diff --git a/cmd/cosign/cli/attach/attestation.go b/cmd/cosign/cli/attach/attestation.go index e6f35c7527c..9f928969b4a 100644 --- a/cmd/cosign/cli/attach/attestation.go +++ b/cmd/cosign/cli/attach/attestation.go @@ -21,7 +21,6 @@ import ( "os" "github.com/google/go-containerregistry/pkg/name" - "github.com/pkg/errors" ssldsse "github.com/secure-systems-lab/go-securesystemslib/dsse" "github.com/sigstore/cosign/cmd/cosign/cli/options" "github.com/sigstore/cosign/pkg/oci/mutate" @@ -33,7 +32,7 @@ import ( func AttestationCmd(ctx context.Context, regOpts options.RegistryOptions, signedPayload, imageRef string) error { ociremoteOpts, err := regOpts.ClientOpts(ctx) if err != nil { - return errors.Wrap(err, "constructing client options") + return fmt.Errorf("constructing client options: %w", err) } fmt.Fprintln(os.Stderr, "Using payload from:", signedPayload) diff --git a/cmd/cosign/cli/attest.go b/cmd/cosign/cli/attest.go index ffc30866681..13182b93d31 100644 --- a/cmd/cosign/cli/attest.go +++ b/cmd/cosign/cli/attest.go @@ -16,7 +16,8 @@ package cli import ( - "github.com/pkg/errors" + "fmt" + "github.com/spf13/cobra" "github.com/sigstore/cosign/cmd/cosign/cli/attest" @@ -79,7 +80,7 @@ func Attest() *cobra.Command { for _, img := range args { if err := attest.AttestCmd(cmd.Context(), ko, o.Registry, img, o.Cert, o.CertChain, o.NoUpload, o.Predicate.Path, o.Force, o.Predicate.Type, o.Replace, ro.Timeout); err != nil { - return errors.Wrapf(err, "signing %s", img) + return fmt.Errorf("signing %s: %w", img, err) } } return nil diff --git a/cmd/cosign/cli/attest/attest.go b/cmd/cosign/cli/attest/attest.go index 473064b376f..2442f766e6d 100644 --- a/cmd/cosign/cli/attest/attest.go +++ b/cmd/cosign/cli/attest/attest.go @@ -26,7 +26,6 @@ import ( "github.com/google/go-containerregistry/pkg/name" v1 "github.com/google/go-containerregistry/pkg/v1" - "github.com/pkg/errors" "github.com/sigstore/cosign/cmd/cosign/cli/options" "github.com/sigstore/cosign/cmd/cosign/cli/rekor" @@ -94,7 +93,7 @@ func AttestCmd(ctx context.Context, ko options.KeyOpts, regOpts options.Registry ref, err := name.ParseReference(imageRef) if err != nil { - return errors.Wrap(err, "parsing reference") + return fmt.Errorf("parsing reference: %w", err) } if timeout != 0 { @@ -119,7 +118,7 @@ func AttestCmd(ctx context.Context, ko options.KeyOpts, regOpts options.Registry sv, err := sign.SignerFromKeyOpts(ctx, certPath, certChainPath, ko) if err != nil { - return errors.Wrap(err, "getting signer") + return fmt.Errorf("getting signer: %w", err) } defer sv.Close() wrapped := dsse.WrapSigner(sv, types.IntotoPayloadType) @@ -148,7 +147,7 @@ func AttestCmd(ctx context.Context, ko options.KeyOpts, regOpts options.Registry } signedPayload, err := wrapped.SignMessage(bytes.NewReader(payload), signatureoptions.WithContext(ctx)) if err != nil { - return errors.Wrap(err, "signing") + return fmt.Errorf("signing: %w", err) } if noUpload { diff --git a/cmd/cosign/cli/commands.go b/cmd/cosign/cli/commands.go index 22ae98a9c7c..0d8765cc09c 100644 --- a/cmd/cosign/cli/commands.go +++ b/cmd/cosign/cli/commands.go @@ -16,10 +16,10 @@ package cli import ( + "fmt" "os" "github.com/google/go-containerregistry/pkg/logs" - "github.com/pkg/errors" "github.com/spf13/cobra" "github.com/spf13/pflag" "sigs.k8s.io/release-utils/version" @@ -63,7 +63,7 @@ func New() *cobra.Command { var err error out, err = os.Create(ro.OutputFile) if err != nil { - return errors.Wrapf(err, "Error creating output file %s", ro.OutputFile) + return fmt.Errorf("error creating output file %s: %w", ro.OutputFile, err) } stdout = os.Stdout os.Stdout = out // TODO: don't do this. diff --git a/cmd/cosign/cli/dockerfile/verify.go b/cmd/cosign/cli/dockerfile/verify.go index 72af8be668d..da6cb4412ff 100644 --- a/cmd/cosign/cli/dockerfile/verify.go +++ b/cmd/cosign/cli/dockerfile/verify.go @@ -17,14 +17,13 @@ package dockerfile import ( "bufio" "context" + "errors" "flag" "fmt" "io" "os" "strings" - "github.com/pkg/errors" - "github.com/sigstore/cosign/cmd/cosign/cli/verify" ) diff --git a/cmd/cosign/cli/fulcio/fulcio.go b/cmd/cosign/cli/fulcio/fulcio.go index 689789cc2fe..b0ef7cf5d85 100644 --- a/cmd/cosign/cli/fulcio/fulcio.go +++ b/cmd/cosign/cli/fulcio/fulcio.go @@ -26,7 +26,6 @@ import ( "net/url" "os" - "github.com/pkg/errors" "golang.org/x/term" "github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioroots" @@ -114,7 +113,7 @@ type Signer struct { func NewSigner(ctx context.Context, ko options.KeyOpts) (*Signer, error) { fClient, err := NewClient(ko.FulcioURL) if err != nil { - return nil, errors.Wrap(err, "creating Fulcio client") + return nil, fmt.Errorf("creating Fulcio client: %w", err) } idToken := ko.IDToken @@ -122,13 +121,13 @@ func NewSigner(ctx context.Context, ko options.KeyOpts) (*Signer, error) { if idToken == "" && providers.Enabled(ctx) && !ko.OIDCDisableProviders { idToken, err = providers.Provide(ctx, "sigstore") if err != nil { - return nil, errors.Wrap(err, "fetching ambient OIDC credentials") + return nil, fmt.Errorf("fetching ambient OIDC credentials: %w", err) } } priv, err := cosign.GeneratePrivateKey() if err != nil { - return nil, errors.Wrap(err, "generating cert") + return nil, fmt.Errorf("generating cert: %w", err) } signer, err := signature.LoadECDSASignerVerifier(priv, crypto.SHA256) if err != nil { @@ -151,7 +150,7 @@ func NewSigner(ctx context.Context, ko options.KeyOpts) (*Signer, error) { } Resp, err := GetCert(ctx, priv, idToken, flow, ko.OIDCIssuer, ko.OIDCClientID, ko.OIDCClientSecret, ko.OIDCRedirectURL, fClient) // TODO, use the chain. if err != nil { - return nil, errors.Wrap(err, "retrieving cert") + return nil, fmt.Errorf("retrieving cert: %w", err) } f := &Signer{ diff --git a/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go b/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go index c0890bd77c2..c77378a9b3a 100644 --- a/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go +++ b/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go @@ -19,10 +19,11 @@ import ( "bytes" "context" "crypto/x509" + "errors" + "fmt" "os" "sync" - "github.com/pkg/errors" "github.com/sigstore/cosign/pkg/cosign/tuf" "github.com/sigstore/sigstore/pkg/cryptoutils" ) @@ -90,11 +91,11 @@ func initRoots() (*x509.CertPool, *x509.CertPool, error) { if rootEnv != "" { raw, err := os.ReadFile(rootEnv) if err != nil { - return nil, nil, errors.Wrap(err, "error reading root PEM file") + return nil, nil, fmt.Errorf("error reading root PEM file: %w", err) } certs, err := cryptoutils.UnmarshalCertificatesFromPEM(raw) if err != nil { - return nil, nil, errors.Wrap(err, "error unmarshalling certificates") + return nil, nil, fmt.Errorf("error unmarshalling certificates: %w", err) } for _, cert := range certs { // root certificates are self-signed @@ -113,7 +114,7 @@ func initRoots() (*x509.CertPool, *x509.CertPool, error) { } else { tufClient, err := tuf.NewFromEnv(context.Background()) if err != nil { - return nil, nil, errors.Wrap(err, "initializing tuf") + return nil, nil, fmt.Errorf("initializing tuf: %w", err) } defer tufClient.Close() // Retrieve from the embedded or cached TUF root. If expired, a network @@ -128,7 +129,7 @@ func initRoots() (*x509.CertPool, *x509.CertPool, error) { for _, t := range targets { certs, err := cryptoutils.UnmarshalCertificatesFromPEM(t.Target) if err != nil { - return nil, nil, errors.Wrap(err, "error unmarshalling certificates") + return nil, nil, fmt.Errorf("error unmarshalling certificates: %w", err) } for _, cert := range certs { // root certificates are self-signed diff --git a/cmd/cosign/cli/fulcio/fulcioverifier/ctl/verify.go b/cmd/cosign/cli/fulcio/fulcioverifier/ctl/verify.go index c2af470cc21..4031d6ae87a 100644 --- a/cmd/cosign/cli/fulcio/fulcioverifier/ctl/verify.go +++ b/cmd/cosign/cli/fulcio/fulcioverifier/ctl/verify.go @@ -21,13 +21,13 @@ import ( "crypto/x509" "encoding/json" "encoding/pem" + "errors" "fmt" "os" ct "github.com/google/certificate-transparency-go" ctx509 "github.com/google/certificate-transparency-go/x509" "github.com/google/certificate-transparency-go/x509util" - "github.com/pkg/errors" "github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioverifier/ctutil" "github.com/sigstore/cosign/pkg/cosign/tuf" @@ -94,7 +94,7 @@ func VerifySCT(ctx context.Context, certPEM, chainPEM, rawSCT []byte) error { } keyID, err := ctutil.GetCTLogID(pub) if err != nil { - return errors.Wrap(err, "error getting CTFE public key hash") + return fmt.Errorf("error getting CTFE public key hash") } pubKeys[keyID] = logIDMetadata{pub, t.Status} } @@ -102,15 +102,15 @@ func VerifySCT(ctx context.Context, certPEM, chainPEM, rawSCT []byte) error { fmt.Fprintf(os.Stderr, "**Warning** Using a non-standard public key for verifying SCT: %s\n", rootEnv) raw, err := os.ReadFile(rootEnv) if err != nil { - return errors.Wrap(err, "error reading alternate public key file") + return fmt.Errorf("error reading alternate public key file") } pubKey, err := getPublicKey(raw) if err != nil { - return errors.Wrap(err, "error parsing alternate public key from the file") + return fmt.Errorf("error parsing alternate public key from the file") } keyID, err := ctutil.GetCTLogID(pubKey) if err != nil { - return errors.Wrap(err, "error getting CTFE public key hash") + return fmt.Errorf("error getting CTFE public key hash") } pubKeys[keyID] = logIDMetadata{pubKey, tuf.Active} } @@ -150,7 +150,7 @@ func VerifySCT(ctx context.Context, certPEM, chainPEM, rawSCT []byte) error { } err := ctutil.VerifySCT(pubKeyMetadata.pubKey, []*ctx509.Certificate{cert, certChain[0]}, sct, true) if err != nil { - return errors.Wrap(err, "error verifying embedded SCT") + return fmt.Errorf("error verifying embedded SCT") } if pubKeyMetadata.status != tuf.Active { fmt.Fprintf(os.Stderr, "**Info** Successfully verified embedded SCT using an expired verification key\n") @@ -162,7 +162,7 @@ func VerifySCT(ctx context.Context, certPEM, chainPEM, rawSCT []byte) error { // check SCT in response header var addChainResp ct.AddChainResponse if err := json.Unmarshal(rawSCT, &addChainResp); err != nil { - return errors.Wrap(err, "unmarshal") + return fmt.Errorf("unmarshal") } sct, err := addChainResp.ToSignedCertificateTimestamp() if err != nil { @@ -174,7 +174,7 @@ func VerifySCT(ctx context.Context, certPEM, chainPEM, rawSCT []byte) error { } err = ctutil.VerifySCT(pubKeyMetadata.pubKey, []*ctx509.Certificate{cert}, sct, false) if err != nil { - return errors.Wrap(err, "error verifying SCT") + return fmt.Errorf("error verifying SCT") } if pubKeyMetadata.status != tuf.Active { fmt.Fprintf(os.Stderr, "**Info** Successfully verified SCT using an expired verification key\n") @@ -217,7 +217,7 @@ func getPublicKey(in []byte) (crypto.PublicKey, error) { // Try using the PKCS1 before giving up. pubKey, err = x509.ParsePKCS1PublicKey(derBytes) if err != nil { - return nil, errors.Wrap(err, "failed to parse CT log public key") + return nil, fmt.Errorf("failed to parse CT log public key: %w", err) } } return pubKey, nil diff --git a/cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier.go b/cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier.go index c2905ec12a9..0c8f8ccb7e1 100644 --- a/cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier.go +++ b/cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier.go @@ -20,8 +20,6 @@ import ( "fmt" "os" - "github.com/pkg/errors" - "github.com/sigstore/cosign/cmd/cosign/cli/fulcio" "github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioverifier/ctl" "github.com/sigstore/cosign/cmd/cosign/cli/options" @@ -35,7 +33,7 @@ func NewSigner(ctx context.Context, ko options.KeyOpts) (*fulcio.Signer, error) // verify the sct if err := ctl.VerifySCT(ctx, fs.Cert, fs.Chain, fs.SCT); err != nil { - return nil, errors.Wrap(err, "verifying SCT") + return nil, fmt.Errorf("verifying SCT: %w", err) } fmt.Fprintln(os.Stderr, "Successfully verified SCT...") diff --git a/cmd/cosign/cli/generate/generate_key_pair.go b/cmd/cosign/cli/generate/generate_key_pair.go index fc98a86fbd5..95f373e8b7f 100644 --- a/cmd/cosign/cli/generate/generate_key_pair.go +++ b/cmd/cosign/cli/generate/generate_key_pair.go @@ -18,12 +18,12 @@ package generate import ( "context" "crypto" + "errors" "fmt" "io" "os" "strings" - "github.com/pkg/errors" "github.com/sigstore/cosign/pkg/cosign/git" "github.com/sigstore/cosign/pkg/cosign/git/github" "github.com/sigstore/cosign/pkg/cosign/git/gitlab" @@ -48,7 +48,7 @@ func GenerateKeyPairCmd(ctx context.Context, kmsVal string, args []string) error } pubKey, err := k.CreateKey(ctx, k.DefaultAlgorithm()) if err != nil { - return errors.Wrap(err, "creating key") + return fmt.Errorf("creating key: %w", err) } pemBytes, err := cryptoutils.MarshalPublicKeyToPEM(pubKey) if err != nil { diff --git a/cmd/cosign/cli/load.go b/cmd/cosign/cli/load.go index 1a2a6db7117..26c8b1ecb42 100644 --- a/cmd/cosign/cli/load.go +++ b/cmd/cosign/cli/load.go @@ -17,9 +17,9 @@ package cli import ( "context" + "fmt" "github.com/google/go-containerregistry/pkg/name" - "github.com/pkg/errors" "github.com/sigstore/cosign/cmd/cosign/cli/options" "github.com/sigstore/cosign/pkg/oci/layout" "github.com/sigstore/cosign/pkg/oci/remote" @@ -47,13 +47,13 @@ func Load() *cobra.Command { func LoadCmd(ctx context.Context, opts options.LoadOptions, imageRef string) error { ref, err := name.ParseReference(imageRef) if err != nil { - return errors.Wrapf(err, "parsing image name %s", imageRef) + return fmt.Errorf("parsing image name %s: %w", imageRef, err) } // get the signed image from disk sii, err := layout.SignedImageIndex(opts.Directory) if err != nil { - return errors.Wrap(err, "signed image index") + return fmt.Errorf("signed image index: %w", err) } return remote.WriteSignedImageIndexImages(ref, sii) } diff --git a/cmd/cosign/cli/manifest/verify.go b/cmd/cosign/cli/manifest/verify.go index ad086a8d0f5..3129918cdea 100644 --- a/cmd/cosign/cli/manifest/verify.go +++ b/cmd/cosign/cli/manifest/verify.go @@ -17,6 +17,7 @@ package manifest import ( "bytes" "context" + "errors" "flag" "fmt" "io" @@ -24,7 +25,6 @@ import ( "path/filepath" "strings" - "github.com/pkg/errors" "k8s.io/apimachinery/pkg/util/yaml" "github.com/sigstore/cosign/cmd/cosign/cli/verify" @@ -45,7 +45,7 @@ func (c *VerifyManifestCommand) Exec(ctx context.Context, args []string) error { err := isExtensionAllowed(manifestPath) if err != nil { - return errors.Wrap(err, "check if extension is valid") + return fmt.Errorf("check if extension is valid: %w", err) } manifest, err := os.ReadFile(manifestPath) if err != nil { diff --git a/cmd/cosign/cli/options/oidc.go b/cmd/cosign/cli/options/oidc.go index 848706487f5..b5c87fb2158 100644 --- a/cmd/cosign/cli/options/oidc.go +++ b/cmd/cosign/cli/options/oidc.go @@ -21,7 +21,6 @@ import ( "strings" "unicode/utf8" - "github.com/pkg/errors" "github.com/spf13/cobra" ) @@ -40,7 +39,7 @@ func (o *OIDCOptions) ClientSecret() (string, error) { if o.clientSecretFile != "" { clientSecretBytes, err := os.ReadFile(o.clientSecretFile) if err != nil { - return "", errors.Wrap(err, "reading OIDC client secret") + return "", fmt.Errorf("reading OIDC client secret: %w", err) } if !utf8.Valid(clientSecretBytes) { return "", fmt.Errorf("OIDC client secret in file %s not valid utf8", o.clientSecretFile) diff --git a/cmd/cosign/cli/pkcs11cli/commands.go b/cmd/cosign/cli/pkcs11cli/commands.go index 5d478dd828f..76193afd23c 100644 --- a/cmd/cosign/cli/pkcs11cli/commands.go +++ b/cmd/cosign/cli/pkcs11cli/commands.go @@ -20,6 +20,7 @@ package pkcs11cli import ( "context" "encoding/hex" + "errors" "flag" "fmt" "os" @@ -27,7 +28,6 @@ import ( "syscall" "github.com/miekg/pkcs11" - "github.com/pkg/errors" "github.com/sigstore/cosign/pkg/cosign/pkcs11key" "golang.org/x/term" ) @@ -57,7 +57,7 @@ func GetTokens(_ context.Context, modulePath string) ([]Token, error) { } err := p.Initialize() if err != nil { - return nil, errors.Wrap(err, "initialize PKCS11 module") + return nil, fmt.Errorf("initialize PKCS11 module: %w", err) } defer p.Destroy() defer p.Finalize() @@ -65,7 +65,7 @@ func GetTokens(_ context.Context, modulePath string) ([]Token, error) { // Get list of all slots with a token, and get info of each. slots, err := p.GetSlotList(true) if err != nil { - return nil, errors.Wrap(err, "get slot list") + return nil, fmt.Errorf("get slot list: %w", err) } for _, slot := range slots { tokenInfo, err := p.GetTokenInfo(slot) @@ -92,7 +92,7 @@ func GetKeysInfo(_ context.Context, modulePath string, slotID uint, pin string) } err := ctx.Initialize() if err != nil { - return nil, errors.Wrap(err, "initialize PKCS11 module") + return nil, fmt.Errorf("initialize PKCS11 module: %w", err) } defer ctx.Destroy() defer ctx.Finalize() @@ -101,7 +101,7 @@ func GetKeysInfo(_ context.Context, modulePath string, slotID uint, pin string) var tokenInfo pkcs11.TokenInfo tokenInfo, err = ctx.GetTokenInfo(uint(slotID)) if err != nil { - return nil, errors.Wrap(err, "get token info") + return nil, fmt.Errorf("get token info: %w", err) } // If pin was not given, check COSIGN_PKCS11_PIN environment variable. @@ -117,7 +117,7 @@ func GetKeysInfo(_ context.Context, modulePath string, slotID uint, pin string) // nolint:unconvert b, err := term.ReadPassword(int(syscall.Stdin)) if err != nil { - return nil, errors.Wrap(err, "get pin") + return nil, fmt.Errorf("get pin: %w", err) } pin = string(b) } @@ -127,14 +127,14 @@ func GetKeysInfo(_ context.Context, modulePath string, slotID uint, pin string) // Open a new session to the token. session, err := ctx.OpenSession(slotID, pkcs11.CKF_SERIAL_SESSION|pkcs11.CKF_RW_SESSION) if err != nil { - return nil, errors.Wrap(err, "open session") + return nil, fmt.Errorf("open session: %w", err) } defer ctx.CloseSession(session) // Login user. err = ctx.Login(session, pkcs11.CKU_USER, pin) if err != nil { - return nil, errors.Wrap(err, "login") + return nil, fmt.Errorf("login: %w", err) } defer ctx.Logout(session) @@ -145,22 +145,22 @@ func GetKeysInfo(_ context.Context, modulePath string, slotID uint, pin string) pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_PRIVATE_KEY), } if err = ctx.FindObjectsInit(session, findAttributes); err != nil { - return nil, errors.Wrap(err, "init find objects") + return nil, fmt.Errorf("init find objects: %w", err) } newhandles, _, err := ctx.FindObjects(session, maxHandlePerFind) if err != nil { - return nil, errors.Wrap(err, "find objects") + return nil, fmt.Errorf("find objects: %w", err) } for len(newhandles) > 0 { handles = append(handles, newhandles...) newhandles, _, err = ctx.FindObjects(session, maxHandlePerFind) if err != nil { - return nil, errors.Wrap(err, "find objects") + return nil, fmt.Errorf("find objects: %w", err) } } err = ctx.FindObjectsFinal(session) if err != nil { - return nil, errors.Wrap(err, "finalize find objects") + return nil, fmt.Errorf("finalize find objects: %w", err) } // For each private key, get key label and key id then construct uri. @@ -172,7 +172,7 @@ func GetKeysInfo(_ context.Context, modulePath string, slotID uint, pin string) pkcs11.NewAttribute(pkcs11.CKA_LABEL, nil), } if attributes, err = ctx.GetAttributeValue(session, handle, attributes); err != nil { - return nil, errors.Wrap(err, "get attributes") + return nil, fmt.Errorf("get attributes: %w", err) } keyID := attributes[0].Value keyLabel := attributes[1].Value @@ -187,7 +187,7 @@ func GetKeysInfo(_ context.Context, modulePath string, slotID uint, pin string) pkcs11Uri := pkcs11key.NewPkcs11UriConfigFromInput(modulePath, &slotIDInt, tokenInfo.Label, keyLabel, keyID, pin) pkcs11UriStr, err := pkcs11Uri.Construct() if err != nil { - return nil, errors.Wrap(err, "construct pkcs11 uri") + return nil, fmt.Errorf("construct pkcs11 uri: %w", err) } if keyLabel != nil && len(keyLabel) != 0 { diff --git a/cmd/cosign/cli/policy_init.go b/cmd/cosign/cli/policy_init.go index 89e100c36d0..a4ab3710891 100644 --- a/cmd/cosign/cli/policy_init.go +++ b/cmd/cosign/cli/policy_init.go @@ -20,6 +20,7 @@ import ( "context" "encoding/base64" "encoding/json" + "errors" "fmt" "io" "net/mail" @@ -31,7 +32,6 @@ import ( "github.com/google/go-containerregistry/pkg/authn" "github.com/google/go-containerregistry/pkg/name" "github.com/google/go-containerregistry/pkg/v1/remote" - "github.com/pkg/errors" "github.com/sigstore/cosign/cmd/cosign/cli/options" "github.com/sigstore/cosign/cmd/cosign/cli/rekor" "github.com/sigstore/cosign/cmd/cosign/cli/sign" @@ -135,7 +135,7 @@ func initPolicy() *cobra.Command { outfile = o.OutFile err = os.WriteFile(o.OutFile, policyFile, 0600) if err != nil { - return errors.Wrapf(err, "error writing to %s", outfile) + return fmt.Errorf("error writing to %s: %w", outfile, err) } } else { tempFile, err := os.CreateTemp("", "root") @@ -226,24 +226,24 @@ func signPolicy() *cobra.Command { result := &bytes.Buffer{} if err := sget.New(imgName+"@"+dgst.String(), "", result).Do(ctx); err != nil { - return errors.Wrap(err, "error getting result") + return fmt.Errorf("error getting result: %w", err) } b, err := io.ReadAll(result) if err != nil { - return errors.Wrap(err, "error reading bytes from root.json") + return fmt.Errorf("error reading bytes from root.json: %w", err) } // Unmarshal policy and verify that Fulcio signer email is in the trusted signed := &tuf.Signed{} if err := json.Unmarshal(b, signed); err != nil { - return errors.Wrap(err, "unmarshalling signed root policy") + return fmt.Errorf("unmarshalling signed root policy: %w", err) } // Create and add signature key := tuf.FulcioVerificationKey(signerEmail, signerIssuer) sig, err := sv.SignMessage(bytes.NewReader(signed.Signed), signatureoptions.WithContext(ctx)) if err != nil { - return errors.Wrap(err, "error occurred while during artifact signing") + return fmt.Errorf("error occurred while during artifact signing): %w", err) } signature := tuf.Signature{ Signature: base64.StdEncoding.EncodeToString(sig), @@ -279,7 +279,7 @@ func signPolicy() *cobra.Command { outfile = o.OutFile err = os.WriteFile(o.OutFile, policyFile, 0600) if err != nil { - return errors.Wrapf(err, "error writing to %s", outfile) + return fmt.Errorf("error writing to %s: %w", outfile, err) } } else { tempFile, err := os.CreateTemp("", "root") diff --git a/cmd/cosign/cli/publickey/public_key.go b/cmd/cosign/cli/publickey/public_key.go index 24e8f94ee08..164b2a81948 100644 --- a/cmd/cosign/cli/publickey/public_key.go +++ b/cmd/cosign/cli/publickey/public_key.go @@ -21,8 +21,6 @@ import ( "io" "os" - "github.com/pkg/errors" - "github.com/sigstore/cosign/pkg/cosign" "github.com/sigstore/cosign/pkg/cosign/pivkey" "github.com/sigstore/cosign/pkg/cosign/pkcs11key" @@ -58,12 +56,12 @@ func GetPublicKey(ctx context.Context, opts Pkopts, writer NamedWriter, pf cosig case opts.Sk: sk, err := pivkey.GetKeyWithSlot(opts.Slot) if err != nil { - return errors.Wrap(err, "opening piv token") + return fmt.Errorf("opening piv token: %w", err) } defer sk.Close() pk, err := sk.Verifier() if err != nil { - return errors.Wrap(err, "initializing piv token verifier") + return fmt.Errorf("initializing piv token verifier: %w", err) } k = pk } diff --git a/cmd/cosign/cli/save.go b/cmd/cosign/cli/save.go index f081393e4f9..e72f8688cd9 100644 --- a/cmd/cosign/cli/save.go +++ b/cmd/cosign/cli/save.go @@ -17,9 +17,10 @@ package cli import ( "context" + "errors" + "fmt" "github.com/google/go-containerregistry/pkg/name" - "github.com/pkg/errors" "github.com/sigstore/cosign/cmd/cosign/cli/options" "github.com/sigstore/cosign/pkg/oci" "github.com/sigstore/cosign/pkg/oci/layout" @@ -48,18 +49,18 @@ func Save() *cobra.Command { func SaveCmd(ctx context.Context, opts options.SaveOptions, imageRef string) error { ref, err := name.ParseReference(imageRef) if err != nil { - return errors.Wrapf(err, "parsing image name %s", imageRef) + return fmt.Errorf("parsing image name %s: %w", imageRef, err) } se, err := ociremote.SignedEntity(ref) if err != nil { - return errors.Wrap(err, "signed entity") + return fmt.Errorf("signed entity: %w", err) } if _, ok := se.(oci.SignedImage); ok { si, err := ociremote.SignedImage(ref) if err != nil { - return errors.Wrap(err, "getting signed image") + return fmt.Errorf("getting signed image: %w", err) } return layout.WriteSignedImage(opts.Directory, si) } @@ -67,7 +68,7 @@ func SaveCmd(ctx context.Context, opts options.SaveOptions, imageRef string) err if _, ok := se.(oci.SignedImageIndex); ok { sii, err := ociremote.SignedImageIndex(ref) if err != nil { - return errors.Wrap(err, "getting signed image index") + return fmt.Errorf("getting signed image index: %w", err) } return layout.WriteSignedImageIndex(opts.Directory, sii) } diff --git a/cmd/cosign/cli/sign.go b/cmd/cosign/cli/sign.go index 620825f7031..f9355b2891c 100644 --- a/cmd/cosign/cli/sign.go +++ b/cmd/cosign/cli/sign.go @@ -17,8 +17,8 @@ package cli import ( "flag" + "fmt" - "github.com/pkg/errors" "github.com/spf13/cobra" "github.com/sigstore/cosign/cmd/cosign/cli/generate" @@ -104,9 +104,9 @@ func Sign() *cobra.Command { if err := sign.SignCmd(ro, ko, o.Registry, annotationsMap.Annotations, args, o.Cert, o.CertChain, o.Upload, o.OutputSignature, o.OutputCertificate, o.PayloadPath, o.Force, o.Recursive, o.Attachment); err != nil { if o.Attachment == "" { - return errors.Wrapf(err, "signing %v", args) + return fmt.Errorf("signing %v: %w", args, err) } - return errors.Wrapf(err, "signing attachment %s for image %v", o.Attachment, args) + return fmt.Errorf("signing attachment %s for image %v: %w", o.Attachment, args, err) } return nil }, diff --git a/cmd/cosign/cli/sign/sign.go b/cmd/cosign/cli/sign/sign.go index b76a0dbd4e4..43aa11dfae8 100644 --- a/cmd/cosign/cli/sign/sign.go +++ b/cmd/cosign/cli/sign/sign.go @@ -20,6 +20,7 @@ import ( "context" "crypto/x509" "encoding/pem" + "errors" "fmt" "os" "path/filepath" @@ -28,7 +29,6 @@ import ( "github.com/google/go-containerregistry/pkg/name" v1 "github.com/google/go-containerregistry/pkg/v1" "github.com/google/go-containerregistry/pkg/v1/remote" - "github.com/pkg/errors" "github.com/sigstore/cosign/cmd/cosign/cli/fulcio" "github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioverifier" @@ -113,7 +113,7 @@ func SignCmd(ro *options.RootOptions, ko options.KeyOpts, regOpts options.Regist sv, err := SignerFromKeyOpts(ctx, certPath, certChainPath, ko) if err != nil { - return errors.Wrap(err, "getting signer") + return fmt.Errorf("getting signer: %w", err) } defer sv.Close() dd := cremote.NewDupeDetector(sv) @@ -123,7 +123,7 @@ func SignCmd(ro *options.RootOptions, ko options.KeyOpts, regOpts options.Regist fmt.Fprintln(os.Stderr, "Using payload from:", payloadPath) staticPayload, err = os.ReadFile(filepath.Clean(payloadPath)) if err != nil { - return errors.Wrap(err, "payload from file") + return fmt.Errorf("payload from file: %w", err) } } @@ -136,11 +136,11 @@ func SignCmd(ro *options.RootOptions, ko options.KeyOpts, regOpts options.Regist for _, inputImg := range imgs { ref, err := name.ParseReference(inputImg) if err != nil { - return errors.Wrap(err, "parsing reference") + return fmt.Errorf("parsing reference: %w", err) } opts, err := regOpts.ClientOpts(ctx) if err != nil { - return errors.Wrap(err, "constructing client options") + return fmt.Errorf("constructing client options: %w", err) } ref, err = GetAttachedImageRef(ref, attachment, opts...) if err != nil { @@ -150,35 +150,35 @@ func SignCmd(ro *options.RootOptions, ko options.KeyOpts, regOpts options.Regist if digest, ok := ref.(name.Digest); ok && !recursive { se, err := ociremote.SignedEntity(ref, opts...) if err != nil { - return errors.Wrap(err, "accessing image") + return fmt.Errorf("accessing image: %w", err) } err = signDigest(ctx, digest, staticPayload, ko, regOpts, annotations, upload, outputSignature, outputCertificate, force, recursive, dd, sv, se) if err != nil { - return errors.Wrap(err, "signing digest") + return fmt.Errorf("signing digest: %w", err) } continue } se, err := ociremote.SignedEntity(ref, opts...) if err != nil { - return errors.Wrap(err, "accessing entity") + return fmt.Errorf("accessing entity: %w", err) } if err := walk.SignedEntity(ctx, se, func(ctx context.Context, se oci.SignedEntity) error { // Get the digest for this entity in our walk. d, err := se.(interface{ Digest() (v1.Hash, error) }).Digest() if err != nil { - return errors.Wrap(err, "computing digest") + return fmt.Errorf("computing digest: %w", err) } digest := ref.Context().Digest(d.String()) err = signDigest(ctx, digest, staticPayload, ko, regOpts, annotations, upload, outputSignature, outputCertificate, force, recursive, dd, sv, se) if err != nil { - return errors.Wrap(err, "signing digest") + return fmt.Errorf("signing digest: %w", err) } return ErrDone }); err != nil { - return errors.Wrap(err, "recursively signing") + return fmt.Errorf("recursively signing: %w", err) } } @@ -196,7 +196,7 @@ func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko opti Annotations: annotations, }).MarshalJSON() if err != nil { - return errors.Wrap(err, "payload") + return fmt.Errorf("payload: %w", err) } } @@ -229,18 +229,18 @@ func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko opti outputSignature = fmt.Sprintf("%s-%s", outputSignature, strings.Replace(digest.DigestStr(), ":", "-", 1)) } if err := os.WriteFile(outputSignature, []byte(b64sig), 0600); err != nil { - return errors.Wrap(err, "create signature file") + return fmt.Errorf("create signature file: %w", err) } } if outputCertificate != "" { rekorBytes, err := sv.Bytes(ctx) if err != nil { - return errors.Wrap(err, "create certificate file") + return fmt.Errorf("create certificate file: %w", err) } if err := os.WriteFile(outputCertificate, rekorBytes, 0600); err != nil { - return errors.Wrap(err, "create certificate file") + return fmt.Errorf("create certificate file: %w", err) } // TODO: maybe accept a --b64 flag as well? fmt.Printf("Certificate wrote in the file %s\n", outputCertificate) @@ -259,7 +259,7 @@ func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko opti // Publish the signatures associated with this entity walkOpts, err := regOpts.ClientOpts(ctx) if err != nil { - return errors.Wrap(err, "constructing client options") + return fmt.Errorf("constructing client options: %w", err) } // Check if we are overriding the signatures repository location @@ -315,7 +315,7 @@ func signerFromSecurityKey(keySlot string) (*SignerVerifier, error) { func signerFromKeyRef(ctx context.Context, certPath, certChainPath, keyRef string, passFunc cosign.PassFunc) (*SignerVerifier, error) { k, err := sigs.SignerVerifierFromKeyRef(ctx, keyRef, passFunc) if err != nil { - return nil, errors.Wrap(err, "reading key") + return nil, fmt.Errorf("reading key: %w", err) } certSigner := &SignerVerifier{ SignerVerifier: k, @@ -359,7 +359,7 @@ func signerFromKeyRef(ctx context.Context, certPath, certChainPath, keyRef strin // Allow both DER and PEM encoding certBytes, err := os.ReadFile(certPath) if err != nil { - return nil, errors.Wrap(err, "read certificate") + return nil, fmt.Errorf("read certificate: %w", err) } // Handle PEM if bytes.HasPrefix(certBytes, []byte("-----")) { @@ -371,18 +371,18 @@ func signerFromKeyRef(ctx context.Context, certPath, certChainPath, keyRef strin } parsedCert, err := x509.ParseCertificate(certBytes) if err != nil { - return nil, errors.Wrap(err, "parse x509 certificate") + return nil, fmt.Errorf("parse x509 certificate: %w", err) } pk, err := k.PublicKey() if err != nil { - return nil, errors.Wrap(err, "get public key") + return nil, fmt.Errorf("get public key: %w", err) } if cryptoutils.EqualKeys(pk, parsedCert.PublicKey) != nil { return nil, errors.New("public key in certificate does not match the provided public key") } pemBytes, err := cryptoutils.MarshalCertificateToPEM(parsedCert) if err != nil { - return nil, errors.Wrap(err, "marshaling certificate to PEM") + return nil, fmt.Errorf("marshaling certificate to PEM: %w", err) } if certSigner.Cert != nil { fmt.Fprintln(os.Stderr, "warning: overriding x509 certificate retrieved from the PKCS11 token") @@ -401,11 +401,11 @@ func signerFromKeyRef(ctx context.Context, certPath, certChainPath, keyRef strin // Accept only PEM encoded certificate chain certChainBytes, err := os.ReadFile(certChainPath) if err != nil { - return nil, errors.Wrap(err, "reading certificate chain from path") + return nil, fmt.Errorf("reading certificate chain from path: %w", err) } certChain, err := cryptoutils.LoadCertificatesFromPEM(bytes.NewReader(certChainBytes)) if err != nil { - return nil, errors.Wrap(err, "loading certificate chain") + return nil, fmt.Errorf("loading certificate chain: %w", err) } if len(certChain) == 0 { return nil, errors.New("no certificates in certificate chain") @@ -418,7 +418,7 @@ func signerFromKeyRef(ctx context.Context, certPath, certChainPath, keyRef strin subPool.AddCert(c) } if _, err := cosign.TrustedCert(leafCert, rootPool, subPool); err != nil { - return nil, errors.Wrap(err, "unable to validate certificate chain") + return nil, fmt.Errorf("unable to validate certificate chain: %w", err) } // Verify SCT if present in the leaf certificate. contains, err := ctl.ContainsSCT(leafCert.Raw) @@ -446,11 +446,11 @@ func keylessSigner(ctx context.Context, ko options.KeyOpts) (*SignerVerifier, er if ko.InsecureSkipFulcioVerify { if k, err = fulcio.NewSigner(ctx, ko); err != nil { - return nil, errors.Wrap(err, "getting key from Fulcio") + return nil, fmt.Errorf("getting key from Fulcio: %w", err) } } else { if k, err = fulcioverifier.NewSigner(ctx, ko); err != nil { - return nil, errors.Wrap(err, "getting key from Fulcio") + return nil, fmt.Errorf("getting key from Fulcio: %w", err) } } diff --git a/cmd/cosign/cli/sign/sign_blob.go b/cmd/cosign/cli/sign/sign_blob.go index 401922b21d1..f623613c78c 100644 --- a/cmd/cosign/cli/sign/sign_blob.go +++ b/cmd/cosign/cli/sign/sign_blob.go @@ -25,7 +25,6 @@ import ( "os" "path/filepath" - "github.com/pkg/errors" cbundle "github.com/sigstore/cosign/pkg/cosign/bundle" "github.com/sigstore/cosign/cmd/cosign/cli/options" @@ -61,7 +60,7 @@ func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, regOpts options.Re sig, err := sv.SignMessage(bytes.NewReader(payload), signatureoptions.WithContext(ctx)) if err != nil { - return nil, errors.Wrap(err, "signing blob") + return nil, fmt.Errorf("signing blob: %w", err) } signedPayload := cosign.LocalSignedPayload{} @@ -101,7 +100,7 @@ func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, regOpts options.Re bts = []byte(base64.StdEncoding.EncodeToString(sig)) } if err := os.WriteFile(outputSignature, bts, 0600); err != nil { - return nil, errors.Wrap(err, "create signature file") + return nil, fmt.Errorf("create signature file: %w", err) } fmt.Printf("Signature wrote in the file %s\n", outputSignature) @@ -121,7 +120,7 @@ func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, regOpts options.Re bts = []byte(base64.StdEncoding.EncodeToString(rekorBytes)) } if err := os.WriteFile(outputCertificate, bts, 0600); err != nil { - return nil, errors.Wrap(err, "create certificate file") + return nil, fmt.Errorf("create certificate file: %w", err) } fmt.Printf("Certificate wrote in the file %s\n", outputCertificate) } diff --git a/cmd/cosign/cli/signblob.go b/cmd/cosign/cli/signblob.go index 8e80b6f7b12..e6bea6d1924 100644 --- a/cmd/cosign/cli/signblob.go +++ b/cmd/cosign/cli/signblob.go @@ -19,7 +19,6 @@ import ( "fmt" "os" - "github.com/pkg/errors" "github.com/sigstore/cosign/cmd/cosign/cli/generate" "github.com/sigstore/cosign/cmd/cosign/cli/options" "github.com/sigstore/cosign/cmd/cosign/cli/sign" @@ -91,7 +90,7 @@ func SignBlob() *cobra.Command { o.OutputSignature = o.Output } if _, err := sign.SignBlobCmd(ro, ko, o.Registry, blob, o.Base64Output, o.OutputSignature, o.OutputCertificate); err != nil { - return errors.Wrapf(err, "signing %s", blob) + return fmt.Errorf("signing %s: %w", blob, err) } } return nil diff --git a/cmd/cosign/cli/triangulate/triangulate.go b/cmd/cosign/cli/triangulate/triangulate.go index b223d128518..00828575e4e 100644 --- a/cmd/cosign/cli/triangulate/triangulate.go +++ b/cmd/cosign/cli/triangulate/triangulate.go @@ -20,7 +20,6 @@ import ( "fmt" "github.com/google/go-containerregistry/pkg/name" - "github.com/pkg/errors" "github.com/sigstore/cosign/cmd/cosign/cli/options" "github.com/sigstore/cosign/pkg/cosign" ociremote "github.com/sigstore/cosign/pkg/oci/remote" @@ -34,7 +33,7 @@ func MungeCmd(ctx context.Context, regOpts options.RegistryOptions, imageRef str ociremoteOpts, err := regOpts.ClientOpts(ctx) if err != nil { - return errors.Wrap(err, "constructing client options") + return fmt.Errorf("constructing client options: %w", err) } var dstRef name.Tag diff --git a/cmd/cosign/cli/verify.go b/cmd/cosign/cli/verify.go index 6f180e7c549..7a365cfd158 100644 --- a/cmd/cosign/cli/verify.go +++ b/cmd/cosign/cli/verify.go @@ -16,7 +16,8 @@ package cli import ( - "github.com/pkg/errors" + "fmt" + "github.com/spf13/cobra" "github.com/sigstore/cosign/cmd/cosign/cli/options" @@ -258,7 +259,7 @@ The blob may be specified as a path to a file or - for stdin.`, if err := verify.VerifyBlobCmd(cmd.Context(), ko, o.CertVerify.Cert, o.CertVerify.CertEmail, o.CertVerify.CertOidcIssuer, o.CertVerify.CertChain, o.Signature, args[0], o.CertVerify.EnforceSCT); err != nil { - return errors.Wrapf(err, "verifying blob %s", args) + return fmt.Errorf("verifying blob %s: %w", args, err) } return nil }, diff --git a/cmd/cosign/cli/verify/verify.go b/cmd/cosign/cli/verify/verify.go index 7c2f8f526cb..e7d524c9332 100644 --- a/cmd/cosign/cli/verify/verify.go +++ b/cmd/cosign/cli/verify/verify.go @@ -22,12 +22,12 @@ import ( "crypto/x509" "encoding/base64" "encoding/json" + "errors" "flag" "fmt" "os" "github.com/google/go-containerregistry/pkg/name" - "github.com/pkg/errors" "github.com/sigstore/cosign/cmd/cosign/cli/fulcio" "github.com/sigstore/cosign/cmd/cosign/cli/options" @@ -89,7 +89,7 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) { } ociremoteOpts, err := c.ClientOpts(ctx) if err != nil { - return errors.Wrap(err, "constructing client options") + return fmt.Errorf("constructing client options: %w", err) } co := &cosign.CheckOpts{ Annotations: c.Annotations.Annotations, @@ -106,7 +106,7 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) { if c.RekorURL != "" { rekorClient, err := rekor.NewClient(c.RekorURL) if err != nil { - return errors.Wrap(err, "creating Rekor client") + return fmt.Errorf("creating Rekor client: %w", err) } co.RekorClient = rekorClient } @@ -122,7 +122,7 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) { case keyRef != "": pubKey, err = sigs.PublicKeyFromKeyRefWithHashAlgo(ctx, keyRef, c.HashAlgorithm) if err != nil { - return errors.Wrap(err, "loading public key") + return fmt.Errorf("loading public key: %w", err) } pkcs11Key, ok := pubKey.(*pkcs11key.Key) if ok { @@ -131,12 +131,12 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) { case c.Sk: sk, err := pivkey.GetKeyWithSlot(c.Slot) if err != nil { - return errors.Wrap(err, "opening piv token") + return fmt.Errorf("opening piv token: %w", err) } defer sk.Close() pubKey, err = sk.Verifier() if err != nil { - return errors.Wrap(err, "initializing piv token verifier") + return fmt.Errorf("initializing piv token verifier: %w", err) } case certRef != "": cert, err := loadCertFromFileOrURL(c.CertRef) @@ -184,11 +184,11 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) { } else { ref, err := name.ParseReference(img) if err != nil { - return errors.Wrap(err, "parsing reference") + return fmt.Errorf("parsing reference: %w", err) } ref, err = sign.GetAttachedImageRef(ref, c.Attachment, ociremoteOpts...) if err != nil { - return errors.Wrapf(err, "resolving attachment type %s for image %s", c.Attachment, img) + return fmt.Errorf("resolving attachment type %s for image %s: %w", c.Attachment, img, err) } verified, bundleVerified, err := cosign.VerifyImageSignatures(ctx, ref, co) diff --git a/cmd/cosign/cli/verify/verify_attestation.go b/cmd/cosign/cli/verify/verify_attestation.go index c32fc120095..ac645e4e3e6 100644 --- a/cmd/cosign/cli/verify/verify_attestation.go +++ b/cmd/cosign/cli/verify/verify_attestation.go @@ -18,13 +18,13 @@ package verify import ( "context" "crypto" + "errors" "flag" "fmt" "os" "path/filepath" "github.com/google/go-containerregistry/pkg/name" - "github.com/pkg/errors" "github.com/sigstore/cosign/pkg/cosign/pkcs11key" "github.com/sigstore/cosign/pkg/cosign/rego" "github.com/sigstore/cosign/pkg/oci" @@ -72,7 +72,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e ociremoteOpts, err := c.ClientOpts(ctx) if err != nil { - return errors.Wrap(err, "constructing client options") + return fmt.Errorf("constructing client options: %w", err) } co := &cosign.CheckOpts{ RegistryClientOpts: ociremoteOpts, @@ -87,7 +87,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e if c.RekorURL != "" { rekorClient, err := rekor.NewClient(c.RekorURL) if err != nil { - return errors.Wrap(err, "creating Rekor client") + return fmt.Errorf("creating Rekor client: %w", err) } co.RekorClient = rekorClient } @@ -101,7 +101,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e case keyRef != "": co.SigVerifier, err = sigs.PublicKeyFromKeyRef(ctx, keyRef) if err != nil { - return errors.Wrap(err, "loading public key") + return fmt.Errorf("loading public key: %w", err) } pkcs11Key, ok := co.SigVerifier.(*pkcs11key.Key) if ok { @@ -110,17 +110,17 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e case c.Sk: sk, err := pivkey.GetKeyWithSlot(c.Slot) if err != nil { - return errors.Wrap(err, "opening piv token") + return fmt.Errorf("opening piv token: %w", err) } defer sk.Close() co.SigVerifier, err = sk.Verifier() if err != nil { - return errors.Wrap(err, "initializing piv token verifier") + return fmt.Errorf("initializing piv token verifier: %w", err) } case c.CertRef != "": cert, err := loadCertFromFileOrURL(c.CertRef) if err != nil { - return errors.Wrap(err, "loading certificate from reference") + return fmt.Errorf("loading certificate from reference: %w", err) } if c.CertChain == "" { err = cosign.CheckCertificatePolicy(cert, co) @@ -129,7 +129,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e } co.SigVerifier, err = signature.LoadVerifier(cert.PublicKey, crypto.SHA256) if err != nil { - return errors.Wrap(err, "creating certificate verifier") + return fmt.Errorf("creating certificate verifier: %w", err) } } else { // Verify certificate with chain @@ -139,7 +139,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e } co.SigVerifier, err = cosign.ValidateAndUnpackCertWithChain(cert, chain, co) if err != nil { - return errors.Wrap(err, "creating certificate verifier") + return fmt.Errorf("creating certificate verifier: %w", err) } } } @@ -189,7 +189,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e for _, vp := range verified { payload, err := policy.AttestationToPayloadJSON(ctx, c.PredicateType, vp) if err != nil { - return errors.Wrap(err, "converting to consumable policy validation") + return fmt.Errorf("converting to consumable policy validation: %w", err) } if len(payload) == 0 { // This is not the predicate type we're looking for. diff --git a/cmd/cosign/cli/verify/verify_blob.go b/cmd/cosign/cli/verify/verify_blob.go index ccdc27b3d99..b64119f0705 100644 --- a/cmd/cosign/cli/verify/verify_blob.go +++ b/cmd/cosign/cli/verify/verify_blob.go @@ -24,13 +24,13 @@ import ( "encoding/base64" "encoding/hex" "encoding/json" + "errors" "fmt" "io" "os" "time" "github.com/go-openapi/runtime" - "github.com/pkg/errors" ssldsse "github.com/secure-systems-lab/go-securesystemslib/dsse" "github.com/sigstore/cosign/cmd/cosign/cli/fulcio" "github.com/sigstore/cosign/cmd/cosign/cli/options" @@ -84,7 +84,7 @@ func VerifyBlobCmd(ctx context.Context, ko options.KeyOpts, certRef, certEmail, case ko.KeyRef != "": verifier, err = sigs.PublicKeyFromKeyRef(ctx, ko.KeyRef) if err != nil { - return errors.Wrap(err, "loading public key") + return fmt.Errorf("loading public key: %w", err) } pkcs11Key, ok := verifier.(*pkcs11key.Key) if ok { @@ -93,12 +93,12 @@ func VerifyBlobCmd(ctx context.Context, ko options.KeyOpts, certRef, certEmail, case ko.Sk: sk, err := pivkey.GetKeyWithSlot(ko.Slot) if err != nil { - return errors.Wrap(err, "opening piv token") + return fmt.Errorf("opening piv token: %w", err) } defer sk.Close() verifier, err = sk.Verifier() if err != nil { - return errors.Wrap(err, "loading public key from token") + return fmt.Errorf("loading public key from token: %w", err) } case certRef != "": cert, err = loadCertFromFileOrURL(certRef) @@ -356,7 +356,7 @@ func verifyRekorBundle(ctx context.Context, bundlePath string, cert *x509.Certif } publicKeys, err := cosign.GetRekorPubs(ctx) if err != nil { - return errors.Wrap(err, "retrieving rekor public key") + return fmt.Errorf("retrieving rekor public key: %w", err) } pubKey, ok := publicKeys[b.Bundle.Payload.LogID]