Move signing logic to dulwich.objects.

dulwich/objects.py

@@ -866,6 +866,21 @@ class Tag(ShaFile):
 
     signature = serializable_property("signature", "Optional detached GPG signature")
 
+    def sign(self, keyid: Optional[str] = None):
+        import gpg
+        with gpg.Context(armor=True) as c:
+            if keyid is not None:
+                key = c.get_key(keyid)
+                with gpg.Context(armor=True, signers=[key]) as ctx:
+                    self.signature, unused_result = ctx.sign(
+                        self.as_raw_string(),
+                        mode=gpg.constants.sig.mode.DETACH,
+                    )
+            else:
+                self.signature, unused_result = c.sign(
+                    self.as_raw_string(), mode=gpg.constants.sig.mode.DETACH
+                )
+
 
 class TreeEntry(namedtuple("TreeEntry", ["path", "mode", "sha"])):
     """Named tuple encapsulating a single tree entry."""

dulwich/porcelain.py

@@ -958,19 +958,7 @@ def tag_create(
                 tag_timezone = parse_timezone(tag_timezone)
             tag_obj.tag_timezone = tag_timezone
             if sign:
-                import gpg
-                with gpg.Context(armor=True) as c:
-                    if isinstance(sign, str):
-                        key = c.get_key(sign)
-                        with gpg.Context(armor=True, signers=[key]) as ctx:
-                            tag_obj.signature, unused_result = ctx.sign(
-                                tag_obj.as_raw_string(),
-                                mode=gpg.constants.sig.mode.DETACH,
-                            )
-                    else:
-                        tag_obj.signature, unused_result = c.sign(
-                            tag_obj.as_raw_string(), mode=gpg.constants.sig.mode.DETACH
-                        )
+                tag_obj.sign(sign if isinstance(sign, str) else None)
 
             r.object_store.add_object(tag_obj)
             tag_id = tag_obj.id

dulwich/tests/test_porcelain.py

@@ -1129,6 +1129,7 @@ class TagCreateSignTests(PorcelainGpgTestCase):
         self.assertLess(time.time() - tag.tag_time, 5)
         # GPG Signatures aren't deterministic, so we can't do a static assertion.
         # Instead we need to check the signature can be verified by git
+        tag = self.repo[b'refs/tags/tryme']
         subprocess.run(
             ["git", "--git-dir={}".format(self.repo.controldir()), "tag", "-v", "tryme"],
             check=True,
@@ -1160,6 +1161,7 @@ class TagCreateSignTests(PorcelainGpgTestCase):
         self.assertEqual(b"foo <foo@bar.com>", tag.tagger)
         self.assertEqual(b"bar\n", tag.message)
         self.assertLess(time.time() - tag.tag_time, 5)
+        tag = self.repo[b'refs/tags/tryme']
         # GPG Signatures aren't deterministic, so we can't do a static assertion.
         # Instead we need to check the signature can be verified by git
         subprocess.run(