add govulncheck to CI and improve CI actions

aead · aead · commit eb6dc4d13e52 · 2022-09-18T15:48:19.000+02:00
Signed-off-by: Andreas Auernhammer &lt;hi@aead.dev&gt;
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -1,16 +1,18 @@
-name: "CodeQL Scan"
+name: CodeQL
 on:
-  push:
   pull_request:
-  schedule:
-    - cron: '0 19 * * 0'
+    branches:
+    - main
+  push:
+    branches:
+    - main
 jobs:
-  CodeQL-Build:
-    # CodeQL runs on ubuntu-latest and windows-latest
+  codeql:
+    name: Analysis
     runs-on: ubuntu-latest
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
       with:
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.
@@ -22,26 +24,15 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@v2
       # Override language selection by uncommenting this and choosing your languages
       # with:
       #   languages: go, javascript, csharp, python, cpp, java
 
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
-
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 https://git.io/JvXDl
-
-    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
-    #    and modify them (or add more) to build your code if your project
-    #    uses a compiled language
-
-    #- run: |
-    #   make bootstrap
-    #   make release
-
+      uses: github/codeql-action/autobuild@v2
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@v2
+
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -10,47 +10,40 @@ on:
 
 jobs:
   build:
-    name: Build Go ${{ matrix.go-version }}
+    name: Build ${{ matrix.go-version }}
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        go-version: [1.16.x, 1.17.x]
+        go-version: [1.19.1]
     steps:
     - name: Set up Go ${{ matrix.go-version }}
-      uses: actions/setup-go@v1
+      uses: actions/setup-go@v3
       with:
         go-version: ${{ matrix.go-version }}
-      id: go
-
     - name: Check out code into the Go module directory
-      uses: actions/checkout@v1
-
-    - name: Build
+      uses: actions/checkout@v3
+    - name: Build and Lint
       env:
         GO111MODULE: on
       run: |
-         curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.42.0
-         $(go env GOPATH)/bin/golangci-lint run --config ./.golangci.yml
+         go build ./...
          go vet ./...
+         curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.48.0
+         $(go env GOPATH)/bin/golangci-lint run --config ./.golangci.yml
   test:
-    name: Test Go ${{ matrix.go-version }} on ${{ matrix.os }}
+    name: Text ${{ matrix.os }}
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        go-version: [1.17.x]
+        go-version: [1.19.1]
         os: [ubuntu-latest, windows-latest, macos-latest]
     steps:
     - name: Set up Go ${{ matrix.go-version }} on ${{ matrix.os }}
-      uses: actions/setup-go@v1
+      uses: actions/setup-go@v3
       with:
         go-version: ${{ matrix.go-version }}
-      id: go
-
     - name: Check out code into the Go module directory
-      uses: actions/checkout@v1
-
+      uses: actions/checkout@v3
     - name: Test on ${{ matrix.os }}
-      env:
-        GO111MODULE: on
       run: |
-         go test -v ./...
+         go test ./...
diff --git a/.github/workflows/vulncheck.yml b/.github/workflows/vulncheck.yml
@@ -0,0 +1,26 @@
+ame: VulnCheck
+on:
+  pull_request:
+    branches:
+    - main
+  push:
+    branches:
+    - main
+jobs:
+  vulncheck:
+    name: Analysis
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version: 1.19.1
+        check-latest: true
+    - name: Install govulncheck
+      run: go install golang.org/x/vuln/cmd/govulncheck@latest
+      shell: bash
+    - name: Run govulncheck
+      run: govulncheck ./...
+      shell: bash
diff --git a/minisign.go b/minisign.go
@@ -162,7 +162,7 @@ func Verify(publicKey PublicKey, message, signature []byte) bool {
 }
 
 func sign(privateKey PrivateKey, message []byte, trustedComment, untrustedComment string, isHashed bool) []byte {
-	var algorithm = EdDSA
+	algorithm := EdDSA
 	if isHashed {
 		algorithm = HashEdDSA
 	}
diff --git a/minisign_test.go b/minisign_test.go
@@ -60,5 +60,4 @@ func TestReaderRoundtrip(t *testing.T) {
 	if !reader.Verify(publicKey, signature) {
 		t.Fatalf("Verification failed: signature %q - public key %q", signature, publicKey)
 	}
-
 }
diff --git a/private.go b/private.go
@@ -195,9 +195,9 @@ func DecryptKey(password string, privateKey []byte) (PrivateKey, error) {
 }
 
 // encryptKey encrypts the plaintext and returns a ciphertext by:
-//   1. tag        = BLAKE2b-256(EdDSA-const || plaintext)
-//   2. keystream  = Scrypt(password, salt, convert(ops, mem))
-//   3. ciphertext = (plaintext || tag) ⊕ keystream
+//  1. tag        = BLAKE2b-256(EdDSA-const || plaintext)
+//  2. keystream  = Scrypt(password, salt, convert(ops, mem))
+//  3. ciphertext = (plaintext || tag) ⊕ keystream
 //
 // Therefore, decryptKey converts the ops and mem cost parameters
 // to the (N, r, p)-tuple expected by Scrypt.
@@ -233,9 +233,9 @@ func encryptKey(password string, salt []byte, ops, mem uint64, plaintext []byte)
 }
 
 // decryptKey decrypts the ciphertext and returns a plaintext by:
-//   1. keystream        = Scrypt(password, salt, convert(ops, mem))
-//   2. plaintext || tag = ciphertext ⊕ keystream
-//   3. Check that: tag == BLAKE2b-256(EdDSA-const || plaintext)
+//  1. keystream        = Scrypt(password, salt, convert(ops, mem))
+//  2. plaintext || tag = ciphertext ⊕ keystream
+//  3. Check that: tag == BLAKE2b-256(EdDSA-const || plaintext)
 //
 // Therefore, decryptKey converts the ops and mem cost parameters to
 // the (N, r, p)-tuple expected by Scrypt.
diff --git a/public.go b/public.go
@@ -1,3 +1,7 @@
+// Copyright (c) 2021 Andreas Auernhammer. All rights reserved.
+// Use of this source code is governed by a license that can be
+// found in the LICENSE file.
+
 package minisign
 
 import (
@@ -65,7 +69,7 @@ func (p PublicKey) String() string {
 //
 // It never returns an error.
 func (p PublicKey) MarshalText() ([]byte, error) {
-	var comment = "untrusted comment: minisign public key: " + strings.ToUpper(strconv.FormatUint(p.ID(), 16)) + "\n"
+	comment := "untrusted comment: minisign public key: " + strings.ToUpper(strconv.FormatUint(p.ID(), 16)) + "\n"
 	return []byte(comment + p.String()), nil
 }
 
diff --git a/signature.go b/signature.go
@@ -35,15 +35,16 @@ func SignatureFromFile(file string) (Signature, error) {
 //
 // A signature is generated when signing a message with
 // a private key:
-//   signature = Sign(privateKey, message)
+//
+//	signature = Sign(privateKey, message)
 //
 // The signature of a message can then be verified with the
 // corresponding public key:
-//   if Verify(publicKey, message, signature) {
-//      // => signature is valid
-//      // => message has been signed with correspoding private key
-//   }
 //
+//	if Verify(publicKey, message, signature) {
+//	   // => signature is valid
+//	   // => message has been signed with correspoding private key
+//	}
 type Signature struct {
 	_ [0]func() // enforce named assignment and prevent direct comparison
 
diff --git a/signature_test.go b/signature_test.go
@@ -92,15 +92,15 @@ var equalSignatureTests = []struct {
 			Algorithm:        EdDSA,
 			KeyID:            0xe7620f1842b4e81f,
 			UntrustedComment: `signature from minisign secret key`,
-			TrustedComment: `timestamp:1591521248	file:minisign-0.9.tar.gz`,
+			TrustedComment:   `timestamp:1591521248	file:minisign-0.9.tar.gz`,
 			Signature:        [64]byte{20, 99, 118, 100, 132, 21, 202, 44, 47, 123, 240, 66, 228, 28, 175, 132, 143, 49, 11, 188, 252, 49, 53, 73, 106, 154, 66, 249, 67, 203, 35, 77, 156, 24, 226, 182, 244, 241, 252, 5, 244, 97, 127, 41, 191, 156, 128, 14, 117, 64, 157, 164, 36, 146, 238, 203, 151, 33, 174, 82, 239, 66, 73, 10},
 			CommentSignature: [64]byte{148, 178, 205, 92, 217, 151, 10, 78, 112, 147, 154, 17, 47, 24, 233, 136, 141, 16, 37, 217, 29, 77, 64, 75, 217, 55, 69, 178, 114, 188, 40, 93, 6, 130, 93, 121, 211, 7, 19, 198, 190, 160, 33, 49, 136, 129, 80, 249, 121, 170, 165, 216, 105, 97, 230, 151, 208, 109, 244, 227, 46, 121, 241, 15},
 		},
 		B: Signature{
 			Algorithm:        EdDSA,
 			KeyID:            0xe7620f1842b4e81f,
 			UntrustedComment: `signature from minisign secret key`,
-			TrustedComment: `timestamp:1591521248	file:minisign-0.9.tar.gz`,
+			TrustedComment:   `timestamp:1591521248	file:minisign-0.9.tar.gz`,
 			Signature:        [64]byte{20, 99, 118, 100, 132, 21, 202, 44, 47, 123, 240, 66, 228, 28, 175, 132, 143, 49, 11, 188, 252, 49, 53, 73, 106, 154, 66, 249, 67, 203, 35, 77, 156, 24, 226, 182, 244, 241, 252, 5, 244, 97, 127, 41, 191, 156, 128, 14, 117, 64, 157, 164, 36, 146, 238, 203, 151, 33, 174, 82, 239, 66, 73, 10},
 			CommentSignature: [64]byte{148, 178, 205, 92, 217, 151, 10, 78, 112, 147, 154, 17, 47, 24, 233, 136, 141, 16, 37, 217, 29, 77, 64, 75, 217, 55, 69, 178, 114, 188, 40, 93, 6, 130, 93, 121, 211, 7, 19, 198, 190, 160, 33, 49, 136, 129, 80, 249, 121, 170, 165, 216, 105, 97, 230, 151, 208, 109, 244, 227, 46, 121, 241, 15},
 		},
@@ -123,8 +123,8 @@ var equalSignatureTests = []struct {
 		Equal: false, // KeyID differs
 	},
 	{
-		A: Signature{TrustedComment: `timestamp:1591521248	file:minisign-0.9.tar.gz`},
-		B: Signature{TrustedComment: `timestamp:1591521249	file:minisign-0.9.tar.gz`},
+		A:     Signature{TrustedComment: `timestamp:1591521248	file:minisign-0.9.tar.gz`},
+		B:     Signature{TrustedComment: `timestamp:1591521249	file:minisign-0.9.tar.gz`},
 		Equal: false, // TrustedComment differs
 	},
 	{
@@ -165,24 +165,24 @@ var marshalSignatureTests = []struct {
 			Algorithm:        EdDSA,
 			KeyID:            0xe7620f1842b4e81f,
 			UntrustedComment: `signature from minisign secret key`,
-			TrustedComment: `timestamp:1591521248	file:minisign-0.9.tar.gz`,
+			TrustedComment:   `timestamp:1591521248	file:minisign-0.9.tar.gz`,
 		},
 	},
 	{
 		Signature: Signature{
 			Algorithm:        EdDSA,
 			KeyID:            0xe7620f1842b4e81f,
 			UntrustedComment: `signature from minisign secret key`,
-			TrustedComment: `timestamp:1591521248	file:minisign-0.9.tar.gz`,
-			Signature: [64]byte{20, 99, 118, 100, 132, 21, 202, 44, 47, 123, 240, 66, 228, 28, 175, 132, 143, 49, 11, 188, 252, 49, 53, 73, 106, 154, 66, 249, 67, 203, 35, 77, 156, 24, 226, 182, 244, 241, 252, 5, 244, 97, 127, 41, 191, 156, 128, 14, 117, 64, 157, 164, 36, 146, 238, 203, 151, 33, 174, 82, 239, 66, 73, 10},
+			TrustedComment:   `timestamp:1591521248	file:minisign-0.9.tar.gz`,
+			Signature:        [64]byte{20, 99, 118, 100, 132, 21, 202, 44, 47, 123, 240, 66, 228, 28, 175, 132, 143, 49, 11, 188, 252, 49, 53, 73, 106, 154, 66, 249, 67, 203, 35, 77, 156, 24, 226, 182, 244, 241, 252, 5, 244, 97, 127, 41, 191, 156, 128, 14, 117, 64, 157, 164, 36, 146, 238, 203, 151, 33, 174, 82, 239, 66, 73, 10},
 		},
 	},
 	{
 		Signature: Signature{
 			Algorithm:        EdDSA,
 			KeyID:            0xe7620f1842b4e81f,
 			UntrustedComment: `signature from minisign secret key`,
-			TrustedComment: `timestamp:1591521248	file:minisign-0.9.tar.gz`,
+			TrustedComment:   `timestamp:1591521248	file:minisign-0.9.tar.gz`,
 			Signature:        [64]byte{20, 99, 118, 100, 132, 21, 202, 44, 47, 123, 240, 66, 228, 28, 175, 132, 143, 49, 11, 188, 252, 49, 53, 73, 106, 154, 66, 249, 67, 203, 35, 77, 156, 24, 226, 182, 244, 241, 252, 5, 244, 97, 127, 41, 191, 156, 128, 14, 117, 64, 157, 164, 36, 146, 238, 203, 151, 33, 174, 82, 239, 66, 73, 10},
 			CommentSignature: [64]byte{148, 178, 205, 92, 217, 151, 10, 78, 112, 147, 154, 17, 47, 24, 233, 136, 141, 16, 37, 217, 29, 77, 64, 75, 217, 55, 69, 178, 114, 188, 40, 93, 6, 130, 93, 121, 211, 7, 19, 198, 190, 160, 33, 49, 136, 129, 80, 249, 121, 170, 165, 216, 105, 97, 230, 151, 208, 109, 244, 227, 46, 121, 241, 15},
 		},
@@ -203,7 +203,7 @@ lLLNXNmXCk5wk5oRLxjpiI0QJdkdTUBL2TdFsnK8KF0Ggl150wcTxr6gITGIgVD5eaql2Glh5pfQbfTj
 			Algorithm:        EdDSA,
 			KeyID:            0xe7620f1842b4e81f,
 			UntrustedComment: `signature from minisign secret key`,
-			TrustedComment: `timestamp:1591521248	file:minisign-0.9.tar.gz`,
+			TrustedComment:   `timestamp:1591521248	file:minisign-0.9.tar.gz`,
 			Signature:        [64]byte{20, 99, 118, 100, 132, 21, 202, 44, 47, 123, 240, 66, 228, 28, 175, 132, 143, 49, 11, 188, 252, 49, 53, 73, 106, 154, 66, 249, 67, 203, 35, 77, 156, 24, 226, 182, 244, 241, 252, 5, 244, 97, 127, 41, 191, 156, 128, 14, 117, 64, 157, 164, 36, 146, 238, 203, 151, 33, 174, 82, 239, 66, 73, 10},
 			CommentSignature: [64]byte{148, 178, 205, 92, 217, 151, 10, 78, 112, 147, 154, 17, 47, 24, 233, 136, 141, 16, 37, 217, 29, 77, 64, 75, 217, 55, 69, 178, 114, 188, 40, 93, 6, 130, 93, 121, 211, 7, 19, 198, 190, 160, 33, 49, 136, 129, 80, 249, 121, 170, 165, 216, 105, 97, 230, 151, 208, 109, 244, 227, 46, 121, 241, 15},
 		},
@@ -217,7 +217,7 @@ lLLNXNmXCk5wk5oRLxjpiI0QJdkdTUBL2TdFsnK8KF0Ggl150wcTxr6gITGIgVD5eaql2Glh5pfQbfTj
 			Algorithm:        EdDSA,
 			KeyID:            0xe7620f1842b4e81f,
 			UntrustedComment: `signature from minisign secret key`,
-			TrustedComment: `timestamp:1591521248	file:minisign-0.9.tar.gz`,
+			TrustedComment:   `timestamp:1591521248	file:minisign-0.9.tar.gz`,
 			Signature:        [64]byte{20, 99, 118, 100, 132, 21, 202, 44, 47, 123, 240, 66, 228, 28, 175, 132, 143, 49, 11, 188, 252, 49, 53, 73, 106, 154, 66, 249, 67, 203, 35, 77, 156, 24, 226, 182, 244, 241, 252, 5, 244, 97, 127, 41, 191, 156, 128, 14, 117, 64, 157, 164, 36, 146, 238, 203, 151, 33, 174, 82, 239, 66, 73, 10},
 			CommentSignature: [64]byte{148, 178, 205, 92, 217, 151, 10, 78, 112, 147, 154, 17, 47, 24, 233, 136, 141, 16, 37, 217, 29, 77, 64, 75, 217, 55, 69, 178, 114, 188, 40, 93, 6, 130, 93, 121, 211, 7, 19, 198, 190, 160, 33, 49, 136, 129, 80, 249, 121, 170, 165, 216, 105, 97, 230, 151, 208, 109, 244, 227, 46, 121, 241, 15},
 		},

Original file line number	Diff line number	Diff line change
`@@ -162,7 +162,7 @@ func Verify(publicKey PublicKey, message, signature []byte) bool {`
`162`	`162`	`}`
`163`	`163`
`164`	`164`	`func sign(privateKey PrivateKey, message []byte, trustedComment, untrustedComment string, isHashed bool) []byte {`
`165`		`- var algorithm = EdDSA`
	`165`	`+ algorithm := EdDSA`
`166`	`166`	`if isHashed {`
`167`	`167`	`algorithm = HashEdDSA`
`168`	`168`	`}`
Original file line number	Diff line number	Diff line change
`@@ -60,5 +60,4 @@ func TestReaderRoundtrip(t *testing.T) {`
`60`	`60`	`if !reader.Verify(publicKey, signature) {`
`61`	`61`	`t.Fatalf("Verification failed: signature %q - public key %q", signature, publicKey)`
`62`	`62`	`}`
`63`		`-`
`64`	`63`	`}`