Add signature format constants and rename SSHSignatureVendor to SSHSigSignatureVendor

Add constants for signature formats to make code more maintainable:
- SIGNATURE_FORMAT_OPENPGP
- SIGNATURE_FORMAT_X509
- SIGNATURE_FORMAT_SSH

dulwich/signature.py

@@ -26,6 +26,11 @@ from typing import TYPE_CHECKING
 if TYPE_CHECKING:
     from dulwich.config import Config
 
+# Git signature format constants
+SIGNATURE_FORMAT_OPENPGP = "openpgp"
+SIGNATURE_FORMAT_X509 = "x509"
+SIGNATURE_FORMAT_SSH = "ssh"
+
 
 class SignatureVendor:
     """A signature implementation for signing and verifying Git objects."""
@@ -325,12 +330,15 @@ class GPGCliSignatureVendor(SignatureVendor):
                 )
 
 
-class SSHSignatureVendor(SignatureVendor):
-    """Signature vendor that uses SSH keys for signing and verification.
+class SSHSigSignatureVendor(SignatureVendor):
+    """Signature vendor that uses the sshsig Python package for SSH signature verification.
+
+    Note: This vendor only supports verification, not signing. The sshsig package
+    does not provide signing functionality. For signing, use SSHCliSignatureVendor.
 
     Supports git config options:
     - gpg.ssh.allowedSignersFile: File containing allowed SSH public keys
-    - gpg.ssh.defaultKeyCommand: Command to get default SSH key
+    - gpg.ssh.defaultKeyCommand: Command to get default SSH key (currently unused)
     """
 
     def __init__(self, config: "Config | None" = None) -> None:
@@ -395,10 +403,11 @@ class SSHSignatureVendor(SignatureVendor):
           ValueError: if no allowed signers are configured or provided
           sshsig.sshsig.InvalidSignature: if signature verification fails
         """
+        from typing import Any
+
         import sshsig.allowed_signers
         import sshsig.ssh_public_key
         import sshsig.sshsig
-        from typing import Any
 
         # Determine allowed signers
         allowed_keys: list[Any] = []
@@ -639,15 +648,19 @@ def get_signature_vendor(
         if config is not None:
             try:
                 format_bytes = config.get((b"gpg",), b"format")
-                format = format_bytes.decode("utf-8") if format_bytes else "openpgp"
+                format = (
+                    format_bytes.decode("utf-8")
+                    if format_bytes
+                    else SIGNATURE_FORMAT_OPENPGP
+                )
             except KeyError:
-                format = "openpgp"
+                format = SIGNATURE_FORMAT_OPENPGP
         else:
-            format = "openpgp"
+            format = SIGNATURE_FORMAT_OPENPGP
 
     format_lower = format.lower()
 
-    if format_lower == "openpgp":
+    if format_lower == SIGNATURE_FORMAT_OPENPGP:
         # Try to use GPG package vendor first, fall back to CLI
         try:
             import gpg  # noqa: F401
@@ -655,14 +668,14 @@ def get_signature_vendor(
             return GPGSignatureVendor(config=config)
         except ImportError:
             return GPGCliSignatureVendor(config=config)
-    elif format_lower == "x509":
+    elif format_lower == SIGNATURE_FORMAT_X509:
         raise ValueError("X.509 signatures are not yet supported")
-    elif format_lower == "ssh":
+    elif format_lower == SIGNATURE_FORMAT_SSH:
         # Try to use sshsig package vendor first (verify-only), fall back to CLI
         try:
             import sshsig  # noqa: F401
 
-            return SSHSignatureVendor(config=config)
+            return SSHSigSignatureVendor(config=config)
         except ImportError:
             return SSHCliSignatureVendor(config=config)
     else:

tests/test_signature.py

@@ -31,7 +31,7 @@ from dulwich.signature import (
     GPGSignatureVendor,
     SignatureVendor,
     SSHCliSignatureVendor,
-    SSHSignatureVendor,
+    SSHSigSignatureVendor,
     get_signature_vendor,
 )
 
@@ -312,8 +312,8 @@ class GetSignatureVendorTests(unittest.TestCase):
     def test_ssh_format_supported(self) -> None:
         """Test that ssh format is now supported."""
         vendor = get_signature_vendor(format="ssh")
-        # Should be either SSHSignatureVendor or SSHCliSignatureVendor
-        self.assertIsInstance(vendor, (SSHSignatureVendor, SSHCliSignatureVendor))
+        # Should be either SSHSigSignatureVendor or SSHCliSignatureVendor
+        self.assertIsInstance(vendor, (SSHSigSignatureVendor, SSHCliSignatureVendor))
 
     def test_invalid_format(self) -> None:
         """Test that invalid format raises ValueError."""
@@ -334,23 +334,23 @@ class GetSignatureVendorTests(unittest.TestCase):
     def test_ssh_format(self) -> None:
         """Test requesting SSH format."""
         vendor = get_signature_vendor(format="ssh")
-        # Should be either SSHSignatureVendor or SSHCliSignatureVendor
-        self.assertIsInstance(vendor, (SSHSignatureVendor, SSHCliSignatureVendor))
+        # Should be either SSHSigSignatureVendor or SSHCliSignatureVendor
+        self.assertIsInstance(vendor, (SSHSigSignatureVendor, SSHCliSignatureVendor))
 
 
-class SSHSignatureVendorTests(unittest.TestCase):
-    """Tests for SSHSignatureVendor (sshsig package implementation)."""
+class SSHSigSignatureVendorTests(unittest.TestCase):
+    """Tests for SSHSigSignatureVendor (sshsig package implementation)."""
 
     def test_sign_not_supported(self) -> None:
         """Test that sign raises NotImplementedError with helpful message."""
-        vendor = SSHSignatureVendor()
+        vendor = SSHSigSignatureVendor()
         with self.assertRaises(NotImplementedError) as cm:
             vendor.sign(b"test data", keyid="dummy")
         self.assertIn("SSHCliSignatureVendor", str(cm.exception))
 
     def test_verify_without_config_raises(self) -> None:
         """Test that verify without config or keyids raises ValueError."""
-        vendor = SSHSignatureVendor()
+        vendor = SSHSigSignatureVendor()
         with self.assertRaises(ValueError) as cm:
             vendor.verify(b"test data", b"fake signature")
         self.assertIn("allowedSignersFile", str(cm.exception))
@@ -361,7 +361,7 @@ class SSHSignatureVendorTests(unittest.TestCase):
         config.set((b"gpg", b"ssh"), b"allowedSignersFile", b"/path/to/allowed")
         config.set((b"gpg", b"ssh"), b"defaultKeyCommand", b"ssh-add -L")
 
-        vendor = SSHSignatureVendor(config=config)
+        vendor = SSHSigSignatureVendor(config=config)
         self.assertEqual(vendor.allowed_signers_file, "/path/to/allowed")
         self.assertEqual(vendor.default_key_command, "ssh-add -L")
 
@@ -417,7 +417,7 @@ class SSHSignatureVendorTests(unittest.TestCase):
             pkg_config.set(
                 (b"gpg", b"ssh"), b"allowedSignersFile", allowed_signers.encode()
             )
-            pkg_vendor = SSHSignatureVendor(config=pkg_config)
+            pkg_vendor = SSHSigSignatureVendor(config=pkg_config)
 
             # This should succeed
             pkg_vendor.verify(test_data, signature)