diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
index 41f2716ebb..9cb71cc5a5 100644
--- a/.github/workflows/verify.yml
+++ b/.github/workflows/verify.yml
@@ -75,7 +75,7 @@ jobs:
 go-version-file: ${{ matrix.module }}/go.mod
 check-latest: true
 - name: golangci-lint
- uses: golangci/golangci-lint-action@ec5d18412c0aeab7936cb16880d708ba2a64e1ae # v6.2.0
+ uses: golangci/golangci-lint-action@2226d7cb06a077cd73e56eedd38eecad18e5d837 # v6.5.0
 with:
 version: v1.63
 working-directory: ${{ matrix.module }}
diff --git a/go.mod b/go.mod
index b811b1ec65..e594072daf 100644
--- a/go.mod
+++ b/go.mod
@@ -18,7 +18,7 @@ require (
 	github.com/stretchr/testify v1.10.0
 	github.com/theupdateframework/go-tuf v0.7.0
 	golang.org/x/crypto v0.32.0
-	golang.org/x/oauth2 v0.25.0
+	golang.org/x/oauth2 v0.26.0
 	golang.org/x/term v0.28.0
 )
diff --git a/go.sum b/go.sum
index 3afb7fe254..7eccbaa95e 100644
--- a/go.sum
+++ b/go.sum
@@ -152,8 +152,8 @@ golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
 golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
-golang.org/x/oauth2 v0.25.0 h1:CY4y7XT9v0cRI9oupztF8AgiIu99L/ksR/Xp/6jrZ70=
-golang.org/x/oauth2 v0.25.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.26.0 h1:afQXWNNaeC4nvZ0Ed9XvCCzXM6UHJG7iCg0W4fPqSBE=
+golang.org/x/oauth2 v0.26.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
diff --git a/pkg/signature/algorithm_registry.go b/pkg/signature/algorithm_registry.go
index e9de9fd7e8..0612d8f7a2 100644
--- a/pkg/signature/algorithm_registry.go
+++ b/pkg/signature/algorithm_registry.go
@@ -128,7 +128,7 @@ var supportedAlgorithms = []algorithmDetails{
 	{v1.PublicKeyDetails_PKIX_RSA_PKCS1V15_3072_SHA256, RSA, crypto.SHA256, RSAKeySize(3072), "rsa-sign-pkcs1-3072-sha256"},
 	{v1.PublicKeyDetails_PKIX_RSA_PKCS1V15_4096_SHA256, RSA, crypto.SHA256, RSAKeySize(4096), "rsa-sign-pkcs1-4096-sha256"},
 	{v1.PublicKeyDetails_PKIX_RSA_PSS_2048_SHA256, RSA, crypto.SHA256, RSAKeySize(2048), "rsa-sign-pss-2048-sha256"},
-	{v1.PublicKeyDetails_PKIX_RSA_PSS_3072_SHA256, RSA, crypto.SHA256, RSAKeySize(2048), "rsa-sign-pss-3072-sha256"},
+	{v1.PublicKeyDetails_PKIX_RSA_PSS_3072_SHA256, RSA, crypto.SHA256, RSAKeySize(3072), "rsa-sign-pss-3072-sha256"},
 	{v1.PublicKeyDetails_PKIX_RSA_PSS_4096_SHA256, RSA, crypto.SHA256, RSAKeySize(4096), "rsa-sign-pss-4092-sha256"},
 	{v1.PublicKeyDetails_PKIX_ECDSA_P256_SHA_256, ECDSA, crypto.SHA256, elliptic.P256(), "ecdsa-sha2-256-nistp256"},
 	{v1.PublicKeyDetails_PKIX_ECDSA_P384_SHA_384, ECDSA, crypto.SHA384, elliptic.P384(), "ecdsa-sha2-384-nistp384"},
diff --git a/pkg/signature/kms/aws/go.mod b/pkg/signature/kms/aws/go.mod
index 6773ec4f12..5c69ed05ff 100644
--- a/pkg/signature/kms/aws/go.mod
+++ b/pkg/signature/kms/aws/go.mod
@@ -6,7 +6,7 @@ go 1.22.0
 require (
 	github.com/aws/aws-sdk-go v1.55.6
-	github.com/aws/aws-sdk-go-v2 v1.33.0
+	github.com/aws/aws-sdk-go-v2 v1.36.1
 	github.com/aws/aws-sdk-go-v2/config v1.29.1
 	github.com/aws/aws-sdk-go-v2/service/kms v1.37.13
 	github.com/jellydator/ttlcache/v3 v3.3.0
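Review bot: The context line right after the fixed entry still names the `PKIX_RSA_PSS_4096_SHA256` algorithm `"rsa-sign-pss-4092-sha256"`, the same kind of copy-paste slip this hunk corrects for the 3072-bit PSS entry's `RSAKeySize`. If that name string is matched by callers or surfaced on a CLI, changing it is a compatibility break, so either correct it here with a note on compatibility or leave a comment explaining why it is frozen. Because the old entry let a 2048-bit key satisfy an algorithm declared as 3072-bit, a table-driven test asserting that every RSA entry's `RSAKeySize` equals the bit size embedded in its name, and that names are unique, would have caught both defects and guards the rest of `supportedAlgorithms`, which continues outside this hunk.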
@@ -25,7 +25,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/sso v1.24.11 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.10 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.33.9 // indirect
-	github.com/aws/smithy-go v1.22.1 // indirect
+	github.com/aws/smithy-go v1.22.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/go-jose/go-jose/v4 v4.0.2 // indirect
 	github.com/google/go-containerregistry v0.20.2 // indirect
diff --git a/pkg/signature/kms/aws/go.sum b/pkg/signature/kms/aws/go.sum
index 02f863fb5b..c61b8b2ad8 100644
--- a/pkg/signature/kms/aws/go.sum
+++ b/pkg/signature/kms/aws/go.sum
@@ -1,7 +1,7 @@
 github.com/aws/aws-sdk-go v1.55.6 h1:cSg4pvZ3m8dgYcgqB97MrcdjUmZ1BeMYKUxMMB89IPk=
 github.com/aws/aws-sdk-go v1.55.6/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
-github.com/aws/aws-sdk-go-v2 v1.33.0 h1:Evgm4DI9imD81V0WwD+TN4DCwjUMdc94TrduMLbgZJs=
-github.com/aws/aws-sdk-go-v2 v1.33.0/go.mod h1:P5WJBrYqqbWVaOxgH0X/FYYD47/nooaPOZPlQdmiN2U=
+github.com/aws/aws-sdk-go-v2 v1.36.1 h1:iTDl5U6oAhkNPba0e1t1hrwAo02ZMqbrGq4k5JBWM5E=
+github.com/aws/aws-sdk-go-v2 v1.36.1/go.mod h1:5PMILGVKiW32oDzjj6RU52yrNrDPUHcbZQYr1sM7qmM=
 github.com/aws/aws-sdk-go-v2/config v1.29.1 h1:JZhGawAyZ/EuJeBtbQYnaoftczcb2drR2Iq36Wgz4sQ=
 github.com/aws/aws-sdk-go-v2/config v1.29.1/go.mod h1:7bR2YD5euaxBhzt2y/oDkt3uNRb6tjFp98GlTFueRwk=
 github.com/aws/aws-sdk-go-v2/credentials v1.17.54 h1:4UmqeOqJPvdvASZWrKlhzpRahAulBfyTJQUaYy4+hEI=
@@ -26,8 +26,8 @@ github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.10 h1:l+dgv/64iVlQ3WsBbnn+JSb
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.10/go.mod h1:Fzsj6lZEb8AkTE5S68OhcbBqeWPsR8RnGuKPr8Todl8=
 github.com/aws/aws-sdk-go-v2/service/sts v1.33.9 h1:BRVDbewN6VZcwr+FBOszDKvYeXY1kJ+GGMCcpghlw0U=
 github.com/aws/aws-sdk-go-v2/service/sts v1.33.9/go.mod h1:f6vjfZER1M17Fokn0IzssOTMT2N8ZSq+7jnNF0tArvw=
-github.com/aws/smithy-go v1.22.1 h1:/HPHZQ0g7f4eUeK6HKglFz8uwVfZKgoI25rb/J+dnro=
-github.com/aws/smithy-go v1.22.1/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
+github.com/aws/smithy-go v1.22.2 h1:6D9hW43xKFrRx/tXXfAlIZc4JI+yQe6snnWcQyxSyLQ=
+github.com/aws/smithy-go v1.22.2/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
diff --git a/pkg/signature/kms/kms.go b/pkg/signature/kms/kms.go
index 862726ffd5..7baf9504b8 100644
--- a/pkg/signature/kms/kms.go
+++ b/pkg/signature/kms/kms.go
@@ -52,8 +52,10 @@ var providersMap = map[string]ProviderInit{}
 // Get returns a KMS SignerVerifier for the given resource string and hash function.
 // If no matching built-in provider is found, it will try to use the plugin system as a provider.
-// If keyResourceID doesn't match any of our hard-coded providers' schemas, or the plugin program
-// can't be found, then it returns ProviderNotFoundError.
+// It returns a ProviderNotFoundError in these situations:
+// - keyResourceID doesn't match any of our hard-coded providers' schemas,
+// - the plugin name and key ref cannot be parsed from the input keyResourceID,
+// - the plugin program, can't be found.
 // It also returns an error if initializing the SignerVerifier fails.
 func Get(ctx context.Context, keyResourceID string, hashFunc crypto.Hash, opts ...signature.RPCOption) (SignerVerifier, error) {
 	for ref, pi := range providersMap {
@@ -66,7 +68,7 @@ func Get(ctx context.Context, keyResourceID string, hashFunc crypto.Hash, opts .
 		}
 	}
 	sv, err := cliplugin.LoadSignerVerifier(ctx, keyResourceID, hashFunc, opts...)
-	if errors.Is(err, exec.ErrNotFound) {
+	if errors.Is(err, exec.ErrNotFound) || errors.Is(err, cliplugin.ErrorInputKeyResourceID) {
 		return nil, fmt.Errorf("%w: %w", &ProviderNotFoundError{ref: keyResourceID}, err)
 	}
 	return sv, err
diff --git a/pkg/signature/kms/kms_test.go b/pkg/signature/kms/kms_test.go
index d121fa2010..7690815135 100644
--- a/pkg/signature/kms/kms_test.go
+++ b/pkg/signature/kms/kms_test.go
@@ -26,6 +26,7 @@ import (
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
 	"github.com/sigstore/sigstore/pkg/signature"
+	"github.com/sigstore/sigstore/pkg/signature/kms/cliplugin"
 )
 // TestGet ensures that there is are load attempts on registered providers, including the CLIPlugin,
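Review bot: The last bullet of the rewritten doc comment on Get has a stray comma, `// - the plugin program, can't be found.`, which should read `// - the plugin program can't be found.`; godoc also renders the bullets as a proper list only when they are indented under the introductory line, e.g. `//   - keyResourceID doesn't match any of our hard-coded providers' schemas,`. The bullets would be more precise if the second one said that the error is `cliplugin.ErrorInputKeyResourceID` and the third `exec.ErrNotFound`, since the next hunk wraps exactly those two sentinels into ProviderNotFoundError and callers can now rely on `errors.Is` for either. The name `cliplugin.ErrorInputKeyResourceID` does not follow Go's `ErrXxx` convention, but it is declared outside this diff and is presumably pre-existing. Get's body continues past the first hunk and the condition change in the second hunk is consistent with the comment.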
@@ -36,11 +37,12 @@ func TestGet(t *testing.T) {
 	testHashFunc := crypto.SHA256
 	testCtx := context.Background()
+	var providerNotFoundError *ProviderNotFoundError
+
 	t.Run("cliplugin", func(t *testing.T) {
 		t.Parallel()
 		testKey := "gundam://00"
-		var providerNotFoundError *ProviderNotFoundError
 		// we only check for errors because we can't assume that there exists on the system
 		// a program prefixed with "sigstore-kms-".
@@ -71,6 +73,18 @@ func TestGet(t *testing.T) {
 		}
 	})
+	t.Run("file path", func(t *testing.T) {
+		t.Parallel()
+		testKeyResourceID := "/this/is/the/way"
+		_, err := Get(testCtx, testKeyResourceID, testHashFunc)
+		if !errors.As(err, &providerNotFoundError) {
+			t.Errorf("wanted ProviderNotFoundError, got: %v", err)
+		}
+		if !errors.Is(err, cliplugin.ErrorInputKeyResourceID) {
+			t.Errorf("wanted cliplugin.ErrorInputKeyResourceID, got: %v", err)
+		}
+	})
+
 	t.Run("successful provider", func(t *testing.T) {
 		t.Parallel()
diff --git a/test/fuzz/pem/fuzzcert_test.go b/test/fuzz/pem/fuzzcert_test.go
index 21b521c7a5..ad3a6c6dee 100644
--- a/test/fuzz/pem/fuzzcert_test.go
+++ b/test/fuzz/pem/fuzzcert_test.go
@@ -20,6 +20,7 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
+	"reflect"
 	"testing"
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
@@ -76,7 +77,7 @@ func FuzzUnmarshalPEMToPublicKey(f *testing.F) {
 		}
 		result, err := cryptoutils.UnmarshalPEMToPublicKey(data)
 		if err != nil {
-			if result != nil {
+			if result != nil && !reflect.ValueOf(result).IsNil() {
 				t.Errorf("result %v should be nil when there is an error %v", result, err)
 			}
 			t.Skip("invalid pem")
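Review bot: Hoisting `var providerNotFoundError *ProviderNotFoundError` to TestGet scope introduces a data race, because the "cliplugin" subtest (whose `errors.As` call is outside this hunk) and the new "file path" subtest in the next hunk both call `t.Parallel()` and both pass `&providerNotFoundError` to `errors.As`, which writes the target on a match; `go test -race` will report this when both subtests match. Keep the declaration local to each subtest instead, `var providerNotFoundError *ProviderNotFoundError` as the first statement of each `t.Run` body, so no state is shared across parallel closures. The new "file path" case otherwise pins the intended contract, but it depends on the plugin loader rejecting a bare path before it ever looks for an executable; a one-line comment saying that, e.g. `// a plain path has no scheme, so it must fail parsing before any plugin lookup`, would explain why the test does not need a sigstore-kms-* binary present. TestGet starts before the first hunk and ends after the second.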
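Review bot: The added `!reflect.ValueOf(result).IsNil()` condition makes the fuzz test tolerate a typed nil pointer boxed in the returned interface, which is the nil-interface trap the fuzzer appears to have surfaced rather than a test bug; the stronger fix is in `cryptoutils.UnmarshalPEMToPublicKey` (outside this diff) to return a literal `nil` on every error path so that callers' own `result != nil` checks stay meaningful, and the test can remain strict. If the relaxation is kept, `reflect.Value.IsNil` panics for kinds such as struct, so guard the kind, for example `v := reflect.ValueOf(result)` and `if result != nil && !(v.Kind() == reflect.Pointer && v.IsNil()) {` (a slice-typed key such as `ed25519.PublicKey` would also need `reflect.Slice`); which concrete key types the helper can return is not visible in this hunk. A short comment on the condition explaining that it exists to detect typed nils would also help the next reader. FuzzUnmarshalPEMToPublicKey starts before this hunk and continues after it.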