Fix 404 on Commit Signature API when using Rugged

app/models/commit.rb

@@ -335,7 +335,11 @@ class Commit
     strong_memoize(:raw_signature_type) do
       next unless @raw.instance_of?(Gitlab::Git::Commit)
 
-      @raw.raw_commit.signature_type if defined? @raw.raw_commit.signature_type
+      if raw_commit_from_rugged? && gpg_commit.signature_text.present?
+        :PGP
+      elsif defined? @raw.raw_commit.signature_type
+        @raw.raw_commit.signature_type
+      end
     end
   end
 
@@ -347,7 +351,7 @@ class Commit
     strong_memoize(:signature) do
       case signature_type
       when :PGP
-        Gitlab::Gpg::Commit.new(self).signature
+        gpg_commit.signature
       when :X509
         Gitlab::X509::Commit.new(self).signature
       else
@@ -356,6 +360,14 @@ class Commit
     end
   end
 
+  def raw_commit_from_rugged?
+    @raw.raw_commit.is_a?(Rugged::Commit)
+  end
+
+  def gpg_commit
+    @gpg_commit ||= Gitlab::Gpg::Commit.new(self)
+  end
+
   def revert_branch_name
     "revert-#{short_id}"
   end

changelogs/unreleased/211357-api-endpoint-to-get-the-gpg-signature-of-a-commit-always-returns-4.yml

+---
+title: Fix 404 error from Commit Signature API when using Rugged
+merge_request: 46736
+author:
+type: fixed

doc/api/commits.md

@@ -842,7 +842,8 @@ Example response if commit is GPG signed:
   "gpg_key_primary_keyid": "8254AAB3FBD54AC9",
   "gpg_key_user_name": "John Doe",
   "gpg_key_user_email": "johndoe@example.com",
-  "gpg_key_subkey_id": null
+  "gpg_key_subkey_id": null,
+  "commit_source": "gitaly"
 }
 ```
 
@@ -865,7 +866,8 @@ Example response if commit is X.509 signed:
       "subject_key_identifier": "AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB",
       "crl_url": "http://example.com/pki.crl"
     }
-  }
+  },
+  "commit_source": "gitaly"
 }
 ```
 

lib/api/entities/commit_signature.rb

@@ -4,13 +4,28 @@ module API
   module Entities
     class CommitSignature < Grape::Entity
       expose :signature_type
+
       expose :signature, merge: true do |commit, options|
-        if commit.signature.is_a?(GpgSignature)
-          ::API::Entities::GpgCommitSignature.represent commit.signature, options
+        if commit.signature.is_a?(GpgSignature) || commit.raw_commit_from_rugged?
+          ::API::Entities::GpgCommitSignature.represent commit_signature(commit), options
         elsif commit.signature.is_a?(X509CommitSignature)
           ::API::Entities::X509Signature.represent commit.signature, options
         end
       end
+
+      expose :commit_source do |commit, _|
+        commit.raw_commit_from_rugged? ? "rugged" : "gitaly"
+      end
+
+      private
+
+      def commit_signature(commit)
+        if commit.raw_commit_from_rugged?
+          commit.gpg_commit.signature
+        else
+          commit.signature
+        end
+      end
     end
   end
 end

scripts/lint-rugged

@@ -18,6 +18,11 @@ ALLOWED = [
   # Needed to detect Rugged enabled: https://gitlab.com/gitlab-org/gitlab/issues/35371
   'lib/gitlab/config_checker/puma_rugged_checker.rb',
 
+  # Needed for GPG/X509 commit signature API
+  #
+  'app/models/commit.rb',
+  'lib/api/entities/commit_signature.rb',
+
   # Needed for logging
   'config/initializers/peek.rb',
   'config/initializers/lograge.rb',

spec/requests/api/commits_spec.rb

@@ -1991,6 +1991,17 @@ RSpec.describe API::Commits do
         expect(json_response['x509_certificate']['x509_issuer']['subject']).to eq(commit.signature.x509_certificate.x509_issuer.subject)
         expect(json_response['x509_certificate']['x509_issuer']['subject_key_identifier']).to eq(commit.signature.x509_certificate.x509_issuer.subject_key_identifier)
         expect(json_response['x509_certificate']['x509_issuer']['crl_url']).to eq(commit.signature.x509_certificate.x509_issuer.crl_url)
+        expect(json_response['commit_source']).to eq('gitaly')
+      end
+
+      context 'with Rugged enabled', :enable_rugged do
+        it 'returns correct JSON' do
+          get api(route, current_user)
+
+          expect(response).to have_gitlab_http_status(:ok)
+          expect(json_response['signature_type']).to eq('PGP')
+          expect(json_response['commit_source']).to eq('rugged')
+        end
       end
     end
   end