status).to eq(:verified)
+
+          signature.x509_certificate.revoked!
+
+          expect(signature.verification_status).to eq(:unverified)
+        end
+      end
+
+      context 'without trusted certificate within store' do
+        before do
+          store = OpenSSL::X509::Store.new
+          allow(OpenSSL::X509::Store).to receive(:new)
+              .and_return(
+                store
+              )
+        end
+
+        it 'returns an unverified signature' do
+          signature = described_class.new(
+            X509Helpers::User1.signed_tag_signature,
+            X509Helpers::User1.signed_tag_base_data,
+            X509Helpers::User1.certificate_email,
+            X509Helpers::User1.signed_commit_time
+          )
+
+          expect(signature.x509_certificate).to have_attributes(certificate_attributes)
+          expect(signature.x509_certificate.x509_issuer).to have_attributes(issuer_attributes)
+          expect(signature.verified_signature).to be_falsey
+          expect(signature.verification_status).to eq(:unverified)
+        end
+      end
+    end
+
+    context 'invalid signature' do
+      it 'returns nil' do
+        signature = described_class.new(
+          X509Helpers::User1.signed_tag_signature.tr('A', 'B'),
+          X509Helpers::User1.signed_tag_base_data,
+          X509Helpers::User1.certificate_email,
+          X509Helpers::User1.signed_commit_time
+        )
+        expect(signature.x509_certificate).to be_nil
+        expect(signature.verified_signature).to be_falsey
+        expect(signature.verification_status).to eq(:unverified)
+      end
+    end
+
+    context 'invalid message' do
+      it 'returns nil' do
+        signature = described_class.new(
+          X509Helpers::User1.signed_tag_signature,
+          'x',
+          X509Helpers::User1.certificate_email,
+          X509Helpers::User1.signed_commit_time
+        )
+        expect(signature.x509_certificate).to be_nil
+        expect(signature.verified_signature).to be_falsey
+        expect(signature.verification_status).to eq(:unverified)
+      end
+    end
+  end
 end

spec/lib/gitlab/x509/tag_spec.rb

+# frozen_string_literal: true
+require 'spec_helper'
+
+describe Gitlab::X509::Tag do
+  subject(:signature) { described_class.new(tag).signature }
+
+  describe '#signature' do
+    let(:repository) { Gitlab::Git::Repository.new('default', TEST_REPO_PATH, '', 'group/project') }
+    let(:project) { create(:project, :repository) }
+
+    describe 'signed tag' do
+      let(:tag) { project.repository.find_tag('v1.1.1') }
+      let(:certificate_attributes) do
+        {
+          subject_key_identifier: X509Helpers::User1.tag_certificate_subject_key_identifier,
+          subject: X509Helpers::User1.certificate_subject,
+          email: X509Helpers::User1.certificate_email,
+          serial_number: X509Helpers::User1.tag_certificate_serial
+        }
+      end
+
+      let(:issuer_attributes) do
+        {
+          subject_key_identifier: X509Helpers::User1.tag_issuer_subject_key_identifier,
+          subject: X509Helpers::User1.tag_certificate_issuer,
+          crl_url: X509Helpers::User1.tag_certificate_crl
+        }
+      end
+
+      it { expect(signature).not_to be_nil }
+      it { expect(signature.verification_status).to eq(:unverified) }
+      it { expect(signature.x509_certificate).to have_attributes(certificate_attributes) }
+      it { expect(signature.x509_certificate.x509_issuer).to have_attributes(issuer_attributes) }
+    end
+
+    context 'unsigned tag' do
+      let(:tag) { project.repository.find_tag('v1.0.0') }
+
+      it { expect(signature).to be_nil }
+    end
+  end
+end

spec/models/x509_commit_signature_spec.rb

@@ -9,6 +9,15 @@ RSpec.describe X509CommitSignature do
   let(:x509_certificate) { create(:x509_certificate) }
   let(:x509_signature) { create(:x509_commit_signature, commit_sha: commit_sha) }
 
+  let(:attributes) do
+    {
+      commit_sha: commit_sha,
+      project: project,
+      x509_certificate_id: x509_certificate.id,
+      verification_status: "verified"
+    }
+  end
+
   it_behaves_like 'having unique enum values'
 
   describe 'validation' do
@@ -23,15 +32,6 @@ RSpec.describe X509CommitSignature do
   end
 
   describe '.safe_create!' do
-    let(:attributes) do
-      {
-        commit_sha: commit_sha,
-        project: project,
-        x509_certificate_id: x509_certificate.id,
-        verification_status: "verified"
-      }
-    end
-
     it 'finds a signature by commit sha if it existed' do
       x509_signature
 
@@ -50,4 +50,18 @@ RSpec.describe X509CommitSignature do
       expect(signature.x509_certificate_id).to eq(x509_certificate.id)
     end
   end
+
+  describe '#user' do
+    context 'if email is assigned to a user' do
+      let!(:user) { create(:user, email: X509Helpers::User1.certificate_email) }
+
+      it 'returns user' do
+        expect(described_class.safe_create!(attributes).user).to eq(user)
+      end
+    end
+
+    it 'if email is not assigned to a user, return nil' do
+      expect(described_class.safe_create!(attributes).user).to be_nil
+    end
+  end
 end

spec/support/helpers/x509_helpers.rb

@@ -173,22 +173,155 @@ module X509Helpers
       Time.at(1561027326)
     end
 
+    def signed_tag_signature
+      <<~SIGNATURE
+        -----BEGIN SIGNED MESSAGE-----
+        MIISfwYJKoZIhvcNAQcCoIIScDCCEmwCAQExDTALBglghkgBZQMEAgEwCwYJKoZI
+        hvcNAQcBoIIP8zCCB3QwggVcoAMCAQICBBXXLOIwDQYJKoZIhvcNAQELBQAwgbYx
+        CzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZCYXllcm4xETAPBgNVBAcMCE11ZW5jaGVu
+        MRAwDgYDVQQKDAdTaWVtZW5zMREwDwYDVQQFEwhaWlpaWlpBNjEdMBsGA1UECwwU
+        U2llbWVucyBUcnVzdCBDZW50ZXIxPzA9BgNVBAMMNlNpZW1lbnMgSXNzdWluZyBD
+        QSBNZWRpdW0gU3RyZW5ndGggQXV0aGVudGljYXRpb24gMjAxNjAeFw0xNzAyMDMw
+        NjU4MzNaFw0yMDAyMDMwNjU4MzNaMFsxETAPBgNVBAUTCFowMDBOV0RIMQ4wDAYD
+        VQQqDAVSb2dlcjEOMAwGA1UEBAwFTWVpZXIxEDAOBgNVBAoMB1NpZW1lbnMxFDAS
+        BgNVBAMMC01laWVyIFJvZ2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+        AQEAuBNea/68ZCnHYQjpm/k3ZBG0wBpEKSwG6lk9CEQlSxsqVLQHAoAKBIlJm1in
+        YVLcK/Sq1yhYJ/qWcY/M53DhK2rpPuhtrWJUdOUy8EBWO20F4bd4Fw9pO7jt8bme
+        u33TSrK772vKjuppzB6SeG13Cs08H+BIeD106G27h7ufsO00pvsxoSDL+uc4slnr
+        pBL+2TAL7nSFnB9QHWmRIK27SPqJE+lESdb0pse11x1wjvqKy2Q7EjL9fpqJdHzX
+        NLKHXd2r024TOORTa05DFTNR+kQEKKV96XfpYdtSBomXNQ44cisiPBJjFtYvfnFE
+        wgrHa8fogn/b0C+A+HAoICN12wIDAQABo4IC4jCCAt4wHQYDVR0OBBYEFCF+gkUp
+        XQ6xGc0kRWXuDFxzA14zMEMGA1UdEQQ8MDqgIwYKKwYBBAGCNxQCA6AVDBNyLm1l
+        aWVyQHNpZW1lbnMuY29tgRNyLm1laWVyQHNpZW1lbnMuY29tMA4GA1UdDwEB/wQE
+        AwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwgcoGA1UdHwSBwjCB
+        vzCBvKCBuaCBtoYmaHR0cDovL2NoLnNpZW1lbnMuY29tL3BraT9aWlpaWlpBNi5j
+        cmyGQWxkYXA6Ly9jbC5zaWVtZW5zLm5ldC9DTj1aWlpaWlpBNixMPVBLST9jZXJ0
+        aWZpY2F0ZVJldm9jYXRpb25MaXN0hklsZGFwOi8vY2wuc2llbWVucy5jb20vQ049
+        WlpaWlpaQTYsbz1UcnVzdGNlbnRlcj9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0
+        MEUGA1UdIAQ+MDwwOgYNKwYBBAGhaQcCAgMBAzApMCcGCCsGAQUFBwIBFhtodHRw
+        Oi8vd3d3LnNpZW1lbnMuY29tL3BraS8wDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAW
+        gBT4FV1HDGx3e3LEAheRaKK292oJRDCCAQQGCCsGAQUFBwEBBIH3MIH0MDIGCCsG
+        AQUFBzAChiZodHRwOi8vYWguc2llbWVucy5jb20vcGtpP1paWlpaWkE2LmNydDBB
+        BggrBgEFBQcwAoY1bGRhcDovL2FsLnNpZW1lbnMubmV0L0NOPVpaWlpaWkE2LEw9
+        UEtJP2NBQ2VydGlmaWNhdGUwSQYIKwYBBQUHMAKGPWxkYXA6Ly9hbC5zaWVtZW5z
+        LmNvbS9DTj1aWlpaWlpBNixvPVRydXN0Y2VudGVyP2NBQ2VydGlmaWNhdGUwMAYI
+        KwYBBQUHMAGGJGh0dHA6Ly9vY3NwLnBraS1zZXJ2aWNlcy5zaWVtZW5zLmNvbTAN
+        BgkqhkiG9w0BAQsFAAOCAgEAXPVcX6vaEcszJqg5IemF9aFTlwTrX5ITNIpzcqG+
+        kD5haOf2mZYLjl+MKtLC1XfmIsGCUZNb8bjP6QHQEI+2d6x/ZOqPq7Kd7PwVu6x6
+        xZrkDjUyhUbUntT5+RBy++l3Wf6Cq6Kx+K8ambHBP/bu90/p2U8KfFAG3Kr2gI2q
+        fZrnNMOxmJfZ3/sXxssgLkhbZ7hRa+MpLfQ6uFsSiat3vlawBBvTyHnoZ/7oRc8y
+        qi6QzWcd76CPpMElYWibl+hJzKbBZUWvc71AzHR6i1QeZ6wubYz7vr+FF5Y7tnxB
+        Vz6omPC9XAg0F+Dla6Zlz3Awj5imCzVXa+9SjtnsidmJdLcKzTAKyDewewoxYOOJ
+        j3cJU7VSjJPl+2fVmDBaQwcNcUcu/TPAKApkegqO7tRF9IPhjhW8QkRnkqMetO3D
+        OXmAFVIsEI0Hvb2cdb7B6jSpjGUuhaFm9TCKhQtCk2p8JCDTuaENLm1x34rrJKbT
+        2vzyYN0CZtSkUdgD4yQxK9VWXGEzexRisWb4AnZjD2NAquLPpXmw8N0UwFD7MSpC
+        dpaX7FktdvZmMXsnGiAdtLSbBgLVWOD1gmJFDjrhNbI8NOaOaNk4jrfGqNh5lhGU
+        4DnBT2U6Cie1anLmFH/oZooAEXR2o3Nu+1mNDJChnJp0ovs08aa3zZvBdcloOvfU
+        qdowggh3MIIGX6ADAgECAgQtyi/nMA0GCSqGSIb3DQEBCwUAMIGZMQswCQYDVQQG
+        EwJERTEPMA0GA1UECAwGQmF5ZXJuMREwDwYDVQQHDAhNdWVuY2hlbjEQMA4GA1UE
+        CgwHU2llbWVuczERMA8GA1UEBRMIWlpaWlpaQTExHTAbBgNVBAsMFFNpZW1lbnMg
+        VHJ1c3QgQ2VudGVyMSIwIAYDVQQDDBlTaWVtZW5zIFJvb3QgQ0EgVjMuMCAyMDE2
+        MB4XDTE2MDcyMDEzNDYxMFoXDTIyMDcyMDEzNDYxMFowgbYxCzAJBgNVBAYTAkRF
+        MQ8wDQYDVQQIDAZCYXllcm4xETAPBgNVBAcMCE11ZW5jaGVuMRAwDgYDVQQKDAdT
+        aWVtZW5zMREwDwYDVQQFEwhaWlpaWlpBNjEdMBsGA1UECwwUU2llbWVucyBUcnVz
+        dCBDZW50ZXIxPzA9BgNVBAMMNlNpZW1lbnMgSXNzdWluZyBDQSBNZWRpdW0gU3Ry
+        ZW5ndGggQXV0aGVudGljYXRpb24gMjAxNjCCAiIwDQYJKoZIhvcNAQEBBQADggIP
+        ADCCAgoCggIBAL9UfK+JAZEqVMVvECdYF9IK4KSw34AqyNl3rYP5x03dtmKaNu+2
+        0fQqNESA1NGzw3s6LmrKLh1cR991nB2cvKOXu7AvEGpSuxzIcOROd4NpvRx+Ej1p
+        JIPeqf+ScmVK7lMSO8QL/QzjHOpGV3is9sG+ZIxOW9U1ESooy4Hal6ZNs4DNItsz
+        piCKqm6G3et4r2WqCy2RRuSqvnmMza7Y8BZsLy0ZVo5teObQ37E/FxqSrbDI8nxn
+        B7nVUve5ZjrqoIGSkEOtyo11003dVO1vmWB9A0WQGDqE/q3w178hGhKfxzRaqzyi
+        SoADUYS2sD/CglGTUxVq6u0pGLLsCFjItcCWqW+T9fPYfJ2CEd5b3hvqdCn+pXjZ
+        /gdX1XAcdUF5lRnGWifaYpT9n4s4adzX8q6oHSJxTppuAwLRKH6eXALbGQ1I9lGQ
+        DSOipD/09xkEsPw6HOepmf2U3YxZK1VU2sHqugFJboeLcHMzp6E1n2ctlNG1GKE9
+        FDHmdyFzDi0Nnxtf/GgVjnHF68hByEE1MYdJ4nJLuxoT9hyjYdRW9MpeNNxxZnmz
+        W3zh7QxIqP0ZfIz6XVhzrI9uZiqwwojDiM5tEOUkQ7XyW6grNXe75yt6mTj89LlB
+        H5fOW2RNmCy/jzBXDjgyskgK7kuCvUYTuRv8ITXbBY5axFA+CpxZqokpAgMBAAGj
+        ggKmMIICojCCAQUGCCsGAQUFBwEBBIH4MIH1MEEGCCsGAQUFBzAChjVsZGFwOi8v
+        YWwuc2llbWVucy5uZXQvQ049WlpaWlpaQTEsTD1QS0k/Y0FDZXJ0aWZpY2F0ZTAy
+        BggrBgEFBQcwAoYmaHR0cDovL2FoLnNpZW1lbnMuY29tL3BraT9aWlpaWlpBMS5j
+        cnQwSgYIKwYBBQUHMAKGPmxkYXA6Ly9hbC5zaWVtZW5zLmNvbS91aWQ9WlpaWlpa
+        QTEsbz1UcnVzdGNlbnRlcj9jQUNlcnRpZmljYXRlMDAGCCsGAQUFBzABhiRodHRw
+        Oi8vb2NzcC5wa2ktc2VydmljZXMuc2llbWVucy5jb20wHwYDVR0jBBgwFoAUcG2g
+        UOyp0CxnnRkV/v0EczXD4tQwEgYDVR0TAQH/BAgwBgEB/wIBADBABgNVHSAEOTA3
+        MDUGCCsGAQQBoWkHMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuc2llbWVucy5j
+        b20vcGtpLzCBxwYDVR0fBIG/MIG8MIG5oIG2oIGzhj9sZGFwOi8vY2wuc2llbWVu
+        cy5uZXQvQ049WlpaWlpaQTEsTD1QS0k/YXV0aG9yaXR5UmV2b2NhdGlvbkxpc3SG
+        Jmh0dHA6Ly9jaC5zaWVtZW5zLmNvbS9wa2k/WlpaWlpaQTEuY3JshkhsZGFwOi8v
+        Y2wuc2llbWVucy5jb20vdWlkPVpaWlpaWkExLG89VHJ1c3RjZW50ZXI/YXV0aG9y
+        aXR5UmV2b2NhdGlvbkxpc3QwJwYDVR0lBCAwHgYIKwYBBQUHAwIGCCsGAQUFBwME
+        BggrBgEFBQcDCTAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFPgVXUcMbHd7csQC
+        F5Foorb3aglEMA0GCSqGSIb3DQEBCwUAA4ICAQBw+sqMp3SS7DVKcILEmXbdRAg3
+        lLO1r457KY+YgCT9uX4VG5EdRKcGfWXK6VHGCi4Dos5eXFV34Mq/p8nu1sqMuoGP
+        YjHn604eWDprhGy6GrTYdxzcE/GGHkpkuE3Ir/45UcmZlOU41SJ9SNjuIVrSHMOf
+        ccSY42BCspR/Q1Z/ykmIqQecdT3/Kkx02GzzSN2+HlW6cEO4GBW5RMqsvd2n0h2d
+        fe2zcqOgkLtx7u2JCR/U77zfyxG3qXtcymoz0wgSHcsKIl+GUjITLkHfS9Op8V7C
+        Gr/dX437sIg5pVHmEAWadjkIzqdHux+EF94Z6kaHywohc1xG0KvPYPX7iSNjkvhz
+        4NY53DHmxl4YEMLffZnaS/dqyhe1GTpcpyN8WiR4KuPfxrkVDOsuzWFtMSvNdlOV
+        gdI0MXcLMP+EOeANZWX6lGgJ3vWyemo58nzgshKd24MY3w3i6masUkxJH2KvI7UH
+        /1Db3SC8oOUjInvSRej6M3ZhYWgugm6gbpUgFoDw/o9Cg6Qm71hY0JtcaPC13rzm
+        N8a2Br0+Fa5e2VhwLmAxyfe1JKzqPwuHT0S5u05SQghL5VdzqfA8FCL/j4XC9yI6
+        csZTAQi73xFQYVjZt3+aoSz84lOlTmVo/jgvGMY/JzH9I4mETGgAJRNj34Z/0meh
+        M+pKWCojNH/dgyJSwDGCAlIwggJOAgEBMIG/MIG2MQswCQYDVQQGEwJERTEPMA0G
+        A1UECAwGQmF5ZXJuMREwDwYDVQQHDAhNdWVuY2hlbjEQMA4GA1UECgwHU2llbWVu
+        czERMA8GA1UEBRMIWlpaWlpaQTYxHTAbBgNVBAsMFFNpZW1lbnMgVHJ1c3QgQ2Vu
+        dGVyMT8wPQYDVQQDDDZTaWVtZW5zIElzc3VpbmcgQ0EgTWVkaXVtIFN0cmVuZ3Ro
+        IEF1dGhlbnRpY2F0aW9uIDIwMTYCBBXXLOIwCwYJYIZIAWUDBAIBoGkwHAYJKoZI
+        hvcNAQkFMQ8XDTE5MTEyMDE0NTYyMFowLwYJKoZIhvcNAQkEMSIEIJDnZUpcVLzC
+        OdtpkH8gtxwLPIDE0NmAmFC9uM8q2z+OMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0B
+        BwEwCwYJKoZIhvcNAQEBBIIBAH/Pqv2xp3a0jSPkwU1K3eGA/1lfoNJMUny4d/PS
+        LVWlkgrmedXdLmuBzAGEaaZOJS0lEpNd01pR/reHs7xxZ+RZ0olTs2ufM0CijQSx
+        OL9HDl2O3OoD77NWx4tl3Wy1yJCeV3XH/cEI7AkKHCmKY9QMoMYWh16ORBtr+YcS
+        YK+gONOjpjgcgTJgZ3HSFgQ50xiD4WT1kFBHsuYsLqaOSbTfTN6Ayyg4edjrPQqa
+        VcVf1OQcIrfWA3yMQrnEZfOYfN/D4EPjTfxBV+VCi/F2bdZmMbJ7jNk1FbewSwWO
+        SDH1i0K32NyFbnh0BSos7njq7ELqKlYBsoB/sZfaH2vKy5U=
+        -----END SIGNED MESSAGE-----
+      SIGNATURE
+    end
+
+    def signed_tag_base_data
+      <<~SIGNEDDATA
+      object 189a6c924013fc3fe40d6f1ec1dc20214183bc97
+      type commit
+      tag v1.1.1
+      tagger Roger Meier <r.meier@siemens.com> 1574261780 +0100
+
+      x509 signed tag
+      SIGNEDDATA
+    end
+
     def certificate_crl
       'http://ch.siemens.com/pki?ZZZZZZA2.crl'
     end
 
+    def tag_certificate_crl
+      'http://ch.siemens.com/pki?ZZZZZZA6.crl'
+    end
+
     def certificate_serial
       1810356222
     end
 
+    def tag_certificate_serial
+      3664232660
+    end
+
     def certificate_subject_key_identifier
       'EC:00:B5:28:02:5C:D3:A5:A1:AB:C2:A1:34:81:84:AA:BF:9B:CF:F8'
     end
 
+    def tag_certificate_subject_key_identifier
+      '21:7E:82:45:29:5D:0E:B1:19:CD:24:45:65:EE:0C:5C:73:03:5E:33'
+    end
+
     def issuer_subject_key_identifier
       'BD:BD:2A:43:22:3D:48:4A:57:7E:98:31:17:A9:70:9D:EE:9F:A8:99'
     end
 
+    def tag_issuer_subject_key_identifier
+      'F8:15:5D:47:0C:6C:77:7B:72:C4:02:17:91:68:A2:B6:F7:6A:09:44'
+    end
+
     def certificate_email
       'r.meier@siemens.com'
     end
@@ -197,6 +330,10 @@ module X509Helpers
       'CN=Siemens Issuing CA EE Auth 2016,OU=Siemens Trust Center,serialNumber=ZZZZZZA2,O=Siemens,L=Muenchen,ST=Bayern,C=DE'
     end
 
+    def tag_certificate_issuer
+      'CN=Siemens Issuing CA Medium Strength Authentication 2016,OU=Siemens Trust Center,serialNumber=ZZZZZZA6,O=Siemens,L=Muenchen,ST=Bayern,C=DE'
+    end
+
     def certificate_subject
       'CN=Meier Roger,O=Siemens,SN=Meier,GN=Roger,serialNumber=Z000NWDH'
     end