From cc204207142abaf12f0b7684f8cce50c54abc23f Mon Sep 17 00:00:00 2001
From: Carlos Tadeu Panato Junior
Date: Mon, 16 May 2022 13:49:07 +0200
Subject: [PATCH] Some updates on CI, add new jobs and dependabot config (#29)
* use git hashes instead of git tag
* add dependabot
* add verify and validate gorelease jobs
* add copyright boilerplate
* fix lints
Signed-off-by: cpanato
---
.github/dependabot.yml | 12 ++++++++
.github/workflows/ci.yaml | 9 +++---
.github/workflows/e2e.yaml | 9 +++---
.github/workflows/release.yml | 16 ++++++----
.github/workflows/validate-release.yml | 35 ++++++++++++++++++++++
.github/workflows/verify.yml | 41 ++++++++++++++++++++++++++
.golangci.yml | 36 ++++++++++++++++++++++
Makefile | 4 +++
command_sign.go | 18 ++++++++++-
command_verify.go | 18 ++++++++++-
internal/fulcio/fulcio.go | 9 +++---
internal/git/git.go | 34 ++++++++++++++-------
internal/rekor/rekor.go | 16 ++++++++++
internal/signature/sign.go | 21 +++++++++++--
internal/signature/signature_test.go | 15 ++++++++++
internal/signature/verify.go | 19 ++++++++++--
internal/utils.go | 19 ++++++++++--
main.go | 35 +++++++++++++++++-----
status.go | 24 ++++++++++++---
19 files changed, 341 insertions(+), 49 deletions(-)
create mode 100644 .github/dependabot.yml
create mode 100644 .github/workflows/validate-release.yml
create mode 100644 .github/workflows/verify.yml
create mode 100644 .golangci.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..c023415a
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,12 @@
+version: 2
+updates:
+- package-ecosystem: gomod
+ directory: "/"
+ schedule:
+ interval: weekly
+ open-pull-requests-limit: 10
+- package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: weekly
+ open-pull-requests-limit: 10
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 22b9e215..bde19ef1 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -12,15 +12,16 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2 - name: Set up Go - uses: actions/setup-go@v3 + uses: actions/setup-go@fcdc43634adb5f7ae75a9d7a9b9361790f7293e2 # v3.1.0 with: go-version: 1.18 + check-latest: true - name: Build - run: go build -v ./... + run: make build - name: Unit Tests - run: go test -v ./... + run: make unit-test diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index 202f5409..7912c85b 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml @@ -14,7 +14,7 @@ jobs: id-token: write # Enable OIDC # The rest of these are sanity-check settings, since I'm not sure if the - # org default is permissive or restricted. + # org default is permissive or restricted. # See https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token # for more details. actions: none @@ -34,13 +34,14 @@ jobs: GITSIGN_LOG: "/tmp/gitsign.log" steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2 - name: Set up Go - uses: actions/setup-go@v3 + uses: actions/setup-go@fcdc43634adb5f7ae75a9d7a9b9361790f7293e2 # v3.1.0 with: go-version: 1.18 - + check-latest: true + - name: Test Sign and Verify commit run: | set -e diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 19d7d225..fcab0a03 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -14,21 +14,25 @@ jobs: release: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2 with: fetch-depth: 0 # this is important, otherwise it won't checkout the full tree (i.e. no previous tags) - - uses: actions/setup-go@v3 + + - uses: actions/setup-go@fcdc43634adb5f7ae75a9d7a9b9361790f7293e2 # v3.1.0 with: go-version: 1.18 - - uses: actions/cache@v3 + check-latest: true + + - uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 # v3.0.2 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-go- - - uses: sigstore/cosign-installer@v2.3.0 # installs cosign - - uses: anchore/sbom-action/download-syft@v0.11.0 # installs syft - - uses: goreleaser/goreleaser-action@v2 # run goreleaser + + - uses: sigstore/cosign-installer@536b37ec5d5b543420bdfd9b744c5965bd4d8730 # v2.3.0 + - uses: anchore/sbom-action/download-syft@bb716408e75840bbb01e839347cd213767269d4a # v0.11.0 + - uses: goreleaser/goreleaser-action@b953231f81b8dfd023c58e0854a721e35037f28b # v29.1 with: version: latest args: release --rm-dist diff --git a/.github/workflows/validate-release.yml b/.github/workflows/validate-release.yml new file mode 100644 index 00000000..b1e97e8e --- /dev/null +++ b/.github/workflows/validate-release.yml 
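Review bot: The `version: latest` input under the goreleaser step still lets every release run fetch whichever goreleaser binary is newest, so the action is pinned by commit hash while the tool that builds and publishes the artifacts is not; the same line appears in the new validate-release.yml. Pin it to a reviewed release, `version: <GORELEASER_VERSION>` (placeholder), and bump it deliberately. The trailing comment `# v29.1` on the goreleaser-action pin also looks mistyped, given that the removed line used `@v2`; since the comment is the only human-readable record of what the hash refers to, it should be corrected in both workflows.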
@@ -0,0 +1,35 @@ +name: validate-release + +on: + push: + branches: ['main'] + pull_request: + branches: ['main'] + workflow_dispatch: + +jobs: + validate-release: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2 + + - uses: actions/setup-go@fcdc43634adb5f7ae75a9d7a9b9361790f7293e2 # v3.1.0 + with: + go-version: 1.18 + check-latest: true + + - uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 # v3.0.2 + with: + path: ~/go/pkg/mod + key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} + restore-keys: | + ${{ runner.os }}-go- + + - uses: sigstore/cosign-installer@536b37ec5d5b543420bdfd9b744c5965bd4d8730 # v2.3.0 + - uses: anchore/sbom-action/download-syft@bb716408e75840bbb01e839347cd213767269d4a # v0.11.0 + - uses: goreleaser/goreleaser-action@b953231f81b8dfd023c58e0854a721e35037f28b # v29.1 + with: + version: latest + args: release --rm-dist --snapshot --skip-sign + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml new file mode 100644 index 00000000..1fd3b0b2 --- /dev/null +++ b/.github/workflows/verify.yml 
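Review bot: This new workflow declares no `permissions:` block although it runs on `pull_request` and passes `secrets.GITHUB_TOKEN` to goreleaser, so the token carries whatever the repository or organisation default grants. verify.yml in the same commit already restricts itself with `permissions:` / `contents: read`; a snapshot build with `--skip-sign` should not need more than that, so add the same top-level block here. If goreleaser turns out to need an extra scope for the snapshot, grant it at job level rather than leaving the default.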
@@ -0,0 +1,41 @@ +name: Verify + +on: + push: + pull_request: + +permissions: + contents: read + +jobs: + license-check: + name: license boilerplate check + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2 + - uses: actions/setup-go@fcdc43634adb5f7ae75a9d7a9b9361790f7293e2 # v3.1.0 + with: + go-version: 1.18 + check-latest: true + - name: Install addlicense + run: go install github.com/google/addlicense@v1.0.0 + - name: Check license headers + run: | + set -e + addlicense -l apache -c 'The Sigstore Authors' -v -ignore *.yml -ignore *.yaml * + git diff --exit-code + + golangci: + name: lint + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2 + - uses: actions/setup-go@fcdc43634adb5f7ae75a9d7a9b9361790f7293e2 # v3.1.0 + with: + go-version: 1.18 + check-latest: true + - name: golangci-lint + uses: golangci/golangci-lint-action@537aa1903e5d359d0b27dbc19ddd22c5087f3fbc # v3.2.0 + timeout-minutes: 5 + with: + version: v1.46.0 diff --git a/.golangci.yml b/.golangci.yml new file mode 100644 index 00000000..0392f895 --- /dev/null +++ b/.golangci.yml @@ -0,0 +1,36 @@ +linters: + enable: + - asciicheck + - deadcode + - depguard + - errcheck + - errorlint + - gofmt + - goimports + - gosec + - gocritic + - importas + - prealloc + - revive + - misspell + - stylecheck + - tparallel + - unconvert + - unparam + - whitespace +output: + uniq-by-line: false +issues: + exclude-rules: + - path: _test\.go + linters: + - errcheck + - gosec + - text: "SA1019: package golang.org/x/crypto/openpgp" + linters: + - staticcheck + max-issues-per-linter: 0 + max-same-issues: 0 +run: + issues-exit-code: 1 + timeout: 10m diff --git a/Makefile b/Makefile index 6b084da2..04ae6c63 100644 --- a/Makefile +++ b/Makefile 
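Review bot: In the `Check license headers` step the arguments `-ignore *.yml -ignore *.yaml` are unquoted, so the shell may expand them to file names before addlicense sees them, and the ignore rule then depends on which files happen to sit in the repository root. Quote the patterns, for example `-ignore '**/*.yml' -ignore '**/*.yaml'`. Consider also running `addlicense -check ...` so the job fails on a missing header directly instead of rewriting files and relying on `git diff --exit-code`.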
@@ -22,3 +22,7 @@ build: .PHONY: install install: CGO_ENABLED=0 go install -trimpath -ldflags "$(LDFLAGS)" github.com/sigstore/gitsign + +.PHONY: unit-test +unit-test: + go test -v ./... diff --git a/command_sign.go b/command_sign.go index db2c8dc0..2e793f75 100644 --- a/command_sign.go +++ b/command_sign.go @@ -1,3 +1,18 @@ +// +// Copyright 2022 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + package main import ( @@ -7,6 +22,7 @@ import ( "os" "github.com/pkg/errors" + "github.com/sigstore/gitsign/internal/fulcio" "github.com/sigstore/gitsign/internal/git" "github.com/sigstore/gitsign/internal/signature" @@ -20,7 +36,7 @@ func commandSign() error { } // Git is looking for "\n[GNUPG:] SIG_CREATED ", meaning we need to print a - // line before SIG_CREATED. BEGIN_SIGNING seems appropraite. GPG emits this, + // line before SIG_CREATED. BEGIN_SIGNING seems appropriate. GPG emits this, // though GPGSM does not. sBeginSigning.emit() diff --git a/command_verify.go b/command_verify.go index 7ba85e70..6d4a31ef 100644 --- a/command_verify.go +++ b/command_verify.go 
@@ -1,3 +1,18 @@ +// +// Copyright 2022 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + package main import ( @@ -9,6 +24,7 @@ import ( "os" "github.com/pkg/errors" + "github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioroots" "github.com/sigstore/gitsign/internal" "github.com/sigstore/gitsign/internal/git" @@ -95,7 +111,7 @@ func verifyDetached() error { f = stdin } else { if f, err = os.Open(fileArgs[1]); err != nil { - errors.Wrapf(err, "failed to open message file (%s)", fileArgs[1]) + return errors.Wrapf(err, "failed to open message file (%s)", fileArgs[1]) } defer f.Close() } diff --git a/internal/fulcio/fulcio.go b/internal/fulcio/fulcio.go index cbe95814..dfcfd1d5 100644 --- a/internal/fulcio/fulcio.go +++ b/internal/fulcio/fulcio.go @@ -1,10 +1,11 @@ -// Copyright 2022 Billy Lynch +// +// Copyright 2022 The Sigstore Authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // -// http://www.apache.org/licenses/LICENSE-2.0 +// http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, 
@@ -96,7 +97,6 @@ func (i *Identity) CertificateChain() ([]*x509.Certificate, error) { } return append([]*x509.Certificate{cert}, chain...), nil - } // Signer gets a crypto.Signer that uses the identity's private key. @@ -105,6 +105,7 @@ func (i *Identity) Signer() (crypto.Signer, error) { if !ok { return nil, fmt.Errorf("could not use signer %T as crypto.Signer", i.sv.SignerVerifier) } + return s, nil } @@ -116,7 +117,7 @@ func (i *Identity) Delete() error { // Close any manually managed memory held by the Identity. func (i *Identity) Close() { - return + // noop } func (i *Identity) PublicKey() (crypto.PublicKey, error) { diff --git a/internal/git/git.go b/internal/git/git.go index 6018a16d..717e65d5 100644 --- a/internal/git/git.go +++ b/internal/git/git.go @@ -1,3 +1,18 @@ +// +// Copyright 2022 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + package git import ( @@ -10,6 +25,7 @@ import ( "github.com/go-git/go-git/v5/plumbing" "github.com/go-git/go-git/v5/plumbing/object" "github.com/pkg/errors" + "github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioroots" "github.com/sigstore/gitsign/internal/fulcio" "github.com/sigstore/gitsign/internal/rekor" 
@@ -17,6 +33,8 @@ import ( "github.com/sigstore/rekor/pkg/generated/models" ) +const rekorDefaultURL = "https://rekor.sigstore.dev" + func Sign(ctx context.Context, ident *fulcio.Identity, data []byte, opts signature.SignOptions) ([]byte, *x509.Certificate, error) { sig, cert, err := signature.Sign(ident, data, opts) if err != nil { @@ -29,7 +47,7 @@ func Sign(ctx context.Context, ident *fulcio.Identity, data []byte, opts signatu // using the same key, this is probably okay? e.g. even if you could cause a SHA1 collision, // you would still need the underlying commit to be valid and using the same key which seems hard. - rekor, err := rekor.New("https://rekor.sigstore.dev") + rekor, err := rekor.New(rekorDefaultURL) if err != nil { return nil, nil, errors.Wrap(err, "error creating rekor client") } @@ -97,15 +115,14 @@ func Verify(ctx context.Context, data, sig []byte) (*VerificationSummary, error) // Parse signature sd, err := cms.ParseSignedData(der) if err != nil { - claims = append(claims, NewClaim(ClaimParsedSignature, false)) return nil, errors.Wrap(err, "failed to parse signature") } + claims = append(claims, NewClaim(ClaimParsedSignature, true)) // Generate verification options. certs, err := sd.GetCertificates() if err != nil { - claims = append(claims, NewClaim(ClaimValidatedSignature, false)) return nil, errors.Wrap(err, "error getting signature certs") } opts := x509.VerifyOptions{ 
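Review bot: The new `rekorDefaultURL` constant is used only in `Sign`; `Verify` still calls `rekor.New("https://rekor.sigstore.dev")` with the literal, which is visible as a context line in the later Verify hunk of this file. Signing and verification can therefore drift apart if the log URL is ever changed or made configurable. Change that call to `rekor.New(rekorDefaultURL)` and give the constant a doc comment such as `// rekorDefaultURL is the Rekor transparency log used for both signing and verification.`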
@@ -118,33 +135,29 @@ func Verify(ctx context.Context, data, sig []byte) (*VerificationSummary, error) _, err = sd.VerifyDetached(data, opts) if err != nil { - claims = append(claims, NewClaim(ClaimValidatedSignature, false)) return nil, errors.Wrap(err, "failed to verify signature") } claims = append(claims, NewClaim(ClaimValidatedSignature, true)) commit, err := commitHash(data, sig) if err != nil { - claims = append(claims, NewClaim(ClaimLocatedRekorEntry, false)) return nil, err } rekor, err := rekor.New("https://rekor.sigstore.dev") if err != nil { - claims = append(claims, NewClaim(ClaimLocatedRekorEntry, false)) return nil, err } tlog, err := rekor.Get(ctx, commit, certs[0]) if err != nil { - claims = append(claims, NewClaim(ClaimLocatedRekorEntry, false)) return nil, errors.Wrap(err, "failed to locate rekor entry") } claims = append(claims, NewClaim(ClaimLocatedRekorEntry, true)) if err := rekor.Verify(ctx, tlog); err != nil { - claims = append(claims, NewClaim(ClaimValidatedRekorEntry, true)) return nil, errors.Wrap(err, "failed to validate rekor entry") } + claims = append(claims, NewClaim(ClaimValidatedRekorEntry, true)) return &VerificationSummary{ @@ -157,13 +170,13 @@ func Verify(ctx context.Context, data, sig []byte) (*VerificationSummary, error) func commitHash(data, sig []byte) (string, error) { // Precompute commit hash to store in tlog obj := &plumbing.MemoryObject{} - obj.Write(data) + _, _ = obj.Write(data) obj.SetType(plumbing.CommitObject) // go-git will compute a hash on decode and preserve that. To work around this, // decode into one object then copy everything but the commit into a separate object. base := object.Commit{} - base.Decode(obj) + _ = base.Decode(obj) c := object.Commit{ Author: base.Author, Committer: base.Committer, @@ -174,5 +187,6 @@ func commitHash(data, sig []byte) (string, error) { } out := &plumbing.MemoryObject{} err := c.Encode(out) + return out.Hash().String(), err } 
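Review bot: In `commitHash`, `_, _ = obj.Write(data)` and `_ = base.Decode(obj)` silence errcheck instead of handling the error, even though the function already returns an `error`. If `Decode` fails, `base` is presumably left empty or partly filled, and the function still returns the hash of the re-encoded commit with a nil error; `Verify` then uses that hash for the Rekor lookup. Returning the error from both calls keeps a malformed commit from being hashed as if it were valid. The end of `commitHash` is in the following hunk.

```go
	obj := &plumbing.MemoryObject{}
	if _, err := obj.Write(data); err != nil {
		return "", errors.Wrap(err, "error buffering commit data")
	}
	// … unchanged: obj.SetType and the go-git hash workaround comment …
	base := object.Commit{}
	if err := base.Decode(obj); err != nil {
		return "", errors.Wrap(err, "error decoding commit")
	}
	// … unchanged: field copy into c, Encode, return …
```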
diff --git a/internal/rekor/rekor.go b/internal/rekor/rekor.go index dc0a8ed2..c2d212e2 100644 --- a/internal/rekor/rekor.go +++ b/internal/rekor/rekor.go @@ -1,3 +1,18 @@ +// +// Copyright 2022 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + package rekor import ( @@ -15,6 +30,7 @@ import ( "github.com/go-openapi/strfmt" "github.com/go-openapi/swag" "github.com/pkg/errors" + "github.com/sigstore/cosign/cmd/cosign/cli/rekor" "github.com/sigstore/cosign/pkg/cosign" "github.com/sigstore/rekor/pkg/generated/client" diff --git a/internal/signature/sign.go b/internal/signature/sign.go index 79c294d1..29fd8093 100644 --- a/internal/signature/sign.go +++ b/internal/signature/sign.go @@ -1,3 +1,18 @@ +// +// Copyright 2022 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + package signature import ( 
@@ -94,14 +109,14 @@ func Sign(ident Identity, body []byte, opts SignOptions) ([]byte, *x509.Certific Type: "SIGNED MESSAGE", Bytes: der, }), cert, nil - } else { - return der, cert, nil } + + return der, cert, nil } // certsForSignature determines which certificates to include in the signature // based on the --include-certs option specified by the user. -func certsForSignature(chain []*x509.Certificate, include int) ([]*x509.Certificate, error) { +func certsForSignature(chain []*x509.Certificate, include int) ([]*x509.Certificate, error) { // nolint:unparam if include < -3 { include = -2 // default } diff --git a/internal/signature/signature_test.go b/internal/signature/signature_test.go index fe32c2bb..ce5bf970 100644 --- a/internal/signature/signature_test.go +++ b/internal/signature/signature_test.go @@ -1,3 +1,18 @@ +// +// Copyright 2022 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + package signature import ( diff --git a/internal/signature/verify.go b/internal/signature/verify.go index 85b453b5..35c99443 100644 --- a/internal/signature/verify.go +++ b/internal/signature/verify.go 
@@ -1,3 +1,18 @@ +// +// Copyright 2022 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + package signature import ( @@ -28,7 +43,7 @@ func Verify(body, sig []byte, detached bool, opts x509.VerifyOptions) ([][][]*x5 if detached { return sd.VerifyDetached(body, opts) - } else { - return sd.Verify(opts) } + + return sd.Verify(opts) } diff --git a/internal/utils.go b/internal/utils.go index 2113dd02..57761a91 100644 --- a/internal/utils.go +++ b/internal/utils.go @@ -1,7 +1,22 @@ +// +// Copyright 2022 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + package internal import ( - "crypto/sha1" + "crypto/sha1" // #nosec G505 "crypto/x509" "encoding/hex" ) @@ -17,6 +32,6 @@ func certFingerprint(cert *x509.Certificate) []byte { return nil } - fpr := sha1.Sum(cert.Raw) + fpr := sha1.Sum(cert.Raw) // nolint:gosec return fpr[:] } diff --git a/main.go b/main.go index 009770ae..379496c5 100644 --- a/main.go 
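Review bot: The SHA-1 use in internal/utils.go is silenced with two different directives, `// #nosec G505` on the import and `// nolint:gosec` on `sha1.Sum(cert.Raw)`, and neither says why SHA-1 is acceptable in `certFingerprint`. A suppression on a weak hash should carry its justification so a later reader can tell an identifier from an integrity check. Something like `fpr := sha1.Sum(cert.Raw) //nolint:gosec // fingerprint is an identifier only, not an integrity check` would do, assuming that is how callers use the value, which this hunk does not show. Using one directive style for both lines would also help. `certFingerprint` starts outside the hunk.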
+++ b/main.go @@ -1,3 +1,18 @@ +// +// Copyright 2022 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + package main import ( @@ -90,25 +105,29 @@ func runCommand() error { if *signFlag { if *verifyFlag { return errors.New("specify --help, --sign, or --verify") - } else if len(*localUserOpt) == 0 { + } + if len(*localUserOpt) == 0 { return errors.New("specify a USER-ID to sign with") - } else { - return commandSign() } + + return commandSign() } if *verifyFlag { if *signFlag { return errors.New("specify --help, --sign, or --verify") - } else if len(*localUserOpt) > 0 { + } + if len(*localUserOpt) > 0 { return errors.New("local-user cannot be specified for verification") - } else if *detachSignFlag { + } + if *detachSignFlag { return errors.New("detach-sign cannot be specified for verification") - } else if *armorFlag { + } + if *armorFlag { return errors.New("armor cannot be specified for verification") - } else { - return commandVerify() } + + return commandVerify() } return errors.New("specify --help, --sign, --verify, or --list-keys") diff --git a/status.go b/status.go index 9de6b00d..00a29f1f 100644 --- a/status.go +++ b/status.go 
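Review bot: In `runCommand`, the `if *signFlag` check nested inside the `if *verifyFlag` block can never fire, because the preceding `if *signFlag` block visibly returns on every path after this rewrite. Hoisting the mutual-exclusion test above both blocks states the rule once: `if *signFlag && *verifyFlag { return errors.New("specify --help, --sign, or --verify") }`. The two nested duplicates can then be removed. `runCommand` starts outside the hunk.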
@@ -1,3 +1,18 @@ +// +// Copyright 2022 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + package main import ( @@ -8,9 +23,10 @@ import ( "sync" "time" - "github.com/sigstore/gitsign/internal" "golang.org/x/crypto/openpgp/packet" "golang.org/x/crypto/openpgp/s2k" + + "github.com/sigstore/gitsign/internal" ) // This file implements gnupg's "status protocol". When the --status-fd argument @@ -148,8 +164,8 @@ func (s status) emitf(format string, args ...interface{}) { } const prefix = "[GNUPG:] " - statusFile.WriteString(prefix) - statusFile.WriteString(string(s)) + _, _ = statusFile.WriteString(prefix) + _, _ = statusFile.WriteString(string(s)) fmt.Fprintf(statusFile, " "+format+"\n", args...) } @@ -161,7 +177,7 @@ func (s status) emit() { } const prefix = "[GNUPG:] " - statusFile.WriteString(prefix + string(s) + "\n") + _, _ = statusFile.WriteString(prefix + string(s) + "\n") } func emitSigCreated(cert *x509.Certificate, isDetached bool) {
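Review bot: The `_, _ = statusFile.WriteString(...)` assignments in `emitf` and `emit` drop the write error without saying that this is intended. Neither function returns an error, so best-effort may well be the intent, but these status lines are what Git reads to learn the outcome of the operation. Add a short comment above the writes, e.g. `// Best-effort: a failed status write cannot be reported to the caller.`, or confirm that a failed write should abort the command instead. Both function bodies start outside their hunks.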