From 0a634f3951ae54d573e5fb8eaf3cf40aeab811a0 Mon Sep 17 00:00:00 2001 From: cpanato Date: Wed, 31 Aug 2022 11:10:15 +0200 Subject: [PATCH] upgrade to go1.19 Signed-off-by: cpanato --- .github/workflows/validate-release.yml | 4 ++-- .github/workflows/verify-k8s.yml | 7 +++---- .github/workflows/verify.yml | 2 +- .golangci.yml | 4 ++-- Dockerfile | 4 ++-- Dockerfile.ctfe_init | 2 +- federation/main.go | 8 ++++---- pkg/config/config.go | 5 ++--- pkg/config/config_network_test.go | 4 ++-- pkg/generated/protobuf/fulcio.pb.go | 20 ++++++------------- pkg/generated/protobuf/fulcio_grpc.pb.go | 12 +++++------ .../protobuf/legacy/fulcio_legacy.pb.go | 5 ----- pkg/server/max_bytes_test.go | 4 ++-- release/cloudbuild.yaml | 8 ++++---- 14 files changed, 37 insertions(+), 52 deletions(-) diff --git a/.github/workflows/validate-release.yml b/.github/workflows/validate-release.yml index c04288b4f..da247e6ad 100644 --- a/.github/workflows/validate-release.yml +++ b/.github/workflows/validate-release.yml @@ -30,8 +30,8 @@ jobs: permissions: {} env: - CROSS_BUILDER_IMAGE: ghcr.io/gythialy/golang-cross:v1.18.5-1@sha256:7dda2158ee68f0e4f53ca9bdf3971b2db01084dad4bdc775391e5f3bf40056a5 - COSIGN_IMAGE: gcr.io/projectsigstore/cosign:v1.10.1@sha256:9377edd13ae515dcb97c15052e577a2cbce098f36b0361bdb2348e3bdd8fe536 + CROSS_BUILDER_IMAGE: ghcr.io/gythialy/golang-cross:v1.19.1-0@sha256:8e4115486c3cc1c3da2b4f576afdc206718f61793854b79a491eb34c52ceed1a + COSIGN_IMAGE: gcr.io/projectsigstore/cosign:v1.12.0@sha256:880cc3ec8088fa59a43025d4f20961e8abc7c732e276a211cfb8b66793455dd0 steps: - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3 diff --git a/.github/workflows/verify-k8s.yml b/.github/workflows/verify-k8s.yml index dda221f1d..2db1a524d 100644 --- a/.github/workflows/verify-k8s.yml +++ b/.github/workflows/verify-k8s.yml 
@@ -70,10 +70,10 @@ jobs: with: go-version: ${{ env.GOVERSION }} - - uses: imjasonh/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.4 + - uses: imjasonh/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6 - name: Setup Cluster - uses: chainguard-dev/actions/setup-kind@84c993eaf02da1c325854fb272a4df9184bd80fc # main + uses: chainguard-dev/actions/setup-kind@7d1eb557f464d97e5fe5177807a9226141eb9308 # main with: k8s-version: v1.22.x registry-authority: ${{ env.REGISTRY_NAME }}:${{ env.REGISTRY_PORT }} @@ -87,7 +87,6 @@ jobs: -out "${{ github.run_id }}-cert.pem" \ -subj "/CN=ed25519" \ -days 36500 \ - -addext basicConstraints=critical,CA:TRUE,pathlen:1 \ -passout pass:"${{ github.run_id }}" - name: Deploy fulcio-system @@ -164,7 +163,7 @@ jobs: automountServiceAccountToken: false containers: - name: check-oidc - image: gcr.io/projectsigstore/cosign:v1.4.1 + image: gcr.io/projectsigstore/cosign:v1.12.0 args: [ "sign", "--fulcio-url=http://fulcio-server.fulcio-system.svc", diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml index c6ea28f72..12af81cda 100644 --- a/.github/workflows/verify.yml +++ b/.github/workflows/verify.yml @@ -56,7 +56,7 @@ jobs: timeout-minutes: 5 with: # Required: the version of golangci-lint is required and must be specified without patch version: we always use the latest patch version. - version: v1.48.0 + version: v1.49 oidc-config: name: oidc-config diff --git a/.golangci.yml b/.golangci.yml index 2bf306d7a..2ddcd657b 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -15,7 +15,7 @@ linters: enable: - - deadcode + - unused - errcheck - gofmt - goimports @@ -36,7 +36,7 @@ issues: linters: - staticcheck text: SA1019 - - path: pkg/ca/tinkca/signer.go + - path: pkg/ca/tinkca/signer.go linters: - staticcheck text: SA1019 diff --git a/Dockerfile b/Dockerfile index 3333e2f1f..1cd3b1da3 100644 --- a/Dockerfile +++ b/Dockerfile 
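Review bot: The setup-ko step in the first hunk changes only the version comment (`# v0.4` → `# v0.6`) while the pinned commit `ace48d793556083a76f1e3e6068850c1f4a369aa` is unchanged, so either the action was not actually upgraded or the old comment was wrong; either way the comment and the SHA should be checked against the upstream tag so the pin documents what actually runs. The `go-version: ${{ env.GOVERSION }}` line is context here and GOVERSION does not appear anywhere in the diffstat; if the runner's Go is meant to track the 1.19 images bumped elsewhere in this commit, that definition may need updating too.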
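Review bot: The second hunk drops `-addext basicConstraints=critical,CA:TRUE,pathlen:1` from the openssl req invocation that creates the test CA certificate, and neither the commit message nor the workflow explains why. If the reason is that the runner's newer OpenSSL already emits basicConstraints for `-x509` and rejects the duplicate, a comment on the step such as `# basicConstraints is added by default by openssl req -x509 on newer OpenSSL; passing it again fails` would keep a later reader from reintroducing it; if that is not the reason, the generated certificate no longer asserts CA:TRUE or a path length limit, which is worth confirming against what the fulcio deployment expects from its CA cert. The openssl command begins above the hunk.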
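Review bot: The cosign container image in the third hunk is bumped to `gcr.io/projectsigstore/cosign:v1.12.0` by tag only, while the same image is pinned by digest in validate-release.yml and release/cloudbuild.yaml in this very commit; a mutable tag lets the pod run an image other than the one reviewed here. Pin it consistently: `image: gcr.io/projectsigstore/cosign:v1.12.0@sha256:880cc3ec8088fa59a43025d4f20961e8abc7c732e276a211cfb8b66793455dd0`. The pod spec continues outside the hunk.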
@@ -13,7 +13,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM golang:1.18.5@sha256:fb249eca1b9172732de4950b0fb0fb5c231b83c2c90952c56d822d8a9de4d64b AS builder +FROM golang:1.19.1@sha256:2d17ffd12a2cdb25d4a633ad25f8dc29608ed84f31b3b983427d825280427095 AS builder ENV APP_ROOT=/opt/app-root ENV GOPATH=$APP_ROOT @@ -28,7 +28,7 @@ RUN go build -o server main.go RUN CGO_ENABLED=1 go build -gcflags "all=-N -l" -o server_debug main.go # Multi-Stage production build -FROM golang:1.18.5@sha256:fb249eca1b9172732de4950b0fb0fb5c231b83c2c90952c56d822d8a9de4d64b as deploy +FROM golang:1.19.1@sha256:2d17ffd12a2cdb25d4a633ad25f8dc29608ed84f31b3b983427d825280427095 as deploy # Retrieve the binary from the previous stage COPY --from=builder /opt/app-root/src/server /usr/local/bin/fulcio-server diff --git a/Dockerfile.ctfe_init b/Dockerfile.ctfe_init index aab512bfe..5bb531422 100644 --- a/Dockerfile.ctfe_init +++ b/Dockerfile.ctfe_init @@ -13,7 +13,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM golang:1.18.5@sha256:fb249eca1b9172732de4950b0fb0fb5c231b83c2c90952c56d822d8a9de4d64b AS builder +FROM golang:1.19.1@sha256:2d17ffd12a2cdb25d4a633ad25f8dc29608ed84f31b3b983427d825280427095 AS builder WORKDIR /root/ diff --git a/federation/main.go b/federation/main.go index 2c89f91b8..b55053581 100644 --- a/federation/main.go +++ b/federation/main.go @@ -17,7 +17,7 @@ package main import ( "encoding/json" - "io/ioutil" + "os" "path/filepath" "github.com/sigstore/fulcio/pkg/config" @@ -79,7 +79,7 @@ func main() { }, } for _, m := range matches { - b, err := ioutil.ReadFile(m) + b, err := os.ReadFile(m) if err != nil { panic(err) } @@ -106,7 +106,7 @@ func main() { } // Update the yaml - yb, err := ioutil.ReadFile("config/fulcio-config.yaml") + yb, err := os.ReadFile("config/fulcio-config.yaml") if err != nil { panic(err) } 
@@ -125,7 +125,7 @@ func main() { yamlWithBoilerplate := boilerPlate + string(newYaml) - if err := ioutil.WriteFile("config/fulcio-config.yaml", []byte(yamlWithBoilerplate), 0600); err != nil { + if err := os.WriteFile("config/fulcio-config.yaml", []byte(yamlWithBoilerplate), 0600); err != nil { panic(err) } } diff --git a/pkg/config/config.go b/pkg/config/config.go index 67f2c0416..f0314c3fa 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go @@ -21,7 +21,6 @@ import ( "encoding/json" "errors" "fmt" - "io/ioutil" "net/http" "net/url" "os" @@ -371,7 +370,7 @@ func Load(configPath string) (*FulcioConfig, error) { } return config, nil } - b, err := ioutil.ReadFile(configPath) + b, err := os.ReadFile(configPath) if err != nil { return nil, fmt.Errorf("read file: %w", err) } @@ -398,7 +397,7 @@ func Read(b []byte) (*FulcioConfig, error) { rootCAs = x509.NewCertPool() } const k8sCA = "/var/run/fulcio/ca.crt" - certs, err := ioutil.ReadFile(k8sCA) + certs, err := os.ReadFile(k8sCA) if err != nil { return nil, fmt.Errorf("read file: %w", err) } diff --git a/pkg/config/config_network_test.go b/pkg/config/config_network_test.go index 002030d72..52808181a 100644 --- a/pkg/config/config_network_test.go +++ b/pkg/config/config_network_test.go @@ -19,7 +19,7 @@ package config import ( "context" - "io/ioutil" + "os" "path/filepath" "testing" @@ -30,7 +30,7 @@ import ( func TestLoad(t *testing.T) { td := t.TempDir() cfgPath := filepath.Join(td, "config.json") - if err := ioutil.WriteFile(cfgPath, []byte(validCfg), 0644); err != nil { + if err := os.WriteFile(cfgPath, []byte(validCfg), 0644); err != nil { t.Fatal(err) } diff --git a/pkg/generated/protobuf/fulcio.pb.go b/pkg/generated/protobuf/fulcio.pb.go index 4a4490092..f1d26029b 100644 --- a/pkg/generated/protobuf/fulcio.pb.go +++ b/pkg/generated/protobuf/fulcio.pb.go 
@@ -94,10 +94,10 @@ type CreateSigningCertificateRequest struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - // // Identity information about who possesses the private / public key pair presented Credentials *Credentials `protobuf:"bytes,1,opt,name=credentials,proto3" json:"credentials,omitempty"` // Types that are assignable to Key: + // // *CreateSigningCertificateRequest_PublicKeyRequest // *CreateSigningCertificateRequest_CertificateSigningRequest Key isCreateSigningCertificateRequest_Key `protobuf_oneof:"key"` @@ -168,14 +168,12 @@ type isCreateSigningCertificateRequest_Key interface { } type CreateSigningCertificateRequest_PublicKeyRequest struct { - // // The public key to be stored in the requested certificate along with a signed // challenge as proof of possession of the private key. PublicKeyRequest *PublicKeyRequest `protobuf:"bytes,2,opt,name=public_key_request,json=publicKeyRequest,proto3,oneof"` } type CreateSigningCertificateRequest_CertificateSigningRequest struct { - // // PKCS#10 PEM-encoded certificate signing request // // Contains the public key to be stored in the requested certificate. All other CSR fields @@ -195,6 +193,7 @@ type Credentials struct { unknownFields protoimpl.UnknownFields // Types that are assignable to Credentials: + // // *Credentials_OidcIdentityToken Credentials isCredentials_Credentials `protobuf_oneof:"credentials"` } @@ -250,7 +249,6 @@ type isCredentials_Credentials interface { } type Credentials_OidcIdentityToken struct { - // // The OIDC token that identifies the caller OidcIdentityToken string `protobuf:"bytes,1,opt,name=oidc_identity_token,json=oidcIdentityToken,proto3,oneof"` } 
@@ -262,10 +260,8 @@ type PublicKeyRequest struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - // // The public key to be stored in the requested certificate PublicKey *PublicKey `protobuf:"bytes,1,opt,name=public_key,json=publicKey,proto3" json:"public_key,omitempty"` - // // Proof that the client possesses the private key; must be verifiable by provided public key // // This is a currently a signature over the `sub` claim from the OIDC identity token @@ -323,10 +319,8 @@ type PublicKey struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - // // The cryptographic algorithm to use with the key material Algorithm PublicKeyAlgorithm `protobuf:"varint,1,opt,name=algorithm,proto3,enum=dev.sigstore.fulcio.v2.PublicKeyAlgorithm" json:"algorithm,omitempty"` - // // PKIX, ASN.1 DER or PEM-encoded public key. PEM is typically // of type PUBLIC KEY. Content string `protobuf:"bytes,2,opt,name=content,proto3" json:"content,omitempty"` @@ -384,6 +378,7 @@ type SigningCertificate struct { unknownFields protoimpl.UnknownFields // Types that are assignable to Certificate: + // // *SigningCertificate_SignedCertificateDetachedSct // *SigningCertificate_SignedCertificateEmbeddedSct Certificate isSigningCertificate_Certificate `protobuf_oneof:"certificate"` 
@@ -459,19 +454,18 @@ func (*SigningCertificate_SignedCertificateDetachedSct) isSigningCertificate_Cer func (*SigningCertificate_SignedCertificateEmbeddedSct) isSigningCertificate_Certificate() {} // (-- api-linter: core::0142::time-field-type=disabled -// aip.dev/not-precedent: SCT is defined in RFC6962 and we keep the name consistent for easier understanding. --) +// +// aip.dev/not-precedent: SCT is defined in RFC6962 and we keep the name consistent for easier understanding. --) type SigningCertificateDetachedSCT struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - // // The certificate chain serialized with the leaf certificate first, followed // by all intermediate certificates (if present), finishing with the root certificate. // // All values are PEM-encoded certificates. Chain *CertificateChain `protobuf:"bytes,1,opt,name=chain,proto3" json:"chain,omitempty"` - // // The Signed Certificate Timestamp (SCT) is a promise for including the certificate in // a certificate transparency log. It can be "stapled" to verify the inclusion of // a certificate in the log in an offline fashion. @@ -532,7 +526,6 @@ type SigningCertificateEmbeddedSCT struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - // // The certificate chain serialized with the leaf certificate first, followed // by all intermediate certificates (if present), finishing with the root certificate. // @@ -627,7 +620,6 @@ type TrustBundle struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - // // The set of PEM-encoded certificate chains for this Fulcio instance; each chain will start with any // intermediate certificates (if present), finishing with the root certificate. Chains []*CertificateChain `protobuf:"bytes,1,rep,name=chains,proto3" json:"chains,omitempty"` 
@@ -677,7 +669,6 @@ type CertificateChain struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - // // The PEM-encoded certificate chain, ordered from leaf to intermediate to root as applicable. Certificates []string `protobuf:"bytes,1,rep,name=certificates,proto3" json:"certificates,omitempty"` } @@ -816,6 +807,7 @@ type OIDCIssuer struct { unknownFields protoimpl.UnknownFields // Types that are assignable to Issuer: + // // *OIDCIssuer_IssuerUrl // *OIDCIssuer_WildcardIssuerUrl Issuer isOIDCIssuer_Issuer `protobuf_oneof:"issuer"` diff --git a/pkg/generated/protobuf/fulcio_grpc.pb.go b/pkg/generated/protobuf/fulcio_grpc.pb.go index 24fc07729..df8c8fb0f 100644 --- a/pkg/generated/protobuf/fulcio_grpc.pb.go +++ b/pkg/generated/protobuf/fulcio_grpc.pb.go @@ -22,13 +22,13 @@ const _ = grpc.SupportPackageIsVersion7 // // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. type CAClient interface { - //* + // * // Returns an X.509 certificate created by the Fulcio certificate authority for the given request parameters CreateSigningCertificate(ctx context.Context, in *CreateSigningCertificateRequest, opts ...grpc.CallOption) (*SigningCertificate, error) - //* + // * // Returns the bundle of certificates that can be used to validate code signing certificates issued by this Fulcio instance GetTrustBundle(ctx context.Context, in *GetTrustBundleRequest, opts ...grpc.CallOption) (*TrustBundle, error) - //* + // * // Returns the configuration of supported OIDC issuers, including the required challenge for each issuer. GetConfiguration(ctx context.Context, in *GetConfigurationRequest, opts ...grpc.CallOption) (*Configuration, error) } 
@@ -72,13 +72,13 @@ func (c *cAClient) GetConfiguration(ctx context.Context, in *GetConfigurationReq // All implementations must embed UnimplementedCAServer // for forward compatibility type CAServer interface { - //* + // * // Returns an X.509 certificate created by the Fulcio certificate authority for the given request parameters CreateSigningCertificate(context.Context, *CreateSigningCertificateRequest) (*SigningCertificate, error) - //* + // * // Returns the bundle of certificates that can be used to validate code signing certificates issued by this Fulcio instance GetTrustBundle(context.Context, *GetTrustBundleRequest) (*TrustBundle, error) - //* + // * // Returns the configuration of supported OIDC issuers, including the required challenge for each issuer. GetConfiguration(context.Context, *GetConfigurationRequest) (*Configuration, error) mustEmbedUnimplementedCAServer() diff --git a/pkg/generated/protobuf/legacy/fulcio_legacy.pb.go b/pkg/generated/protobuf/legacy/fulcio_legacy.pb.go index 9a1c95edb..c34f35399 100644 --- a/pkg/generated/protobuf/legacy/fulcio_legacy.pb.go +++ b/pkg/generated/protobuf/legacy/fulcio_legacy.pb.go @@ -44,17 +44,14 @@ type CreateSigningCertificateRequest struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - // // The public key to be stored in the requested certificate // // Deprecated: Do not use. PublicKey *PublicKey `protobuf:"bytes,1,opt,name=publicKey,proto3" json:"publicKey,omitempty"` - // // Proof that the client possesses the private key // // Deprecated: Do not use. SignedEmailAddress []byte `protobuf:"bytes,2,opt,name=signedEmailAddress,proto3" json:"signedEmailAddress,omitempty"` - // // Optional: PKCS#10 PEM-encoded certificate signing request // Contains the public key to be stored in the requested // certificate. All other CSR fields are ignored. Since 
@@ -126,12 +123,10 @@ type PublicKey struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - // // The cryptographic algorithm to use with the key material // // Deprecated: Do not use. Algorithm string `protobuf:"bytes,1,opt,name=algorithm,proto3" json:"algorithm,omitempty"` - // // PKIX, ASN.1 DER or PEM-encoded public key. PEM is typically // of type PUBLIC KEY. // diff --git a/pkg/server/max_bytes_test.go b/pkg/server/max_bytes_test.go index ffb0f2a4e..67a3a6076 100644 --- a/pkg/server/max_bytes_test.go +++ b/pkg/server/max_bytes_test.go @@ -16,7 +16,7 @@ package server import ( - "io/ioutil" + "io" "net/http" "net/http/httptest" "strings" @@ -26,7 +26,7 @@ import ( func TestWithMaxBytes(t *testing.T) { var maxBodySize int64 = 10 handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - _, err := ioutil.ReadAll(r.Body) + _, err := io.ReadAll(r.Body) if err != nil { http.Error(w, err.Error(), http.StatusBadRequest) return diff --git a/release/cloudbuild.yaml b/release/cloudbuild.yaml index e3f0d56bb..8358a983f 100644 --- a/release/cloudbuild.yaml +++ b/release/cloudbuild.yaml 
@@ -32,16 +32,16 @@ steps: echo "Checking out ${_GIT_TAG}" git checkout ${_GIT_TAG} -- name: 'gcr.io/projectsigstore/cosign:v1.10.1@sha256:9377edd13ae515dcb97c15052e577a2cbce098f36b0361bdb2348e3bdd8fe536' +- name: 'gcr.io/projectsigstore/cosign:v1.12.0@sha256:880cc3ec8088fa59a43025d4f20961e8abc7c732e276a211cfb8b66793455dd0' dir: "go/src/sigstore/fulcio" env: - COSIGN_EXPERIMENTAL=true - TUF_ROOT=/tmp args: - 'verify' - - 'ghcr.io/gythialy/golang-cross:v1.18.5-1@sha256:7dda2158ee68f0e4f53ca9bdf3971b2db01084dad4bdc775391e5f3bf40056a5' + - 'ghcr.io/gythialy/golang-cross:v1.19.1-0@sha256:8e4115486c3cc1c3da2b4f576afdc206718f61793854b79a491eb34c52ceed1a' -- name: ghcr.io/gythialy/golang-cross:v1.18.5-1@sha256:7dda2158ee68f0e4f53ca9bdf3971b2db01084dad4bdc775391e5f3bf40056a5 +- name: ghcr.io/gythialy/golang-cross:v1.19.1-0@sha256:8e4115486c3cc1c3da2b4f576afdc206718f61793854b79a491eb34c52ceed1a entrypoint: /bin/sh dir: "go/src/sigstore/fulcio" env: @@ -65,7 +65,7 @@ steps: gcloud auth configure-docker \ && make release -- name: ghcr.io/gythialy/golang-cross:v1.18.5-1@sha256:7dda2158ee68f0e4f53ca9bdf3971b2db01084dad4bdc775391e5f3bf40056a5 +- name: ghcr.io/gythialy/golang-cross:v1.19.1-0@sha256:8e4115486c3cc1c3da2b4f576afdc206718f61793854b79a491eb34c52ceed1a entrypoint: 'bash' dir: "go/src/sigstore/fulcio" env: