sigstore · k4leung4 · Sep 24, 2024 · Sep 23, 2024 · Sep 23, 2024 · Sep 23, 2024
diff --git a/.github/workflows/add-remove-new-fulcio.yaml b/.github/workflows/add-remove-new-fulcio.yaml
@@ -35,7 +35,7 @@ jobs:
           - fulcio-key-rotation
 
         go-version:
-          - 1.22.x
+          - 1.23.x
 
     env:
       GOPATH: ${{ github.workspace }}

diff --git a/.github/workflows/fulcio-rekor-kind.yaml b/.github/workflows/fulcio-rekor-kind.yaml
@@ -35,7 +35,7 @@ jobs:
           - fulcio rekor ctlog e2e
 
         go-version:
-          - 1.22.x
+          - 1.23.x
 
     env:
       GOPATH: ${{ github.workspace }}

diff --git a/.github/workflows/prober-test.yml b/.github/workflows/prober-test.yml
@@ -25,7 +25,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
-          go-version: '1.22'
+          go-version-file: 'go.mod'
           check-latest: true
 
       - name: Prober test

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -22,7 +22,7 @@ jobs:
     steps:
     - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
       with:
-        go-version: '1.22'
+        go-version-file: 'go.mod'
         check-latest: true
 
     - name: Install ko

diff --git a/.github/workflows/test-action-tuf.yaml b/.github/workflows/test-action-tuf.yaml
@@ -30,7 +30,7 @@ jobs:
         release-version:
           - "main" # Test explicitly with latest
         go-version:
-          - 1.22.x
+          - 1.23.x
         leg:
           - test github action with TUF
     env:

diff --git a/.github/workflows/test-release.yaml b/.github/workflows/test-release.yaml
@@ -30,7 +30,7 @@ jobs:
         leg:
           - fulcio rekor ctlog e2e
         go-version:
-          - 1.22.x
+          - 1.23.x
 
     env:
       RELEASE_VERSION: "v0.7.1"

diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
@@ -17,7 +17,7 @@ jobs:
 
       - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
-          go-version: '1.22'
+          go-version-file: 'go.mod'
           check-latest: true
           cache: true
 
@@ -46,11 +46,11 @@ jobs:
 
       - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
-          go-version: '1.22'
+          go-version-file: 'go.mod'
           check-latest: true
 
       - name: golangci-lint
         uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0
         with:
           # Required: the version of golangci-lint is required and must be specified without patch version: we always use the latest patch version.
-          version: v1.58
+          version: v1.61
diff --git a/.golangci.yml b/.golangci.yml
@@ -43,6 +43,10 @@ issues:
       text: SA1019
   max-issues-per-linter: 0
   max-same-issues: 0
+linters-settings:
+  gosec:
+    excludes:
+      - G115  # integer overflow conversion uint64 -> int64
 run:
   issues-exit-code: 1
   timeout: 15m
diff --git a/cmd/tuf/server/main.go b/cmd/tuf/server/main.go
@@ -68,11 +68,11 @@ func getNamespaceAndClientset(noK8s bool) (string, *kubernetes.Clientset, error)
 
 	config, err := rest.InClusterConfig()
 	if err != nil {
-		return "", nil, fmt.Errorf("Failed to get InClusterConfig: %v", err)
+		return "", nil, fmt.Errorf("failed to get InClusterConfig: %w", err)
 	}
 	clientset, err := kubernetes.NewForConfig(config)
 	if err != nil {
-		return "", nil, fmt.Errorf("Failed to get clientset: %v", err)
+		return "", nil, fmt.Errorf("failed to get clientset: %w", err)
 	}
 
 	return ns, clientset, nil
@@ -84,13 +84,13 @@ func initTUFRepo(ctx context.Context, certsDir, targetDir, repoSecretName, keysS
 
 	ns, clientset, err := getNamespaceAndClientset(*noK8s)
 	if err != nil {
-		return fmt.Errorf("failed to get namespace and clientset: %v", err)
+		return fmt.Errorf("failed to get namespace and clientset: %w", err)
 	}
 
 	trimDir := strings.TrimSuffix(certsDir, "/")
 	tufFiles, err := os.ReadDir(trimDir)
 	if err != nil {
-		return fmt.Errorf("failed to read dir %s: %v", trimDir, err)
+		return fmt.Errorf("failed to read dir %s: %w", trimDir, err)
 	}
 	files := map[string][]byte{}
 	for _, file := range tufFiles {
@@ -105,7 +105,7 @@ func initTUFRepo(ctx context.Context, certsDir, targetDir, repoSecretName, keysS
 			fileName := fmt.Sprintf("%s/%s", trimDir, file.Name())
 			fileBytes, err := os.ReadFile(fileName)
 			if err != nil {
-				return fmt.Errorf("failed to read file %s: %v", fileName, err)
+				return fmt.Errorf("failed to read file %s: %w", fileName, err)
 			}
 			// If it's a TSA file, we need to split it into multiple TUF
 			// targets.
@@ -114,7 +114,7 @@ func initTUFRepo(ctx context.Context, certsDir, targetDir, repoSecretName, keysS
 
 				certFiles, err := certs.SplitCertChain(fileBytes, "tsa")
 				if err != nil {
-					return fmt.Errorf("failed to parse %s: %v", fileName, err)
+					return fmt.Errorf("failed to parse %s: %w", fileName, err)
 				}
 				for k, v := range certFiles {
 					logging.FromContext(ctx).Infof("Got tsa cert file %s", k)
@@ -130,16 +130,16 @@ func initTUFRepo(ctx context.Context, certsDir, targetDir, repoSecretName, keysS
 	// Create a new TUF root with the listed artifacts.
 	local, dir, err := repo.CreateRepoWithOptions(ctx, files, repo.CreateRepoOptions{AddMetadataTargets: *metadataTargets, AddTrustedRoot: *trustedRoot})
 	if err != nil {
-		return fmt.Errorf("failed to create repo: %v", err)
+		return fmt.Errorf("failed to create repo: %w", err)
 	}
 
 	meta, err := local.GetMeta()
 	if err != nil {
-		return fmt.Errorf("getting meta: %v", err)
+		return fmt.Errorf("getting meta: %w", err)
 	}
 	rootJSON, ok := meta["root.json"]
 	if !ok {
-		return fmt.Errorf("getting root: %v", err)
+		return fmt.Errorf("getting root: %w", err)
 	}
 
 	// Add the initial 1.root.json to secrets.
@@ -151,36 +151,36 @@ func initTUFRepo(ctx context.Context, certsDir, targetDir, repoSecretName, keysS
 	// worries here.
 	var compressed bytes.Buffer
 	if err := repo.CompressFS(os.DirFS(dir), &compressed, map[string]bool{"keys": true, "staged": true}); err != nil {
-		return fmt.Errorf("failed to compress the repo: %v", err)
+		return fmt.Errorf("failed to compress the repo: %w", err)
 	}
 	data["repository"] = compressed.Bytes()
 
 	if !*noK8s {
 		nsSecret := clientset.CoreV1().Secrets(ns)
 		if err := secret.ReconcileSecret(ctx, repoSecretName, ns, data, nsSecret); err != nil {
-			return fmt.Errorf("failed to reconcile secret %s/%s: %v", ns, repoSecretName, err)
+			return fmt.Errorf("failed to reconcile secret %s/%s: %w", ns, repoSecretName, err)
 		}
 
 		// If we should also store created keys in a secret, read all their files and save them in the secret
 		if keysSecretName != "" {
 			keyFiles, err := os.ReadDir(filepath.Join(dir, "keys"))
 			if err != nil {
-				return fmt.Errorf("failed to list keys directory %v", err)
+				return fmt.Errorf("failed to list keys directory %w", err)
 			}
 			dataKeys := map[string][]byte{}
 			for _, keyFile := range keyFiles {
 				if !strings.HasSuffix(keyFile.Name(), ".json") {
 					continue
 				}
-				keyFilePath := filepath.Join(filepath.Join(dir, "keys", keyFile.Name()))
+				keyFilePath := filepath.Join(dir, "keys", keyFile.Name())
 				content, err := os.ReadFile(keyFilePath)
 				if err != nil {
-					return fmt.Errorf("failed reading file %s: %v", keyFilePath, err)
+					return fmt.Errorf("failed reading file %s: %w", keyFilePath, err)
 				}
 				dataKeys[keyFile.Name()] = content
 			}
 			if err := secret.ReconcileSecret(ctx, keysSecretName, ns, dataKeys, nsSecret); err != nil {
-				return fmt.Errorf("failed to reconcile keys secret %s/%s: %v", ns, keysSecretName, err)
+				return fmt.Errorf("failed to reconcile keys secret %s/%s: %w", ns, keysSecretName, err)
 			}
 		}
 	}
@@ -189,8 +189,7 @@ func initTUFRepo(ctx context.Context, certsDir, targetDir, repoSecretName, keysS
 
 	// Copy repository to the targetDir - until Go 1.23 which has os.CopyFS, we use
 	// a quick hack where we uncompress the compressed repository to the targetDir
-	repo.Uncompress(bytes.NewReader(data["repository"]), targetDir)
-	return nil
+	return repo.Uncompress(bytes.NewReader(data["repository"]), targetDir)
 }
 
 func main() {

diff --git a/go.mod b/go.mod
@@ -1,11 +1,12 @@
 module github.com/sigstore/scaffolding
 
-go 1.22.6
+go 1.23.1
 
 require (
 	chainguard.dev/exitdir v0.0.1
+	filippo.io/edwards25519 v1.1.0
 	github.com/cenkalti/backoff/v3 v3.2.2
-	github.com/go-jose/go-jose/v3 v3.0.3
+	github.com/go-jose/go-jose/v4 v4.0.4
 	github.com/go-openapi/strfmt v0.23.0
 	github.com/go-openapi/swag v0.23.0
 	github.com/go-sql-driver/mysql v1.8.1
@@ -45,7 +46,6 @@ require (
 	google.golang.org/genproto v0.0.0-20240823204242-4ba0660f739c
 	google.golang.org/grpc v1.66.2
 	google.golang.org/protobuf v1.34.2
-	gopkg.in/square/go-jose.v2 v2.6.0
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/api v0.31.1
 	k8s.io/apimachinery v0.31.1
@@ -70,7 +70,6 @@ require (
 	cloud.google.com/go/spanner v1.67.0 // indirect
 	cloud.google.com/go/trace v1.10.12 // indirect
 	contrib.go.opencensus.io/exporter/stackdriver v0.13.14 // indirect
-	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 // indirect
 	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.13.0 // indirect
@@ -156,7 +155,7 @@ require (
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-chi/chi v4.1.2+incompatible // indirect
-	github.com/go-jose/go-jose/v4 v4.0.4 // indirect
+	github.com/go-jose/go-jose/v3 v3.0.3 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/analysis v0.23.0 // indirect

diff --git a/go.sum b/go.sum
@@ -2392,8 +2392,6 @@ gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
 gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
-gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
-gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=

diff --git a/pkg/repo/repo.go b/pkg/repo/repo.go
@@ -388,7 +388,7 @@ func certChainToCertificateAuthority(certChainPem []byte) (*root.CertificateAuth
 }
 
 func concatCertChain(leaf []byte, intermediate [][]byte, root []byte) []byte {
-	var result []byte
+	result := []byte{}
 	if len(leaf) > 0 {
 		// for Fulcio, the leaf will always be empty, don't necessarily append an empty newline
 		result = append(result, leaf...)

diff --git a/pkg/repo/repo_test.go b/pkg/repo/repo_test.go
@@ -217,6 +217,7 @@ func TestCompressUncompressFS(t *testing.T) {
 	if err = CompressFS(fsys, &buf, map[string]bool{"keys": true, "staged": true}); err != nil {
 		t.Fatalf("Failed to compress: %v", err)
 	}
+	// #nosec G306 -- test
 	if err := os.WriteFile(filepath.Join(t.TempDir(), "newcompressed"), buf.Bytes(), os.ModePerm); err != nil {
 		t.Fatalf("Failed to write compressed output")
 	}

diff --git a/...ICENSE/gopkg.in/square/go-jose.v2/LICENSE → ...-LICENSE/cloud.google.com/go/auth/LICENSE b/...ICENSE/gopkg.in/square/go-jose.v2/LICENSE → ...-LICENSE/cloud.google.com/go/auth/LICENSE