From 880bac8266316f75c715f38e2468ee5faa910969 Mon Sep 17 00:00:00 2001
From: Hayden Blauzvern
Date: Mon, 5 Feb 2024 21:52:52 +0000
Subject: [PATCH] Update linter, codeql

CodeQL was failing because this version did not support Go 1.21. Also bumped the linter and fixed lint failures.

Signed-off-by: Hayden Blauzvern
---
 .github/workflows/codeql.yml | 6 +++---
 .github/workflows/golangci-lint.yml | 2 +-
 .github/workflows/verify_license.yml | 4 ++--
 pkg/verify/signature.go | 18 +++++++-----------
 4 files changed, 13 insertions(+), 17 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index e2c0ee2f..cf7fd900 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -42,12 +42,12 @@ jobs:
 
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.1.26
+ uses: github/codeql-action/init@65c74964a9ed8c44ed9f19d4bbc5757a6a8e9ab9 # v2.16.1
 with:
 languages: ${{ matrix.language }}
 
 - name: Autobuild
- uses: github/codeql-action/autobuild@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.1.26
+ uses: github/codeql-action/autobuild@65c74964a9ed8c44ed9f19d4bbc5757a6a8e9ab9 # v2.16.1
 
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.1.26
+ uses: github/codeql-action/analyze@65c74964a9ed8c44ed9f19d4bbc5757a6a8e9ab9 # v2.16.1
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
index b1608185..d744f4c8 100644
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -34,7 +34,7 @@ jobs:
 - name: golangci-lint
 uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
 with:
- version: v1.54
+ version: v1.55
 args: --timeout=5m --verbose
 # sometimes the pkg cache gets corrupted, skipping cache avoids this
 # https://github.com/golangci/golangci-lint-action/issues/23
diff --git a/.github/workflows/verify_license.yml b/.github/workflows/verify_license.yml
index 4390d741..375afa98 100644
--- a/.github/workflows/verify_license.yml
+++ b/.github/workflows/verify_license.yml
@@ -30,8 +30,8 @@ jobs:
 go-version-file: './go.mod'
 check-latest: true
 - name: Install addlicense
- run: go install github.com/google/addlicense@v1.0.0
+ run: go install github.com/google/addlicense@latest
 - name: Check license headers
 run: |
 set -e
- addlicense -check -l apache -c 'The Sigstore Authors' -ignore "third_party/**" -v *
\ No newline at end of file
+ addlicense -check -l apache -c 'The Sigstore Authors' -ignore "third_party/**" -v *
diff --git a/pkg/verify/signature.go b/pkg/verify/signature.go
index 15a012a9..7cc62358 100644
--- a/pkg/verify/signature.go
+++ b/pkg/verify/signature.go
@@ -44,10 +44,9 @@ func VerifySignature(sigContent SignatureContent, verificationContent Verificati
 return verifyEnvelope(verifier, envelope)
 } else if msg := sigContent.MessageSignatureContent(); msg != nil {
 return errors.New("artifact must be provided to verify message signature")
- } else {
- // should never happen, but just in case:
- return fmt.Errorf("signature content has neither an envelope or a message")
 }
+ // handle an invalid signature content message
+ return fmt.Errorf("signature content has neither an envelope or a message")
 }
 
 func VerifySignatureWithArtifact(sigContent SignatureContent, verificationContent VerificationContent, trustedMaterial root.TrustedMaterial, artifact io.Reader) error { // nolint: revive
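Review bot: The Install addlicense step now runs `go install github.com/google/addlicense@latest`, which resolves a different module version on every run and removes the pin the step previously had; the other workflows touched in this patch pin their actions by commit SHA with a version comment, so this hunk moves in the opposite direction on supply-chain reproducibility. If a newer addlicense is required (the commit message does not say why the pin was dropped), pin the specific release that works, e.g. `run: go install github.com/google/addlicense@<pinned-version>` with the placeholder replaced by the tested tag, and add a short comment beside it giving the reason. The trailing-newline fix on the last line needs no change.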
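Review bot: The new fall-through `return fmt.Errorf("signature content has neither an envelope or a message")` formats a constant string with no verbs; since `errors.New` is already used two lines above in this function, `return errors.New("signature content has neither an envelope nor a message")` is the consistent form and also repairs the neither/or wording. The same shape recurs in the VerifySignatureWithArtifact, VerifySignatureWithArtifactDigest and getSignatureVerifier hunks (the last with `fmt.Errorf("no public key or certificate found")`). The replacement comment `// handle an invalid signature content message` also drops the original's statement that this branch is not expected to be reached; `// unreachable for well-formed SignatureContent: neither an envelope nor a message signature is present` keeps that for the next reader. VerifySignature's signature and the start of its body lie outside the hunk.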
@@ -63,10 +62,9 @@ func VerifySignatureWithArtifact(sigContent SignatureContent, verificationConten
 return verifyEnvelopeWithArtifact(verifier, envelope, artifact)
 } else if msg := sigContent.MessageSignatureContent(); msg != nil {
 return verifyMessageSignature(verifier, msg, artifact)
- } else {
- // should never happen, but just in case:
- return fmt.Errorf("signature content has neither an envelope or a message")
 }
+ // handle an invalid signature content message
+ return fmt.Errorf("signature content has neither an envelope or a message")
 }
 
 func VerifySignatureWithArtifactDigest(sigContent SignatureContent, verificationContent VerificationContent, trustedMaterial root.TrustedMaterial, artifactDigest []byte, artifactDigestAlgorithm string) error { // nolint: revive
@@ -82,10 +80,9 @@ func VerifySignatureWithArtifactDigest(sigContent SignatureContent, verification
 return verifyEnvelopeWithArtifactDigest(verifier, envelope, artifactDigest, artifactDigestAlgorithm)
 } else if msg := sigContent.MessageSignatureContent(); msg != nil {
 return verifyMessageSignatureWithArtifactDigest(verifier, msg, artifactDigest)
- } else {
- // should never happen, but just in case:
- return fmt.Errorf("signature content has neither an envelope or a message")
 }
+ // handle an invalid signature content message
+ return fmt.Errorf("signature content has neither an envelope or a message")
 }
 
 func getSignatureVerifier(verificationContent VerificationContent, tm root.TrustedMaterial) (signature.Verifier, error) {
@@ -94,9 +91,8 @@ func getSignatureVerifier(verificationContent VerificationContent, tm root.Trust
 return signature.LoadVerifier(leafCert.PublicKey, crypto.SHA256)
 } else if pk, ok := verificationContent.HasPublicKey(); ok {
 return tm.PublicKeyVerifier(pk.Hint())
- } else {
- return nil, fmt.Errorf("no public key or certificate found")
 }
+ return nil, fmt.Errorf("no public key or certificate found")
 }
 
 func verifyEnvelope(verifier signature.Verifier, envelope EnvelopeContent) error {