diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7c4b25c8..b8d7dbdf 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -11,7 +11,7 @@ on:
 
 env:
   DESTDIR: ./bin
-  GO_VERSION: 1.16.7
+  GO_VERSION: 1.18.5
 
 jobs:
   validate:
@@ -20,6 +20,7 @@ jobs:
       fail-fast: false
       matrix:
         target:
+          - lint
           - validate-vendor
     steps:
       -
@@ -58,9 +59,37 @@ jobs:
         run: |
           sudo apt-get update
           sudo apt-get install -y dbus-x11 gnome-keyring libsecret-1-dev pass
+      -
+        name: GPG conf
+        if: ${{ matrix.os == 'ubuntu-20.04' }}
+        uses: actions/github-script@v6
+        id: gpg
+        with:
+          script: |
+            const fs = require('fs');
+            const gnupgfolder = `${require('os').homedir()}/.gnupg`;
+            if (!fs.existsSync(gnupgfolder)){
+              fs.mkdirSync(gnupgfolder);
+            }
+            fs.copyFile('.github/workflows/fixtures/gpg.conf', `${gnupgfolder}/gpg.conf`, (err) => {
+              if (err) throw err;
+            });
+            core.setOutput('key', fs.readFileSync('.github/workflows/fixtures/7D851EB72D73BDA0.key', {encoding: 'utf8'}));
+            core.setOutput('passphrase', fs.readFileSync('.github/workflows/fixtures/7D851EB72D73BDA0.pass', {encoding: 'utf8'}));
+      -
+        name: Import GPG key
+        if: ${{ matrix.os == 'ubuntu-20.04' }}
+        uses: crazy-max/ghaction-import-gpg@v5
+        with:
+          gpg_private_key: ${{ steps.gpg.outputs.key }}
+          passphrase: ${{ steps.gpg.outputs.passphrase }}
       -
         name: Test
         run: |
+          if [ "${{ matrix.os }}" = "ubuntu-20.04" ]; then
+            echo -e "trust\n5\ny" | gpg --batch --no-tty --command-fd 0 --edit-key 7D851EB72D73BDA0
+            pass init 7D851EB72D73BDA0
+          fi
           go test -short -v -coverprofile=./coverage.txt -covermode=atomic ./...
           go tool cover -func=./coverage.txt
         shell: bash
diff --git a/.github/workflows/fixtures/7D851EB72D73BDA0.key b/.github/workflows/fixtures/7D851EB72D73BDA0.key
new file mode 100644
index 00000000..68172737
--- /dev/null
+++ b/.github/workflows/fixtures/7D851EB72D73BDA0.key
@@ -0,0 +1,106 @@
+-----BEGIN PGP PRIVATE KEY BLOCK-----
+
+lQdGBF6tzaABEACjFbX7PFEG6vDPN2MPyxYW7/3o/sonORj4HXUFjFxxJxktJ3x3
+N1ayHPJ1lqIeoiY7jVbq0ZdEVGkd3YsKG9ZMdZkzGzY6PQPC/+M8OnzOiOPwUdWc
++Tdhh115LvVz0MMKYiab6Sn9cgxj9On3LCQKpjvMDpPo9Ttf6v2GQIw8h2ACvdzQ
+71LtIELS/I+dLbfZiwpUu2fhQT13EJkEnYMOYwM5jNUd66P9itUc7MrOWjkicrKP
+oF1dQaCM+tuKuxvD8WLdiwU5x60NoGkJHHUehKQXl2dVzjpqEqHKEBJt9tfJ9lpE
+YIisgwB8o3pes0fgCehjW2zI95/o9+ayJ6nl4g5+mSvWRXEu66h71nwM0Yuvquk8
+3me7qhYfDrDdCwcxS5BS1hwakTgUQLD99FZjbx1j8sq96I65O0GRdyU2PR8KIjwu
+JrkTH4ZlKxK3FQghUhFoA5GkiDb+eClmRMSni5qg+81T4XChmUkEprA3eWCHL+Ma
+xRNNxLS+r6hH9HG5JBxpV3iaTI9HHpnQKhEeaLXqsUTDZliN9hP7Ywo8bpUB8j2d
+oWYwDV4dPyMKr6Fb8RDCh2q5gJGbVp8w/NmmBTeL+IP2fFggJkRfyumv3Ul7x66L
+tBFQ4rYo4JUUrGweSTneG6REIgxH66hIrNl6Vo/D1ZyknTe1dMOu/BTkkQARAQAB
+/gcDAqra8KO+h3bfyu90vxTL1ro4x/x9il7VBcWlIR4cBP7Imgxv+T4hwPIu8P1x
+lOlxLNWegFOV0idoTy1o3VLLBev/F+IlspX4A+2XEIddR6nZnKFi0Lv2L4TKgE9E
+VJJTszmviDIRLMLN9dWzDfA8hj5tR5Inot92CHRF414AS22JHvlhbFSLQnjqsN+C
+n1cQpNOJhkxsSfZsxjnFa/70y/u8v0o8mzyLZmk9HpzRHGzoz8IfpLp8OTqBR9u6
+zzoKLy16zZO55OKbj7h8uVZvDUq9l8iDICpqWMdZqBJIl56MBexYKgYxh3YO/8v2
+oXli+8Xuaq5QLiCN3yT7IbKoYzplnFfaJwFiMh7R1iPLXaYAZ0qdRijlbtseTK1m
+oHNkwUbxVzjkh4LfE8UpmMwZn5ZjWni3230SoiXuKy0OHkGvwGvWWAL1mEuoYuUI
+mFMcH5MnixP8oQYZKDj2IR/yEeOpdU6B/tr3Tk1NidLf7pUMqG7Ff1NU6dAUeBpa
+9xahITMjHvrhgMISY4IYZep5cEnVw8lQTpUJtW/ePMzrFhu3sA7oNdj9joW/VMfz
+H7MHwwavtICsYqoqV3lnjX4EC9dW6o8PTUg2u956dmtK7KAyUK/+w2aLNGT28ChN
+jhRYHvHzB9Kw5asqI/lTM49eqslBqYQMTTjdBphkYuSZQzNMf291j/ZmoLhD1A1a
+S8tUnNygKV4D1cJYgSXfzhFoU8ib/0SPo+KqQ+CzGS+wxXg6WNBA6wepTjpnVVx3
+4JADP8IJcDC3P0iwAreWjSy15F1cvemFFB0SLNUkyZGzsxtKzbM1+8khl68+eazC
+LzRj0rxfIF5znWjX1QFhKxCk6eF0IWDY0+b3DBkmChME9YDXJ3TthcqA7JgcX4JI
+M4/wdqhgerJYOmj+i2Q0M+Bu02icOJYMwTMMsDVl7XGHkaCuRgZ54eZAUH7JFwUm
+1Ct3tcaqiTMmz0ngHVqBTauzgqKDvzwdVqdfg05H364nJMay/3omR6GayIb5CwSo
+xdNVwG3myPPradT9MP09mDr4ys2zcnQmCkvTVBF6cMZ1Eh6PQQ8CyQWv0zkaBnqj
+JrM1hRpgW4ZlRosSIjCaaJjolN5QDcXBM9TbW9ww+ZYstazN2bV1ZQ7BEjlHQPa1
+BhzMsvqkbETHsIpDNF52gZKn3Q9eIX05BeadzpHUb5/XOheIHVIdhSaTlgl/qQW5
+hQgPGSzSV6KhXEY7aevTdvOgq++WiELkjfz2f2lQFesTjFoQWEvxVDUmLxHtEhaN
+DOuh4H3mX5Opn3pLQmqWVhJTbFdx+g5qQd0NCW4mDaTFWTRLFLZQsSJxDSeg9xrY
+gmaii8NhMZRwquADW+6iU6KfraBhngi7HRz4TfqPr9ma/KUY464cqim1fnwXejyx
+jsb5YHR9R66i+F6P/ysF5w+QuVdDt1fnf9GLay0r6qxpA8ft2vGPcDs4806Huj+7
+Aq5VeJaNkCuh3GR3xVnCFAz/7AtkO6xKuZm8B3q904UuMdSmkhWbaobIuF/B2B6S
+eawIXQHEOplK3ic26d8Ckf4gbjeORfELcMAEi5nGXpTThCdmxQApCLxAYYnTfQT1
+xhlDwT9xPEabo98mIwJJsAU5VsTDYW+qfo4qIx8gYoSKc9Xu3yVh3n+9k43Gcm5V
+9lvK1slijf+TzODZt/jsmkF8mPjXyP5KOI+xQp/m4PxW3pp57YrYj/Rnwga+8DKX
+jMsW7mLAAZ/e+PY6z/s3x1Krfk+Bb5Ph4mI0zjw5weQdtyEToRgveda0GEpvZSBU
+ZXN0ZXIgPGpvZUBmb28uYmFyPokCNgQQAQgAIAUCXq3NoAYLCQcIAwIEFQgKAgQW
+AgEAAhkBAhsDAh4BAAoJEH2FHrctc72gxtQP/AulaClIcn/kDt43mhYnyLglPfbo
+AqPlU26chXolBg0Wo0frFY3aIs5SrcWEf8aR4XLwCFGyi3vya0CUxjghN5tZBYqo
+vswbT00zP3ohxxlJFCRRR9bc7OZXCgTddtfVf6EKrUAzIkbWyAhaJnwJy/1UGpSw
+SEO/KpastrVKf3sv1wqOeFQ4DFyjaNda+xv3dVWS8db7KogqJiPFZXrQK3FKVIxS
+fxRSmKaYN7//d+xwVAEY++RrnL/o8B2kV6N68cCpQWJELyYnJzis9LBcWd/3wiYh
+efTyY+ePKUjcB+kEZnyJfLc7C2hll2e7UJ0fxv+k8vHReRhrNWmGRXsjNRxiw3U0
+hfvxD/C8nyqAbeTHp4XDX78Tc3XCysAqIYboIL+RyewDMjjLj5vzUYAdUdtyNaD7
+C6M2R6pN1GAt52CJmC/Z6F7W7GFGoYOdEkVdMQDsjCwScyEUNlGj9Zagw5M2EgSe
+6gaHgMgTzsMzCc4W6WV5RcS55cfDNOXtxPsMJTt4FmXrjl11prBzpMfpU5a9zxDZ
+oi54ZZ8VPE6jsT4Lzw3sni3c83wm28ArM20AzZ1vh7fk3Sfd0u4Yaz7s9JlEm5+D
+34tEyli28+QjCQc18EfQUiJqiYEJRxJXJ3esvMHfYi45pV/Eh5DgRW1305fUJV/6
++rGpg0NejsHoZdZPnQdGBF6tzaABEAC4mVXTkVk6Kdfa4r5zlzsoIrR27laUlMkb
+OBMt+aokqS+BEbmTnMg6xIAmcUT5uvGAc8S/WhrPoYfc15fTUyHIz8ZbDoAg0LO6
+0Io4VkAvNJNEnsSV9VdLBh/XYlc4K49JqKyWTL4/FJFAGbsmHY3b+QU90AS6FYRv
+KeBAoiyebrjx0vmzb8E8h3xthVLN+AfMlR1ickY62zvnpkbncSMY/skur1D2KfbF
+3sFprty2pEtjFcyB5+18l2IyyHGOlEUw1PZdOAV4/Myh1EZRgYBPs80lYTJALCVF
+IdOakH33WJCImtNZB0AbDTABG+JtMjQGscOa0qzf1Y/7tlhgCrynBBdaIJTx95TD
+21BUHcHOu5yTIS6Ulysxfkv611+BiOKHgdq7DVGP78VuzA7bCjlP1+vHqIt3cnIa
+t2tEyuZ/XF4uc3/i4g0uP9r7AmtET7Z6SKECWjpVv+UEgLx5Cv+ql+LSKYQMvU9a
+i3B1F9fatn3FSLVYrL4aRxu4TSw9POb0/lgDNmN3lGQOsjGCZPibkHjgPEVxKuiq
+9Oi38/VTQ0ZKAmHwBTq1WTZIrPrCW0/YMQ6yIJZulwQ9Yx1cgzYzEfg04fPXlXMi
+vkvNpKbYIICzqj0/DVztz9wgpW6mnd0A2VX2dqbMM0fJUCHA6pj8AvXY4R+9Q4rj
+eWRK9ycInQARAQAB/gcDApjt7biRO0PEyrrAiUwDMsJL4/CVMu11qUWEPjKe2Grh
+ZTW3N+m3neKPRULu+LUtndUcEdVWUCoDzAJ7MwihZtV5vKST/5Scd2inonOaJqoA
+nS3wnEMN/Sc93HAZiZnFx3NKjQVNCwbuEs45mXkkcjLm2iadrTL8fL4acsu5IsvD
+LbDwVOPeNnHKl6Hr20e39fK0FuJEyH49JM6U3B1/8385sJB8+E24+hvSF81aMddh
+Ne4Bc3ZYiYaKxe1quPNKC0CQhAZiT7LsMfkInXr0hY1I+kISNXEJ1dPYOEWiv0Ze
+jD5Pupn34okKNEeBCx+dK8BmUCi6Jgs7McUA7hN0D/YUS++5fuR55UQq2j8Ui0tS
+P8GDr86upH3PgEL0STh9fYfJ7TesxurwonWjlmmT62Myl4Pr+RmpS6PXOnhtcADm
+eGLpzhTveFj4JBLMpyYHgBTqcs12zfprATOpsI/89kmQoGCZpG6+AbfSHqNNPdy2
+eqUCBhOZlIIda1z/cexmU3f/gBqyflFf8fkvmlO4AvI8aMH3OpgHdWnzh+AB51xj
+kmdD/oWel9v7Dz4HoZUfwFaLZ0fE3P9voD8e+sCwqQwVqRY4L/BOYPD5noVOKgOj
+ABNKu5uKrobj6rFUi6DTUCjFGcmoF1Sc06xFNaagUNggRbmlC/dz22RWdDUYv5ra
+N6TxIDkGC0cK6ujyK0nes3DN0aHjgwWuMXDYkN3UckiebI4Cv/eF9jvUKOSiIcy1
+RtxdazZS4dYg2LBMeJKVkPi5elsNyw2812nEY3du/nEkQYXfYgWOF27OR+g4Y9Yw
+1BiqJ1TTjbQnd/khOCrrbzDH1mw00+1XVsT6wjObuYqqxPPS87UrqmMf6OdoYfPm
+zEOnNLBnsJ5VQM3A3pcT40RfdBrZRO8LjGhzKTreyq3C+jz0RLa5HNE8GgOhGyck
+ME4h+RhXlE8KGM+tTo6PA1NJSrEt+8kZzxjP4rIEn0aVthCkNXK12inuXtnHm0ao
+iLUlQOsfPFEnzl0TUPd7+z7j/wB+XiKU/AyEUuB0mvdxdKtqXvajahOyhLjzHQhz
+ZnNlgANGtiqcSoJmkJ8yAvhrtQX51fQLftxbArRW1RYk/5l+Gy3azR+gUC17M6JN
+jrUYxn0zlAxDGFH7gACHUONwVekcuEffHzgu2lk7MyO1Y+lPnwabqjG0eWWHuU00
+hskJlXyhj7DeR12bwjYkyyjG62GvOH02g3OMvUgNGH+K321Dz539csCh/xwtg7Wt
+U3YAphU7htQ1dPDfk1IRs7DQo2L+ZTE57vmL5m0l6fTataEWBPUXkygfQFUJOM6Q
+yY76UEZww1OSDujNeY171NSTzXCVkUeAdAMXgjaHXWLK2QUQUoXbYX/Kr7Vvt9Fu
+Jh6eGjjp7dSjQ9+DW8CAB8vxd93gsQQGWYjmGu8khkEmx6OdZhmSbDbe915LQTb9
+sPhk2s5/Szsvr5W2JJ2321JI6KXBJMZvPC5jEBWmRzOYkRd2vloft+CSMfXF+Zfd
+nYtc6R3dvb9vcjo+a9wFtfcoDsO0MaPSM+9GB25MamdatmGX6iLOy9Re1UABwUi/
+VhTWNkP5uzqx0sDwHEIa2rYOwxpIZDwwjM3oOASCW1DDBQ0BI9KNjfIeL3ubx2mS
+2x8hFU9qSK4umoDNbzOqGPSlkdbiPcNjF2ZcSN1qQZiYdwLL5dw6APNyBVjxTN1J
+gkCdJ/HwAY+r93Lbl5g8gz8d0vJEyfn//34sn9u+toSTw55GcG9Ks1kSKIeDNh0h
+MiPm3HmJAh8EGAEIAAkFAl6tzaACGwwACgkQfYUety1zvaBV9hAAgliX36pXJ59g
+3I9/4R68e/fGg0FMM6D+01yCeiKApOYRrJ0cYKn7ITDYmHhlGGpBAie90UsqX12h
+hdLP7LoQx7sjTyzQt6JmpA8krIwi2ON7FKBkdYb8IYx4mE/5vKnYT4/SFnwTmnZY
++m+NzK2U/qmhq8JyO8gozdAKJUcgz49IVv2Ij0tQ4qaPbyPwQxIDyKnT758nJhB1
+jTqo+oWtER8q3okzIlqcArqn5rDaNJx+DRYL4E/IddyHQAiUWUka8usIUqeW5reu
+zoPUE2CCfOJSGArkqHQQqMx0WEzjQTwAPaHrQbera4SbiV/o4CLCV/u5p1Qnig+Q
+iUsakmlD299t//125LIQEa5qzd9hRC7u1uJS7VdW8eGIEcZ0/XT/sr+z23z0kpZH
+D3dXPX0BwM4IP9xu31CNg10x0rKwjbxy8VaskFEelpqpu+gpAnxqMd1evpeUHcOd
+r5RgPgkNFfba9Nbxf7uEX+HOmsOM+kdtSmdGIvsBZjVnW31nnoDMp49jG4OynjrH
+cRuoM9sxdr6UDqb22CZ3/e0YN4UaZM3YDWMVaP/QBVgvIFcdByqNWezpd9T4ZUII
+MZlaV1uRnHg6B/zTzhIdMM80AXz6Uv6kw4S+Lt7HlbrnMT7uKLuvzH7cle0hcIUa
+PejgXO0uIRolYQ3sz2tMGhx1MfBqH64=
+=WbwB
+-----END PGP PRIVATE KEY BLOCK-----
\ No newline at end of file
diff --git a/.github/workflows/fixtures/7D851EB72D73BDA0.pass b/.github/workflows/fixtures/7D851EB72D73BDA0.pass
new file mode 100644
index 00000000..ba6352f5
--- /dev/null
+++ b/.github/workflows/fixtures/7D851EB72D73BDA0.pass
@@ -0,0 +1 @@
+with stupid passphrase
\ No newline at end of file
diff --git a/ci/before_script_linux.sh b/.github/workflows/fixtures/generate.sh
similarity index 59%
rename from ci/before_script_linux.sh
rename to .github/workflows/fixtures/generate.sh
index 9fc0ea2d..2f2af822 100644
--- a/ci/before_script_linux.sh
+++ b/.github/workflows/fixtures/generate.sh
@@ -1,9 +1,6 @@
+#!/usr/bin/env sh
 set -ex
 
-sh -e /etc/init.d/xvfb start
-sleep 3 # give xvfb some time to start
-
-# init key for pass
 gpg --batch --gen-key <<-EOF
 %echo Generating a standard key
 Key-Type: DSA
@@ -17,6 +14,3 @@ Expire-Date: 0
 %commit
 %echo done
 EOF
-
-key=$(gpg --no-auto-check-trustdb --list-secret-keys | grep ^sec | cut -d/ -f2 | cut -d" " -f1)
-pass init $key
diff --git a/.github/workflows/fixtures/gpg-agent.conf b/.github/workflows/fixtures/gpg-agent.conf
new file mode 100644
index 00000000..a56651c2
--- /dev/null
+++ b/.github/workflows/fixtures/gpg-agent.conf
@@ -0,0 +1,3 @@
+default-cache-ttl 21600
+max-cache-ttl 31536000
+allow-preset-passphrase
\ No newline at end of file
diff --git a/.github/workflows/fixtures/gpg.conf b/.github/workflows/fixtures/gpg.conf
new file mode 100644
index 00000000..4418c056
--- /dev/null
+++ b/.github/workflows/fixtures/gpg.conf
@@ -0,0 +1,71 @@
+################################################################################
+# GnuPG Options
+
+# (OpenPGP-Configuration-Options)
+# Assume that command line arguments are given as UTF8 strings.
+utf8-strings
+
+# (OpenPGP-Protocol-Options)
+# Set the list of personal digest/cipher/compression preferences. This allows
+# the user to safely override the algorithm chosen by the recipient key
+# preferences, as GPG will only select an algorithm that is usable by all
+# recipients.
+personal-digest-preferences SHA512 SHA384 SHA256 SHA224
+personal-cipher-preferences AES256 AES192 AES CAST5 CAMELLIA192 BLOWFISH TWOFISH CAMELLIA128 3DES
+personal-compress-preferences ZLIB BZIP2 ZIP
+
+# Set the list of default preferences to string. This preference list is used
+# for new keys and becomes the default for "setpref" in the edit menu.
+default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
+
+# (OpenPGP-Esoteric-Options)
+# Use name as the message digest algorithm used when signing a key. Running the
+# program with the command --version yields a list of supported algorithms. Be
+# aware that if you choose an algorithm that GnuPG supports but other OpenPGP
+# implementations do not, then some users will not be able to use the key
+# signatures you make, or quite possibly your entire key.
+#
+# SHA-1 is the only algorithm specified for OpenPGP V4. By changing the
+# cert-digest-algo, the OpenPGP V4 specification is not met but with even
+# GnuPG 1.4.10 (release 2009) supporting SHA-2 algorithm, this should be safe.
+# Source: https://tools.ietf.org/html/rfc4880#section-12.2
+cert-digest-algo SHA512
+digest-algo SHA256
+
+# Selects how passphrases for symmetric encryption are mangled. 3 (the default)
+# iterates the whole process a number of times (see --s2k-count).
+s2k-mode 3
+
+# (OpenPGP-Protocol-Options)
+# Use name as the cipher algorithm for symmetric encryption with a passphrase
+# if --personal-cipher-preferences and --cipher-algo are not given. The
+# default is AES-128.
+s2k-cipher-algo AES256
+
+# (OpenPGP-Protocol-Options)
+# Use name as the digest algorithm used to mangle the passphrases for symmetric
+# encryption. The default is SHA-1.
+s2k-digest-algo SHA512
+
+# (OpenPGP-Protocol-Options)
+# Specify how many times the passphrases mangling for symmetric encryption is
+# repeated. This value may range between 1024 and 65011712 inclusive. The
+# default is inquired from gpg-agent. Note that not all values in the
+# 1024-65011712 range are legal and if an illegal value is selected, GnuPG will
+# round up to the nearest legal value. This option is only meaningful if
+# --s2k-mode is set to the default of 3.
+s2k-count 1015808
+
+################################################################################
+# GnuPG View Options
+
+# Select how to display key IDs. "long" is the more accurate (but less
+# convenient) 16-character key ID. Add an "0x" to include an "0x" at the
+# beginning of the key ID.
+keyid-format 0xlong
+
+# List all keys with their fingerprints. This is the same output as --list-keys
+# but with the additional output of a line with the fingerprint. If this
+# command is given twice, the fingerprints of all secondary keys are listed too.
+with-fingerprint
+with-fingerprint
diff --git a/.golangci.yml b/.golangci.yml
new file mode 100644
index 00000000..930e66a6
--- /dev/null
+++ b/.golangci.yml
@@ -0,0 +1,35 @@
+run:
+  timeout: 10m
+  modules-download-mode: vendor
+
+linters:
+  enable:
+    - gofmt
+    - govet
+    - deadcode
+    - depguard
+    - goimports
+    - ineffassign
+    - misspell
+    - unused
+    - varcheck
+    - revive
+    - staticcheck
+    - typecheck
+    - structcheck
+  disable-all: true
+
+linters-settings:
+  depguard:
+    list-type: blacklist
+    include-go-root: true
+    packages:
+      # The io/ioutil package has been deprecated.
+      # https://go.dev/doc/go1.16#ioutil
+      - io/ioutil
+
+issues:
+  exclude-rules:
+    - linters:
+        - revive
+      text: "stutters"
diff --git a/.travis.yml b/.travis.yml
deleted file mode 100644
index 7bd675af..00000000
--- a/.travis.yml
+++ /dev/null
@@ -1,24 +0,0 @@
----
-  # See appveyor.yml for windows build.
-  sudo: required
-  language: go
-  dist: trusty
-  osx_image: xcode10.1
-  os:
-    - linux
-    - osx
-  notifications:
-    email: false
-  go:
-    - 1.12.x
-  addons:
-    apt:
-      packages:
-        - libsecret-1-dev
-        - pass
-  before_script:
-    - make deps
-    - "export DISPLAY=:99.0"
-    - if [[ "$TRAVIS_OS_NAME" == "linux" ]]; then sh ci/before_script_linux.sh; fi
-    - make validate
-  script: make test
diff --git a/Dockerfile b/Dockerfile
index 85845fdb..219b8f20 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,6 +3,7 @@
 ARG GO_VERSION=1.18.5
 ARG XX_VERSION=1.1.2
 ARG OSXCROSS_VERSION=11.3-r7-alpine
+ARG GOLANGCI_LINT_VERSION=v1.47.3
 
 ARG PKG=github.com/docker/docker-credential-helpers
 
@@ -48,6 +49,14 @@ RUN --mount=type=bind,target=.,rw <<EOT
   fi
 EOT
 
+FROM golangci/golangci-lint:${GOLANGCI_LINT_VERSION}-alpine AS golangci-lint
+FROM gobase AS lint
+RUN apk add musl-dev gcc libsecret-dev pass
+RUN --mount=type=bind,target=. \
+    --mount=type=cache,target=/root/.cache \
+    --mount=from=golangci-lint,source=/usr/bin/golangci-lint,target=/usr/bin/golangci-lint \
+    golangci-lint run ./...
+
 FROM gobase AS version
 ARG PKG
 RUN --mount=target=. \
@@ -60,16 +69,28 @@ ARG TARGETPLATFORM
 RUN xx-apk add musl-dev gcc libsecret-dev pass
 
 FROM base AS test
+RUN xx-apk add gnome-keyring gpg-agent gnupg-gpgconf pass
 RUN --mount=type=bind,target=. \
     --mount=type=cache,target=/root/.cache \
     --mount=type=cache,target=/go/pkg/mod <<EOT
   set -e
-  xx-go test -short -v -coverprofile=/tmp/coverage.txt -covermode=atomic ./...
-  xx-go tool cover -func=/tmp/coverage.txt
+  cp -r .github/workflows/fixtures /root/.gnupg
+  gpg-connect-agent "RELOADAGENT" /bye
+  gpg --import --batch --yes /root/.gnupg/7D851EB72D73BDA0.key
+  echo -e "trust\n5\ny" | gpg --batch --no-tty --command-fd 0 --edit-key 7D851EB72D73BDA0
+  gpg-connect-agent "PRESET_PASSPHRASE 3E2D1142AA59E08E16B7E2C64BA6DDC773B1A627 -1 77697468207374757069642070617373706872617365" /bye
+  gpg-connect-agent "KEYINFO 3E2D1142AA59E08E16B7E2C64BA6DDC773B1A627" /bye
+  gpg-connect-agent "PRESET_PASSPHRASE BA83FC8947213477F28ADC019F6564A956456163 -1 77697468207374757069642070617373706872617365" /bye
+  gpg-connect-agent "KEYINFO BA83FC8947213477F28ADC019F6564A956456163" /bye
+  pass init 7D851EB72D73BDA0
+
+  mkdir /out
+  xx-go test -short -v -coverprofile=/out/coverage.txt -covermode=atomic ./...
+  xx-go tool cover -func=/out/coverage.txt
 EOT
 
 FROM scratch AS test-coverage
-COPY --from=test /tmp/coverage.txt /coverage.txt
+COPY --from=test /out /
 
 FROM base AS build-linux
 ARG TARGETOS
diff --git a/Makefile b/Makefile
index 2f29c749..8a333fa0 100644
--- a/Makefile
+++ b/Makefile
@@ -1,13 +1,9 @@
-.PHONY: all deps osxkeychain secretservice test validate wincred pass deb
+.PHONY: all osxkeychain secretservice test lint validate-vendor fmt validate wincred pass deb vendor
 
-TRAVIS_OS_NAME ?= linux
 VERSION := $(shell grep 'const Version' credentials/version.go | awk -F'"' '{ print $$2 }')
 
 all: test
 
-deps:
-	go get -u golang.org/x/lint/golint
-
 clean:
 	rm -rf bin
 	rm -rf release
@@ -50,28 +46,16 @@ test:
 	# tests all packages except vendor
 	go test -v `go list ./... | grep -v /vendor/`
 
-vet: vet_$(TRAVIS_OS_NAME)
-	go vet ./credentials
-
-vet_win:
-	go vet ./wincred
-
-vet_osx:
-	go vet ./osxkeychain
-
-vet_linux:
-	go vet ./secretservice
-
 lint:
-	for p in `go list ./... | grep -v /vendor/`; do \
-		golint $$p ; \
-	done
+	docker buildx bake lint
+
+validate-vendor:
+	docker buildx bake vendor-validate
 
 fmt:
 	gofmt -s -l `ls **/*.go | grep -v vendor`
 
-validate: vet lint fmt
-
+validate: lint validate-vendor fmt
 
 BUILDIMG:=docker-credential-secretservice-$(VERSION)
 deb:
@@ -84,14 +68,9 @@ deb:
 	docker run --rm --net=none $(BUILDIMG) tar cf - /release | tar xf -
 	docker rmi $(BUILDIMG)
 
-.PHONY: vendor
 vendor:
 	$(eval $@_TMP_OUT := $(shell mktemp -d -t docker-output.XXXXXXXXXX))
 	docker buildx bake --set "*.output=type=local,dest=$($@_TMP_OUT)" vendor
 	rm -rf ./vendor
 	cp -R "$($@_TMP_OUT)"/* .
 	rm -rf "$($@_TMP_OUT)"
-
-.PHONY: validate-vendor
-validate-vendor:
-	docker buildx bake vendor-validate
diff --git a/client/client_test.go b/client/client_test.go
index 649c1ae4..693faaa0 100644
--- a/client/client_test.go
+++ b/client/client_test.go
@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"strings"
 	"testing"
 
@@ -32,7 +31,7 @@ type mockProgram struct {
 // Output returns responses from the remote credentials helper.
 // It mocks those responses based in the input in the mock.
 func (m *mockProgram) Output() ([]byte, error) {
-	in, err := ioutil.ReadAll(m.input)
+	in, err := io.ReadAll(m.input)
 	if err != nil {
 		return nil, err
 	}
@@ -108,8 +107,8 @@ func ExampleStore() {
 
 func TestStore(t *testing.T) {
 	valid := []credentials.Credentials{
-		{validServerAddress, "foo", "bar"},
-		{validServerAddress2, "<token>", "abcd1234"},
+		{ServerURL: validServerAddress, Username: "foo", Secret: "bar"},
+		{ServerURL: validServerAddress2, Username: "<token>", Secret: "abcd1234"},
 	}
 
 	for _, v := range valid {
@@ -119,7 +118,7 @@ func TestStore(t *testing.T) {
 	}
 
 	invalid := []credentials.Credentials{
-		{invalidServerAddress, "foo", "bar"},
+		{ServerURL: invalidServerAddress, Username: "foo", Secret: "bar"},
 	}
 
 	for _, v := range invalid {
@@ -142,8 +141,8 @@ func ExampleGet() {
 
 func TestGet(t *testing.T) {
 	valid := []credentials.Credentials{
-		{validServerAddress, "foo", "bar"},
-		{validServerAddress2, "<token>", "abcd1234"},
+		{ServerURL: validServerAddress, Username: "foo", Secret: "bar"},
+		{ServerURL: validServerAddress2, Username: "<token>", Secret: "abcd1234"},
 	}
 
 	for _, v := range valid {
diff --git a/docker-bake.hcl b/docker-bake.hcl
index 80ecf322..4cc91aef 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -22,15 +22,23 @@ group "default" {
 }
 
 group "validate" {
-  targets = ["vendor-validate"]
+  targets = ["lint", "vendor-validate"]
+}
+
+target "lint" {
+  inherits = ["_common"]
+  target = "lint"
+  output = ["type=cacheonly"]
 }
 
 target "vendor-validate" {
+  inherits = ["_common"]
   target = "vendor-validate"
   output = ["type=cacheonly"]
 }
 
 target "vendor" {
+  inherits = ["_common"]
   target = "vendor-update"
   output = ["."]
 }
diff --git a/pass/pass.go b/pass/pass.go
index 5750a786..6cce15d4 100644
--- a/pass/pass.go
+++ b/pass/pass.go
@@ -9,7 +9,7 @@ import (
 	"encoding/base64"
 	"errors"
 	"fmt"
-	"io/ioutil"
+	"io/fs"
 	"os"
 	"os/exec"
 	"path"
@@ -20,7 +20,7 @@ import (
 )
 
 // PASS_FOLDER contains the directory where credentials are stored
-const PASS_FOLDER = "docker-credential-helpers" //nolint: golint
+const PASS_FOLDER = "docker-credential-helpers" //nolint:revive
 
 // Pass handles secrets using Linux secret-service as a store.
 type Pass struct{}
@@ -116,16 +116,22 @@ func getPassDir() string {
 func listPassDir(args ...string) ([]os.FileInfo, error) {
 	passDir := getPassDir()
 	p := path.Join(append([]string{passDir, PASS_FOLDER}, args...)...)
-	contents, err := ioutil.ReadDir(p)
+	entries, err := os.ReadDir(p)
 	if err != nil {
 		if os.IsNotExist(err) {
 			return []os.FileInfo{}, nil
 		}
-
 		return nil, err
 	}
-
-	return contents, nil
+	infos := make([]fs.FileInfo, 0, len(entries))
+	for _, entry := range entries {
+		info, err := entry.Info()
+		if err != nil {
+			return nil, err
+		}
+		infos = append(infos, info)
+	}
+	return infos, nil
 }
 
 // Get returns the username and secret to use for a given registry server URL.