sigstore · bobcallaway · Oct 29, 2023 · Oct 27, 2023 · Oct 27, 2023 · Oct 27, 2023
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -113,7 +113,7 @@ jobs:
       - name: setup kind cluster
         run: |
           # Used to test: cosign generate-key-pair k8s://...
-          go install sigs.k8s.io/kind@v0.17.0
+          go install sigs.k8s.io/kind@v0.20.0
           kind create cluster
 
       - name: Run end-to-end tests
@@ -178,5 +178,5 @@ jobs:
         uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
         with:
           # Required: the version of golangci-lint is required and must be specified without patch version: we always use the latest patch version.
-          version: v1.54
+          version: v1.55
           args: --timeout=5m
diff --git a/go.mod b/go.mod
diff --git a/go.sum b/go.sum
diff --git a/internal/pkg/cosign/tsa/mock/mock_tsa_client.go b/internal/pkg/cosign/tsa/mock/mock_tsa_client.go
@@ -117,5 +117,5 @@ func (c *TSAClient) GetTimestampResponse(tsq []byte) ([]byte, error) {
 		tsStruct.Time = c.Time
 	}
 
-	return tsStruct.CreateResponse(c.CertChain[0], c.Signer)
+	return tsStruct.CreateResponseWithOpts(c.CertChain[0], c.Signer, crypto.SHA256)
 }
diff --git a/pkg/cosign/keys_test.go b/pkg/cosign/keys_test.go
@@ -376,12 +376,12 @@ func TestImportPrivateKey(t *testing.T) {
 		{
 			fileName: "invalidrsasmallkey.key",
 			pemData:  invalidrsasmallkey,
-			expected: errors.New("error validating rsa key: key too small: 1024"),
+			expected: errors.New("error validating rsa key: key size not supported: 1024"),
 		},
 		{
 			fileName: "invalidrsalargekey.key",
 			pemData:  invalidrsalargekey,
-			expected: errors.New("error validating rsa key: key too large: 5120 > 4096"),
+			expected: errors.New("error validating rsa key: key size not supported: 5120"),
 		},
 		// EC tests
 		{

diff --git a/pkg/cosign/kubernetes/secret.go b/pkg/cosign/kubernetes/secret.go
@@ -21,11 +21,10 @@ import (
 	"os"
 	"strings"
 
-	"k8s.io/utils/pointer"
-
 	v1 "k8s.io/api/core/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
 
 	"github.com/sigstore/cosign/v2/pkg/cosign"
 )
@@ -120,7 +119,7 @@ func secret(keys *cosign.KeysBytes, namespace, name string, data map[string][]by
 		return &v1.Secret{
 			ObjectMeta: obj,
 			Data:       data,
-			Immutable:  pointer.Bool(true),
+			Immutable:  ptr.To[bool](true),
 		}
 	}
 

diff --git a/pkg/cosign/kubernetes/secret_test.go b/pkg/cosign/kubernetes/secret_test.go
@@ -18,10 +18,9 @@ import (
 	"reflect"
 	"testing"
 
-	"k8s.io/utils/pointer"
-
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
 
 	"github.com/sigstore/cosign/v2/pkg/cosign"
 )
@@ -43,7 +42,7 @@ func TestSecret(t *testing.T) {
 			"cosign.pub":      []byte("public"),
 			"cosign.password": nil,
 		},
-		Immutable: pointer.Bool(true),
+		Immutable: ptr.To[bool](true),
 	}
 	actual := secret(keys, namespace, name, nil, true)
 	if !reflect.DeepEqual(actual, expect) {

diff --git a/pkg/oci/mutate/mutate.go b/pkg/oci/mutate/mutate.go
@@ -96,13 +96,16 @@ func (i *indexWrapper) SignedImage(h v1.Hash) (oci.SignedImage, error) {
 			return si, nil
 		}
 	}
+
 	if sb, ok := i.ogbase.(oci.SignedImageIndex); ok {
 		return sb.SignedImage(h)
-	} else if unsigned, err := i.Image(h); err != nil {
+	}
+
+	unsigned, err := i.Image(h)
+	if err != nil {
 		return nil, err
-	} else {
-		return signed.Image(unsigned), nil
 	}
+	return signed.Image(unsigned), nil
 }
 
 // SignedImageIndex implements oci.SignedImageIndex
@@ -118,13 +121,16 @@ func (i *indexWrapper) SignedImageIndex(h v1.Hash) (oci.SignedImageIndex, error)
 			return sii, nil
 		}
 	}
+
 	if sb, ok := i.ogbase.(oci.SignedImageIndex); ok {
 		return sb.SignedImageIndex(h)
-	} else if unsigned, err := i.ImageIndex(h); err != nil {
+	}
+
+	unsigned, err := i.ImageIndex(h)
+	if err != nil {
 		return nil, err
-	} else {
-		return signed.ImageIndex(unsigned), nil
 	}
+	return signed.ImageIndex(unsigned), nil
 }
 
 // AttachSignatureToEntity attaches the provided signature to the provided entity.

diff --git a/test/e2e_test.go b/test/e2e_test.go
@@ -753,7 +753,8 @@ func TestAttestationReplace(t *testing.T) {
 func TestAttestationRFC3161Timestamp(t *testing.T) {
 	// TSA server needed to create timestamp
 	viper.Set("timestamp-signer", "memory")
-	apiServer := server.NewRestAPIServer("localhost", 0, []string{"http"}, 10*time.Second, 10*time.Second)
+	viper.Set("timestamp-signer-hash", "sha256")
+	apiServer := server.NewRestAPIServer("localhost", 0, []string{"http"}, false, 10*time.Second, 10*time.Second)
 	server := httptest.NewServer(apiServer.GetHandler())
 	t.Cleanup(server.Close)
 
@@ -843,7 +844,8 @@ func TestAttachWithRFC3161Timestamp(t *testing.T) {
 	ctx := context.Background()
 	// TSA server needed to create timestamp
 	viper.Set("timestamp-signer", "memory")
-	apiServer := server.NewRestAPIServer("localhost", 0, []string{"http"}, 10*time.Second, 10*time.Second)
+	viper.Set("timestamp-signer-hash", "sha256")
+	apiServer := server.NewRestAPIServer("localhost", 0, []string{"http"}, false, 10*time.Second, 10*time.Second)
 	server := httptest.NewServer(apiServer.GetHandler())
 	t.Cleanup(server.Close)
 
@@ -1099,7 +1101,8 @@ func TestFulcioBundle(t *testing.T) {
 func TestRFC3161Timestamp(t *testing.T) {
 	// TSA server needed to create timestamp
 	viper.Set("timestamp-signer", "memory")
-	apiServer := server.NewRestAPIServer("localhost", 0, []string{"http"}, 10*time.Second, 10*time.Second)
+	viper.Set("timestamp-signer-hash", "sha256")
+	apiServer := server.NewRestAPIServer("localhost", 0, []string{"http"}, false, 10*time.Second, 10*time.Second)
 	server := httptest.NewServer(apiServer.GetHandler())
 	t.Cleanup(server.Close)
 
@@ -1153,7 +1156,8 @@ func TestRFC3161Timestamp(t *testing.T) {
 func TestRekorBundleAndRFC3161Timestamp(t *testing.T) {
 	// TSA server needed to create timestamp
 	viper.Set("timestamp-signer", "memory")
-	apiServer := server.NewRestAPIServer("localhost", 0, []string{"http"}, 10*time.Second, 10*time.Second)
+	viper.Set("timestamp-signer-hash", "sha256")
+	apiServer := server.NewRestAPIServer("localhost", 0, []string{"http"}, false, 10*time.Second, 10*time.Second)
 	server := httptest.NewServer(apiServer.GetHandler())
 	t.Cleanup(server.Close)
 
@@ -1460,7 +1464,8 @@ func TestSignBlobBundle(t *testing.T) {
 func TestSignBlobRFC3161TimestampBundle(t *testing.T) {
 	// TSA server needed to create timestamp
 	viper.Set("timestamp-signer", "memory")
-	apiServer := server.NewRestAPIServer("localhost", 0, []string{"http"}, 10*time.Second, 10*time.Second)
+	viper.Set("timestamp-signer-hash", "sha256")
+	apiServer := server.NewRestAPIServer("localhost", 0, []string{"http"}, false, 10*time.Second, 10*time.Second)
 	server := httptest.NewServer(apiServer.GetHandler())
 	t.Cleanup(server.Close)