diff --git a/pkg/cmd/attestation/artifact/artifact.go b/pkg/cmd/attestation/artifact/artifact.go index dd39eacd5..de354b947 100644 --- a/pkg/cmd/attestation/artifact/artifact.go +++ b/pkg/cmd/attestation/artifact/artifact.go @@ -31,7 +31,7 @@ func normalizeReference(reference string, pathSeparator rune) (normalized string case strings.HasPrefix(reference, "file://"): uri, err := url.ParseRequestURI(reference) if err != nil { - return "", 0, fmt.Errorf("failed to parse reference URI: %w", err) + return "", 0, fmt.Errorf("failed to parse reference URI: %v", err) } var path string if pathSeparator == '/' { diff --git a/pkg/cmd/attestation/artifact/digest/digest.go b/pkg/cmd/attestation/artifact/digest/digest.go index 882a85bc3..e48fb1d0d 100644 --- a/pkg/cmd/attestation/artifact/digest/digest.go +++ b/pkg/cmd/attestation/artifact/digest/digest.go @@ -46,7 +46,7 @@ func CalculateDigestWithAlgorithm(r io.Reader, alg string) (string, error) { } if _, err := io.Copy(h, r); err != nil { - return "", fmt.Errorf("failed to calculate digest: %w", err) + return "", fmt.Errorf("failed to calculate digest: %v", err) } digest := h.Sum(nil) return hex.EncodeToString(digest), nil diff --git a/pkg/cmd/attestation/artifact/file.go b/pkg/cmd/attestation/artifact/file.go index 99cd0ce2e..789a92a5d 100644 --- a/pkg/cmd/attestation/artifact/file.go +++ b/pkg/cmd/attestation/artifact/file.go 
@@ -10,12 +10,12 @@ import ( func digestLocalFileArtifact(filename, digestAlg string) (*DigestedArtifact, error) { data, err := os.Open(filename) if err != nil { - return nil, fmt.Errorf("failed to get open local artifact: %w", err) + return nil, fmt.Errorf("failed to get open local artifact: %v", err) } defer data.Close() digest, err := digest.CalculateDigestWithAlgorithm(data, digestAlg) if err != nil { - return nil, fmt.Errorf("failed to calculate local artifact digest: %w", err) + return nil, fmt.Errorf("failed to calculate local artifact digest: %v", err) } return &DigestedArtifact{ URL: fmt.Sprintf("file://%s", filename), diff --git a/pkg/cmd/attestation/artifact/image.go b/pkg/cmd/attestation/artifact/image.go index 839e493af..2af13e723 100644 --- a/pkg/cmd/attestation/artifact/image.go +++ b/pkg/cmd/attestation/artifact/image.go @@ -12,7 +12,7 @@ func digestContainerImageArtifact(url string, client oci.Client) (*DigestedArtif named, err := reference.Parse(url) if err != nil { // cannot be parsed as a registry reference - return nil, fmt.Errorf("artifact %s is not a valid registry reference: %w", url, err) + return nil, fmt.Errorf("artifact %s is not a valid registry reference: %v", url, err) } digest, err := client.GetImageDigest(named.String()) diff --git a/pkg/cmd/attestation/artifact/oci/client.go b/pkg/cmd/attestation/artifact/oci/client.go index d68fd99d2..5b8d8cf7a 100644 --- a/pkg/cmd/attestation/artifact/oci/client.go +++ b/pkg/cmd/attestation/artifact/oci/client.go @@ -39,7 +39,7 @@ type LiveClient struct { func (c LiveClient) GetImageDigest(imgName string) (*v1.Hash, error) { name, err := c.parseReference(imgName) if err != nil { - return nil, fmt.Errorf("failed to create image tag: %w", err) + return nil, fmt.Errorf("failed to create image tag: %v", err) } // The user must already be authenticated with the container registry 
@@ -53,7 +53,7 @@ func (c LiveClient) GetImageDigest(imgName string) (*v1.Hash, error) { return nil, accessErr } } - return nil, fmt.Errorf("failed to fetch remote image: %w", err) + return nil, fmt.Errorf("failed to fetch remote image: %v", err) } return &desc.Digest, nil diff --git a/pkg/cmd/attestation/download/download.go b/pkg/cmd/attestation/download/download.go index 633723f27..bf9b12894 100644 --- a/pkg/cmd/attestation/download/download.go +++ b/pkg/cmd/attestation/download/download.go @@ -92,7 +92,7 @@ func NewDownloadCmd(f *cmdutil.Factory, runF func(*Options) error) *cobra.Comman } if err := runDownload(opts); err != nil { - return fmt.Errorf("Failed to download the artifact's bundle(s): %w", err) + return fmt.Errorf("Failed to download the artifact's bundle(s): %v", err) } return nil }, @@ -111,7 +111,7 @@ func NewDownloadCmd(f *cmdutil.Factory, runF func(*Options) error) *cobra.Comman func runDownload(opts *Options) error { artifact, err := artifact.NewDigestedArtifact(opts.OCIClient, opts.ArtifactPath, opts.DigestAlgorithm) if err != nil { - return fmt.Errorf("failed to digest artifact: %w", err) + return fmt.Errorf("failed to digest artifact: %v", err) } opts.Logger.VerbosePrintf("Downloading trusted metadata for artifact %s\n\n", opts.ArtifactPath) @@ -129,12 +129,12 @@ func runDownload(opts *Options) error { fmt.Fprintf(opts.Logger.IO.Out, "No attestations found for %s\n", opts.ArtifactPath) return nil } - return fmt.Errorf("failed to fetch attestations: %w", err) + return fmt.Errorf("failed to fetch attestations: %v", err) } metadataFilePath, err := opts.Store.createMetadataFile(artifact.DigestWithAlg(), attestations) if err != nil { - return fmt.Errorf("failed to write attestation: %w", err) + return fmt.Errorf("failed to write attestation: %v", err) } fmt.Fprintf(opts.Logger.IO.Out, "Wrote attestations to file %s.\nAny previous content has been overwritten\n\n", metadataFilePath) 
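Review bot: In the `runDownload` hunk at -129, `fmt.Errorf("failed to write attestation: %v", err)` flattens the value returned by `createMetadataFile`, which metadata.go builds with `errors.Join(ErrAttestationFileCreation, ...)`, so `errors.Is(err, ErrAttestationFileCreation)` is false for anything above `runDownload`. If that sentinel is meant to be observable by callers or tests of the command, keep the chain on this one line, `return fmt.Errorf("failed to write attestation: %w", err)`, and use `%v` only where nothing inspects the cause. The same question applies to the `res.Error` and `sigstoreRes.Error` lines in inspect.go and verify.go: once flattened, a caller can no longer use `errors.Is`/`errors.As` to tell why verification failed. The function bodies extend beyond the hunks shown.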
diff --git a/pkg/cmd/attestation/download/metadata.go b/pkg/cmd/attestation/download/metadata.go index ac2ffe1dc..4096be001 100644 --- a/pkg/cmd/attestation/download/metadata.go +++ b/pkg/cmd/attestation/download/metadata.go @@ -32,7 +32,7 @@ func (s *LiveStore) createMetadataFile(artifactDigest string, attestationsResp [ f, err := os.Create(metadataFilePath) if err != nil { - return "", errors.Join(ErrAttestationFileCreation, fmt.Errorf("failed to create file: %w", err)) + return "", errors.Join(ErrAttestationFileCreation, fmt.Errorf("failed to create file: %v", err)) } for _, resp := range attestationsResp { 
@@ -40,24 +40,24 @@ func (s *LiveStore) createMetadataFile(artifactDigest string, attestationsResp [ attBytes, err := json.Marshal(bundle) if err != nil { if err = f.Close(); err != nil { - return "", errors.Join(ErrAttestationFileCreation, fmt.Errorf("failed to close file while marshalling JSON: %w", err)) + return "", errors.Join(ErrAttestationFileCreation, fmt.Errorf("failed to close file while marshalling JSON: %v", err)) } - return "", errors.Join(ErrAttestationFileCreation, fmt.Errorf("failed to marshall attestation to JSON while writing to file: %w", err)) + return "", errors.Join(ErrAttestationFileCreation, fmt.Errorf("failed to marshall attestation to JSON while writing to file: %v", err)) } withNewline := fmt.Sprintf("%s\n", attBytes) _, err = f.Write([]byte(withNewline)) if err != nil { if err = f.Close(); err != nil { - return "", errors.Join(ErrAttestationFileCreation, fmt.Errorf("failed to close file while handling write error: %w", err)) + return "", errors.Join(ErrAttestationFileCreation, fmt.Errorf("failed to close file while handling write error: %v", err)) } - return "", errors.Join(ErrAttestationFileCreation, fmt.Errorf("failed to write attestations: %w", err)) + return "", errors.Join(ErrAttestationFileCreation, fmt.Errorf("failed to write attestations: %v", err)) } } if err = f.Close(); err != nil { - return "", errors.Join(ErrAttestationFileCreation, fmt.Errorf("failed to close file after writing attestations: %w", err)) + return "", errors.Join(ErrAttestationFileCreation, fmt.Errorf("failed to close file after writing attestations: %v", err)) } return metadataFilePath, nil diff --git a/pkg/cmd/attestation/inspect/bundle.go b/pkg/cmd/attestation/inspect/bundle.go index a226507cb..283b2c14e 100644 --- a/pkg/cmd/attestation/inspect/bundle.go +++ b/pkg/cmd/attestation/inspect/bundle.go 
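Review bot: In `createMetadataFile`, both error branches inside the loop run `if err = f.Close(); err != nil`, which assigns to the same `err` that holds the `json.Marshal` or `f.Write` failure; when the close succeeds, the `fmt.Errorf("...: %v", err)` that follows formats a nil error and the real cause is lost. Use a separate variable for the close result, `if cerr := f.Close(); cerr != nil {`, and return `cerr` inside that branch so the outer `err` still reaches the final `return`. These paths also leave a partially written file at `metadataFilePath`; consider removing it on failure so a truncated file is not mistaken for a complete download. The function starts before this hunk.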
@@ -68,28 +68,28 @@ func getOrgAndRepo(repoURL string) (string, string, error) { func getAttestationDetail(attr api.Attestation) (AttestationDetail, error) { envelope, err := attr.Bundle.Envelope() if err != nil { - return AttestationDetail{}, fmt.Errorf("failed to get envelope from bundle: %w", err) + return AttestationDetail{}, fmt.Errorf("failed to get envelope from bundle: %v", err) } statement, err := envelope.EnvelopeContent().Statement() if err != nil { - return AttestationDetail{}, fmt.Errorf("failed to get statement from envelope: %w", err) + return AttestationDetail{}, fmt.Errorf("failed to get statement from envelope: %v", err) } var predicate Predicate predicateJson, err := json.Marshal(statement.Predicate) if err != nil { - return AttestationDetail{}, fmt.Errorf("failed to marshal predicate: %w", err) + return AttestationDetail{}, fmt.Errorf("failed to marshal predicate: %v", err) } err = json.Unmarshal(predicateJson, &predicate) if err != nil { - return AttestationDetail{}, fmt.Errorf("failed to unmarshal predicate: %w", err) + return AttestationDetail{}, fmt.Errorf("failed to unmarshal predicate: %v", err) } org, repo, err := getOrgAndRepo(predicate.BuildDefinition.ExternalParameters.Workflow.Repository) if err != nil { - return AttestationDetail{}, fmt.Errorf("failed to parse attestation content: %w", err) + return AttestationDetail{}, fmt.Errorf("failed to parse attestation content: %v", err) } return AttestationDetail{ @@ -107,7 +107,7 @@ func getDetailsAsSlice(results []*verification.AttestationProcessingResult) ([][ for i, result := range results { detail, err := getAttestationDetail(*result.Attestation) if err != nil { - return nil, fmt.Errorf("failed to get attestation detail: %w", err) + return nil, fmt.Errorf("failed to get attestation detail: %v", err) } details[i] = []string{detail.RepositoryName, detail.RepositoryID, detail.OrgName, detail.OrgID, detail.WorkflowID} } 
@@ -120,7 +120,7 @@ func getAttestationDetails(results []*verification.AttestationProcessingResult) for i, result := range results { detail, err := getAttestationDetail(*result.Attestation) if err != nil { - return nil, fmt.Errorf("failed to get attestation detail: %w", err) + return nil, fmt.Errorf("failed to get attestation detail: %v", err) } details[i] = detail } diff --git a/pkg/cmd/attestation/inspect/inspect.go b/pkg/cmd/attestation/inspect/inspect.go index 8a0761c3c..e62ef2d97 100644 --- a/pkg/cmd/attestation/inspect/inspect.go +++ b/pkg/cmd/attestation/inspect/inspect.go @@ -108,7 +108,7 @@ func runInspect(opts *Options) error { policy, err := buildPolicy(*artifact) if err != nil { - return fmt.Errorf("failed to build policy: %w", err) + return fmt.Errorf("failed to build policy: %v", err) } sigstore, err := verification.NewSigstoreVerifier(config, policy) @@ -118,7 +118,7 @@ func runInspect(opts *Options) error { res := sigstore.Verify(attestations) if res.Error != nil { - return fmt.Errorf("at least one attestation failed to verify against Sigstore: %w", res.Error) + return fmt.Errorf("at least one attestation failed to verify against Sigstore: %v", res.Error) } opts.Logger.VerbosePrint(opts.Logger.ColorScheme.Green( @@ -129,7 +129,7 @@ func runInspect(opts *Options) error { if opts.exporter != nil { details, err := getAttestationDetails(res.VerifyResults) if err != nil { - return fmt.Errorf("failed to get attestation detail: %w", err) + return fmt.Errorf("failed to get attestation detail: %v", err) } jsonResults := make([]string, len(details)) @@ -151,7 +151,7 @@ func runInspect(opts *Options) error { // otherwise, print results in a table details, err := getDetailsAsSlice(res.VerifyResults) if err != nil { - return fmt.Errorf("failed to parse attestation details: %w", err) + return fmt.Errorf("failed to parse attestation details: %v", err) } headers := []string{"Repo Name", "Repo ID", "Org Name", "Org ID", "Workflow ID"} 
@@ -165,7 +165,7 @@ func runInspect(opts *Options) error { } if err = t.Render(); err != nil { - return fmt.Errorf("failed to print output: %w", err) + return fmt.Errorf("failed to print output: %v", err) } return nil diff --git a/pkg/cmd/attestation/tufrootverify/tufrootverify.go b/pkg/cmd/attestation/tufrootverify/tufrootverify.go index 811e9458c..3c62a77ab 100644 --- a/pkg/cmd/attestation/tufrootverify/tufrootverify.go +++ b/pkg/cmd/attestation/tufrootverify/tufrootverify.go @@ -66,7 +66,7 @@ func NewTUFRootVerifyCmd(f *cmdutil.Factory, runF func() error) *cobra.Command { func tufRootVerify(mirror, root string) error { rb, err := os.ReadFile(root) if err != nil { - return fmt.Errorf("failed to read root file %s: %w", root, err) + return fmt.Errorf("failed to read root file %s: %v", root, err) } opts := verification.GitHubTUFOptions() opts.Root = rb @@ -75,7 +75,7 @@ func tufRootVerify(mirror, root string) error { // sure there is no caching enabled opts.CacheValidity = 0 if _, err = tuf.New(opts); err != nil { - return fmt.Errorf("failed to create TUF client: %w", err) + return fmt.Errorf("failed to create TUF client: %v", err) } return nil diff --git a/pkg/cmd/attestation/verification/attestation.go b/pkg/cmd/attestation/verification/attestation.go index 52ce752c3..7fb4a1615 100644 --- a/pkg/cmd/attestation/verification/attestation.go +++ b/pkg/cmd/attestation/verification/attestation.go 
@@ -41,13 +41,13 @@ func GetLocalAttestations(path string) ([]*api.Attestation, error) { case ".json": attestations, err := loadBundleFromJSONFile(path) if err != nil { - return nil, fmt.Errorf("bundle could not be loaded from JSON file: %w", err) + return nil, fmt.Errorf("bundle could not be loaded from JSON file: %v", err) } return attestations, nil case ".jsonl": attestations, err := loadBundlesFromJSONLinesFile(path) if err != nil { - return nil, fmt.Errorf("bundles could not be loaded from JSON lines file: %w", err) + return nil, fmt.Errorf("bundles could not be loaded from JSON lines file: %v", err) } return attestations, nil } @@ -66,7 +66,7 @@ func loadBundleFromJSONFile(path string) ([]*api.Attestation, error) { func loadBundlesFromJSONLinesFile(path string) ([]*api.Attestation, error) { file, err := os.Open(path) if err != nil { - return nil, fmt.Errorf("could not open file: %w", err) + return nil, fmt.Errorf("could not open file: %v", err) } defer file.Close() @@ -79,7 +79,7 @@ func loadBundlesFromJSONLinesFile(path string) ([]*api.Attestation, error) { bundle.Bundle = new(protobundle.Bundle) err = bundle.UnmarshalJSON(b) if err != nil { - return nil, fmt.Errorf("failed to unmarshal bundle from JSON: %w", err) + return nil, fmt.Errorf("failed to unmarshal bundle from JSON: %v", err) } a := api.Attestation{Bundle: &bundle} attestations = append(attestations, &a) diff --git a/pkg/cmd/attestation/verification/sigstore.go b/pkg/cmd/attestation/verification/sigstore.go index e9e57dd3b..8a74063ce 100644 --- a/pkg/cmd/attestation/verification/sigstore.go +++ b/pkg/cmd/attestation/verification/sigstore.go 
@@ -49,17 +49,17 @@ type SigstoreVerifier struct { func NewSigstoreVerifier(config SigstoreConfig, policy verify.PolicyBuilder) (*SigstoreVerifier, error) { customVerifier, err := newCustomVerifier(config.CustomTrustedRoot) if err != nil { - return nil, fmt.Errorf("failed to create custom verifier: %w", err) + return nil, fmt.Errorf("failed to create custom verifier: %v", err) } publicGoodVerifier, err := newPublicGoodVerifier() if err != nil { - return nil, fmt.Errorf("failed to create Public Good Sigstore verifier: %w", err) + return nil, fmt.Errorf("failed to create Public Good Sigstore verifier: %v", err) } ghVerifier, err := newGitHubVerifier() if err != nil { - return nil, fmt.Errorf("failed to create GitHub Sigstore verifier: %w", err) + return nil, fmt.Errorf("failed to create GitHub Sigstore verifier: %v", err) } return &SigstoreVerifier{ @@ -75,7 +75,7 @@ func NewSigstoreVerifier(config SigstoreConfig, policy verify.PolicyBuilder) (*S func (v *SigstoreVerifier) chooseVerifier(b *bundle.ProtobufBundle) (*verify.SignedEntityVerifier, string, error) { verifyContent, err := b.VerificationContent() if err != nil { - return nil, "", fmt.Errorf("failed to get bundle verification content: %w", err) + return nil, "", fmt.Errorf("failed to get bundle verification content: %v", err) } leafCert, ok := verifyContent.HasCertificate() if !ok { @@ -122,7 +122,7 @@ func (v *SigstoreVerifier) Verify(attestations []*api.Attestation) *SigstoreResu verifier, issuer, err := v.chooseVerifier(apr.Attestation.Bundle) if err != nil { return &SigstoreResults{ - Error: fmt.Errorf("failed to find recognized issuer from bundle content: %w", err), + Error: fmt.Errorf("failed to find recognized issuer from bundle content: %v", err), } } 
@@ -136,7 +136,7 @@ func (v *SigstoreVerifier) Verify(attestations []*api.Attestation) *SigstoreResu )) return &SigstoreResults{ - Error: fmt.Errorf("verifying with issuer \"%s\": %w", issuer, err), + Error: fmt.Errorf("verifying with issuer \"%s\": %v", issuer, err), } } @@ -160,12 +160,12 @@ func newCustomVerifier(trustedRootFilePath string) (*verify.SignedEntityVerifier trustedRoot, err := root.NewTrustedRootFromPath(trustedRootFilePath) if err != nil { - return nil, fmt.Errorf("failed to create trusted root from file %s: %w", trustedRootFilePath, err) + return nil, fmt.Errorf("failed to create trusted root from file %s: %v", trustedRootFilePath, err) } gv, err := verify.NewSignedEntityVerifier(trustedRoot, verify.WithSignedTimestamps(1)) if err != nil { - return nil, fmt.Errorf("failed to create custom verifier: %w", err) + return nil, fmt.Errorf("failed to create custom verifier: %v", err) } return gv, nil @@ -175,7 +175,7 @@ func newGitHubVerifier() (*verify.SignedEntityVerifier, error) { opts := GitHubTUFOptions() client, err := tuf.New(opts) if err != nil { - return nil, fmt.Errorf("failed to create TUF client: %w", err) + return nil, fmt.Errorf("failed to create TUF client: %v", err) } trustedRoot, err := root.GetTrustedRoot(client) if err != nil { @@ -183,7 +183,7 @@ func newGitHubVerifier() (*verify.SignedEntityVerifier, error) { } gv, err := verify.NewSignedEntityVerifier(trustedRoot, verify.WithSignedTimestamps(1)) if err != nil { - return nil, fmt.Errorf("failed to create GitHub verifier: %w", err) + return nil, fmt.Errorf("failed to create GitHub verifier: %v", err) } return gv, nil 
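Review bot: In the `Verify` hunk at -136, `issuer` is interpolated with `\"%s\"` on the path where verification has just failed, and it appears to come from the bundle's leaf certificate via `chooseVerifier` (whose body is only partly visible here), so it is not yet trusted content. `%q` quotes the value and escapes non-printable characters, which keeps a crafted value from altering terminal output: `Error: fmt.Errorf("verifying with issuer %q: %v", issuer, err),`. For ordinary issuer strings the rendered message is unchanged. `Verify` continues outside the hunk.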
@@ -192,16 +192,16 @@ func newGitHubVerifier() (*verify.SignedEntityVerifier, error) { func newPublicGoodVerifier() (*verify.SignedEntityVerifier, error) { client, err := tuf.DefaultClient() if err != nil { - return nil, fmt.Errorf("failed to create TUF client: %w", err) + return nil, fmt.Errorf("failed to create TUF client: %v", err) } trustedRoot, err := root.GetTrustedRoot(client) if err != nil { - return nil, fmt.Errorf("failed to get trusted root: %w", err) + return nil, fmt.Errorf("failed to get trusted root: %v", err) } sv, err := verify.NewSignedEntityVerifier(trustedRoot, verify.WithSignedCertificateTimestamps(1), verify.WithTransparencyLog(1), verify.WithObserverTimestamps(1)) if err != nil { - return nil, fmt.Errorf("failed to create Public Good verifier: %w", err) + return nil, fmt.Errorf("failed to create Public Good verifier: %v", err) } return sv, nil diff --git a/pkg/cmd/attestation/verify/policy_test.go b/pkg/cmd/attestation/verify/policy_test.go index 76a299488..f15144314 100644 --- a/pkg/cmd/attestation/verify/policy_test.go +++ b/pkg/cmd/attestation/verify/policy_test.go @@ -9,6 +9,8 @@ import ( "github.com/stretchr/testify/require" ) +// This tests that a policy can be built from a valid artifact +// Note that policy use is tested in verify_test.go in this package func TestBuildPolicy(t *testing.T) { ociClient := oci.MockClient{} artifactPath := "../test/data/sigstore-js-2.1.0.tgz" diff --git a/pkg/cmd/attestation/verify/verify.go b/pkg/cmd/attestation/verify/verify.go index 174d1ce8b..e39c8e7f1 100644 --- a/pkg/cmd/attestation/verify/verify.go +++ b/pkg/cmd/attestation/verify/verify.go @@ -106,7 +106,7 @@ func NewVerifyCmd(f *cmdutil.Factory, runF func(*Options) error) *cobra.Command } if err := runVerify(opts); err != nil { - return fmt.Errorf("Failed to verify the artifact: %w", err) + return fmt.Errorf("Failed to verify the artifact: %v", err) } return nil }, 
@@ -159,7 +159,7 @@ func runVerify(opts *Options) error { policy, err := buildVerifyPolicy(opts, *artifact) if err != nil { - return fmt.Errorf("failed to build policy: %w", err) + return fmt.Errorf("failed to build policy: %v", err) } config := verification.SigstoreConfig{ @@ -175,7 +175,7 @@ func runVerify(opts *Options) error { sigstoreRes := sv.Verify(attestations) if sigstoreRes.Error != nil { - return fmt.Errorf("at least one attestation failed to verify against Sigstore: %w", sigstoreRes.Error) + return fmt.Errorf("at least one attestation failed to verify against Sigstore: %v", sigstoreRes.Error) } opts.Logger.VerbosePrint(opts.Logger.ColorScheme.Green( @@ -184,7 +184,7 @@ func runVerify(opts *Options) error { // Try verifying the attestation's predicate type against the expect SLSA predicate type if err = verifySLSAPredicateType(opts.Logger, sigstoreRes.VerifyResults); err != nil { - return fmt.Errorf("at least one attestation failed to verify predicate type verification: %w", err) + return fmt.Errorf("at least one attestation failed to verify predicate type verification: %v", err) } opts.Logger.VerbosePrint(opts.Logger.ColorScheme.Green("Successfully verified the SLSA predicate type of all attestations!\n"))