From d99461668011e95bf469553f681fb3771d0a7196 Mon Sep 17 00:00:00 2001
From: Flavio Castelli
Date: Tue, 29 Aug 2023 18:17:39 +0200
Subject: [PATCH 1/3] chore: fix clippy warnings
Ensure latest version of clippy shipped with rust 1.72 is happy
Signed-off-by: Flavio Castelli
---
 examples/cosign/verify-blob/main.rs | 2 +-
 examples/cosign/verify-bundle/main.rs | 2 +-
 examples/cosign/verify/main.rs | 13 +++++--------
 src/cosign/bundle.rs | 2 +-
 src/crypto/signing_key/kdf.rs | 2 +-
 src/tuf/constants.rs | 2 +-
 src/tuf/repository_helper.rs | 6 +++---
 7 files changed, 13 insertions(+), 16 deletions(-)
diff --git a/examples/cosign/verify-blob/main.rs b/examples/cosign/verify-blob/main.rs
index 0a9fb5604c..16e941fcd5 100644
--- a/examples/cosign/verify-blob/main.rs
+++ b/examples/cosign/verify-blob/main.rs
@@ -58,7 +58,7 @@ pub async fn main() {
 let certificate = fs::read_to_string(&cli.certificate).expect("error reading certificate");
 let signature = fs::read_to_string(&cli.signature).expect("error reading signature");
- let blob = fs::read(&cli.blob.as_str()).expect("error reading blob file");
+ let blob = fs::read(cli.blob.as_str()).expect("error reading blob file");
 match Client::verify_blob(&certificate, &signature, &blob) {
 Ok(_) => println!("Verification succeeded"),
diff --git a/examples/cosign/verify-bundle/main.rs b/examples/cosign/verify-bundle/main.rs
index eafc5b75e5..f8730f0765 100644
--- a/examples/cosign/verify-bundle/main.rs
+++ b/examples/cosign/verify-bundle/main.rs
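Review bot: The `cli.blob.as_str()` on the added line is itself unnecessary: `fs::read` takes `impl AsRef<Path>`, which a `String` (or `&String`) already satisfies, so `let blob = fs::read(&cli.blob).expect("error reading blob file");` is the simpler form and matches how `cli.certificate` and `cli.signature` are passed two lines above. This assumes `cli.blob` is a `String`, as the `.as_str()` call suggests. Behaviour is unchanged either way; `main` continues outside the hunk.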
@@ -59,7 +59,7 @@ pub async fn main() {
 CosignVerificationKey::from_pem(rekor_pub_pem.as_bytes(), &SigningScheme::default())
 .expect("Cannot create Rekor verification key");
 let bundle_json = fs::read_to_string(&cli.bundle).expect("error reading bundle json file");
- let blob = fs::read(&cli.blob.as_str()).expect("error reading blob file");
+ let blob = fs::read(cli.blob.as_str()).expect("error reading blob file");
 let bundle = SignedArtifactBundle::new_verified(&bundle_json, &rekor_pub_key).unwrap();
 match Client::verify_blob(&bundle.cert, &bundle.base64_signature, &blob) {
diff --git a/examples/cosign/verify/main.rs b/examples/cosign/verify/main.rs
index 8ee5dc91fb..b1d3cdcc67 100644
--- a/examples/cosign/verify/main.rs
+++ b/examples/cosign/verify/main.rs
@@ -140,7 +140,7 @@ async fn run_app(
 let cert_chain: Option> = match cli.cert_chain.as_ref() {
 None => None,
- Some(cert_chain_path) => Some(parse_cert_bundle(&cert_chain_path)?),
+ Some(cert_chain_path) => Some(parse_cert_bundle(cert_chain_path)?),
 };
 if !frd.fulcio_certs.is_empty() {
@@ -201,12 +201,9 @@ async fn run_app(
 false
 };
- let verifier = CertificateVerifier::from_pem(
- &cert,
- require_rekor_bundle,
- cert_chain.as_ref().map(|v| v.as_slice()),
- )
- .map_err(|e| anyhow!("Cannot create certificate verifier: {}", e))?;
+ let verifier =
+ CertificateVerifier::from_pem(&cert, require_rekor_bundle, cert_chain.as_deref())
+ .map_err(|e| anyhow!("Cannot create certificate verifier: {}", e))?;
 verification_constraints.push(Box::new(verifier));
 }
@@ -343,7 +340,7 @@ pub async fn main() {
 fn parse_cert_bundle(bundle_path: &str) -> Result> {
 let data = fs::read(bundle_path).map_err(|e| anyhow!("Error reading {}: {}", bundle_path, e))?;
- let pems = pem::parse_many(&data)?;
+ let pems = pem::parse_many(data)?;
 Ok(pems
 .iter()
diff --git a/src/cosign/bundle.rs b/src/cosign/bundle.rs
index e9a94ad647..e484a64796 100644
--- a/src/cosign/bundle.rs
+++ b/src/cosign/bundle.rs
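Review bot: The `.unwrap()` on `SignedArtifactBundle::new_verified(&bundle_json, &rekor_pub_key)` in this hunk means a bundle whose Rekor signed entry timestamp does not verify ends the example with a bare panic and a Debug dump, while every other failure here gets a readable message; since that call is the step that decides whether `bundle.cert` and `bundle.base64_signature` can be trusted at all, it deserves at least `.expect("Rekor bundle verification failed")`, or a `match` that prints the error the way the `verify_blob` branch below does. The added line can also drop the `as_str()`: `fs::read(&cli.blob)` works because `fs::read` takes `impl AsRef<Path>`, assuming `cli.blob` is a `String`. `main` continues outside the hunk.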
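Review bot: The `match cli.cert_chain.as_ref() { None => None, Some(cert_chain_path) => Some(parse_cert_bundle(cert_chain_path)?), }` in the first `run_app` hunk is the hand-written form of mapping an `Option` through a fallible function; `let cert_chain = cli.cert_chain.as_deref().map(parse_cert_bundle).transpose()?;` says the same in one line and keeps the `?` at the binding. This assumes `cli.cert_chain` is an `Option<String>`, which the `as_ref()` and the `&str` parameter of `parse_cert_bundle` suggest. `run_app` continues on both sides of the hunk.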
@@ -160,7 +160,7 @@ OSWS1X9vPavpiQOoTTGC0xX57OojUadxF1cdQmrsiReWg2Wn4FneJfa8xw== {"base64Signature":"MEQCIGp1XZP5zaImosrBhDPCdXn3f8xI9FHGLsGVx6UeRPCgAiAt5GrsdQhOKnZcA3EWecvgJSHzCIjWifFBQkD7Hdsymg==","cert":"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNxRENDQWkrZ0F3SUJBZ0lVVFBXVGZPLzFOUmFTRmRlY2FBUS9wQkRHSnA4d0NnWUlLb1pJemowRUF3TXcKTnpFVk1CTUdBMVVFQ2hNTWMybG5jM1J2Y21VdVpHVjJNUjR3SEFZRFZRUURFeFZ6YVdkemRHOXlaUzFwYm5SbApjbTFsWkdsaGRHVXdIaGNOTWpJeE1USTFNRGN6TnpFeVdoY05Nakl4TVRJMU1EYzBOekV5V2pBQU1Ga3dFd1lICktvWkl6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUVKUVE0Vy81WFA5bTRZYldSQlF0SEdXd245dVVoYWUzOFVwY0oKcEVNM0RPczR6VzRNSXJNZlc0V1FEMGZ3cDhQVVVSRFh2UTM5NHBvcWdHRW1Ta3J1THFPQ0FVNHdnZ0ZLTUE0RwpBMVVkRHdFQi93UUVBd0lIZ0RBVEJnTlZIU1VFRERBS0JnZ3JCZ0VGQlFjREF6QWRCZ05WSFE0RUZnUVVvM0tuCmpKUVowWGZpZ2JENWIwT1ZOTjB4cVNvd0h3WURWUjBqQkJnd0ZvQVUzOVBwejFZa0VaYjVxTmpwS0ZXaXhpNFkKWkQ4d0p3WURWUjBSQVFIL0JCMHdHNEVaWkdGdWFXVnNMbUpsZG1WdWFYVnpRR2R0WVdsc0xtTnZiVEFzQmdvcgpCZ0VFQVlPL01BRUJCQjVvZEhSd2N6b3ZMMmRwZEdoMVlpNWpiMjB2Ykc5bmFXNHZiMkYxZEdnd2dZc0dDaXNHCkFRUUIxbmtDQkFJRWZRUjdBSGtBZHdEZFBUQnF4c2NSTW1NWkhoeVpaemNDb2twZXVONDhyZitIaW5LQUx5bnUKamdBQUFZU3R1Qkh5QUFBRUF3QklNRVlDSVFETTVZU1EvR0w2S0k1UjlPZGNuL3BTaytxVkQ2YnNMODMrRXA5UgoyaFdUYXdJaEFLMWppMWxaNTZEc2Z1TGZYN2JCQzluYlIzRWx4YWxCaHYxelFYTVU3dGx3TUFvR0NDcUdTTTQ5CkJBTURBMmNBTUdRQ01CSzh0c2dIZWd1aCtZaGVsM1BpakhRbHlKMVE1SzY0cDB4cURkbzdXNGZ4Zm9BUzl4clAKczJQS1FjZG9EOWJYd2dJd1g2ekxqeWJaa05IUDV4dEJwN3ZLMkZZZVp0ME9XTFJsVWxsY1VETDNULzdKUWZ3YwpHU3E2dlZCTndKMDB3OUhSCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K","rekorBundle":{"SignedEntryTimestamp":"MEUCIC3c+21v9pk6o4BpB/dRAM9lGnyWLi3Xnc+i8LmnNJmeAiEAiqZJbZHx3Idnw+zXv6yM0ipPw/p16R28YGuCJFQ1u8U=","Payload":{"body":"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","integratedTime":1669361833,"logIndex":7810348,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"}}} "#; let rekor_pub_key = get_rekor_public_key(); - let result = SignedArtifactBundle::new_verified(&bundle_raw, &rekor_pub_key); + let result = 
SignedArtifactBundle::new_verified(bundle_raw, &rekor_pub_key);
 assert!(result.is_ok());
 let bundle = result.unwrap();
 assert_eq!(bundle.rekor_bundle.payload.log_index, 7810348);
diff --git a/src/crypto/signing_key/kdf.rs b/src/crypto/signing_key/kdf.rs
index deb4372b8d..d90cd53000 100644
--- a/src/crypto/signing_key/kdf.rs
+++ b/src/crypto/signing_key/kdf.rs
@@ -280,7 +280,7 @@ mod tests {
 });
 let data: Data = serde_json::from_value(input_json.clone()).expect("Cannot deserialize json Data");
- let actual_json = serde_json::to_value(&data).expect("Cannot serialize Data back to JSON");
+ let actual_json = serde_json::to_value(data).expect("Cannot serialize Data back to JSON");
 assert_json_eq!(input_json, actual_json);
 }
 }
diff --git a/src/tuf/constants.rs b/src/tuf/constants.rs
index 1515f08166..99231be2da 100644
--- a/src/tuf/constants.rs
+++ b/src/tuf/constants.rs
@@ -18,7 +18,7 @@ use regex::Regex;
 lazy_static! {
 pub(crate) static ref SIGSTORE_FULCIO_CERT_TARGET_REGEX: Regex =
- Regex::new(r#"fulcio(_v\d+)?\.crt\.pem"#).expect("cannot compile regexp");
+ Regex::new(r"fulcio(_v\d+)?\.crt\.pem").expect("cannot compile regexp");
 }
 pub(crate) const SIGSTORE_METADATA_BASE: &str = "https://tuf-repo-cdn.sigstore.dev";
diff --git a/src/tuf/repository_helper.rs b/src/tuf/repository_helper.rs
index c542caae91..a581619638 100644
--- a/src/tuf/repository_helper.rs
+++ b/src/tuf/repository_helper.rs
@@ -271,7 +271,7 @@ mod tests {
 let mut actual = helper.fulcio_certs().expect("fulcio certs cannot be read");
 actual.sort();
 let mut expected: Vec =
- vec!["fulcio.crt.pem", "fulcio_v1.crt.pem"]
+ ["fulcio.crt.pem", "fulcio_v1.crt.pem"]
 .iter()
 .map(|filename| {
 let data = fs::read(
@@ -322,7 +322,7 @@ mod tests {
 let mut actual = helper.fulcio_certs().expect("fulcio certs cannot be read");
 actual.sort();
 let mut expected: Vec =
- vec!["fulcio.crt.pem", "fulcio_v1.crt.pem"]
+ ["fulcio.crt.pem", "fulcio_v1.crt.pem"]
 .iter()
 .map(|filename| {
 let data = fs::read(
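Review bot: `SIGSTORE_FULCIO_CERT_TARGET_REGEX` is unanchored, so after this change it still matches any target name that merely contains `fulcio.crt.pem` or `fulcio_v1.crt.pem`, for example `not-fulcio.crt.pem.old`; if it is what selects which TUF targets are loaded as Fulcio root certificates, as its name and the `fulcio_certs()` expectations in the repository_helper tests suggest, anchoring it as `Regex::new(r"^fulcio(_v\d+)?\.crt\.pem$").expect("cannot compile regexp");` makes the selection exact at no cost. The targets come from signed TUF metadata, so this is defence in depth rather than a live hole, but an extra or mislabelled target silently becoming a trust root is exactly what an exact match rules out. The raw-string simplification itself is correct, since the pattern contains no `"`.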
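Review bot: The `["fulcio.crt.pem", "fulcio_v1.crt.pem"].iter().map(|filename| { let data = fs::read(` construction of `expected` now appears verbatim in three tests of this module (the hunks at 271, 322 and 379); a small `fn expected_fulcio_certs(dir: &Path) -> Vec<_>` helper inside `mod tests` would keep the three copies in step when a `fulcio_v2.crt.pem` fixture is added and would turn each of these hunks into a one-line call. The closure body continues past the end of the hunk, so the full duplicated span is not visible here.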
@@ -379,7 +379,7 @@ mod tests {
 let mut actual = helper.fulcio_certs().expect("fulcio certs cannot be read");
 actual.sort();
 let mut expected: Vec =
- vec!["fulcio.crt.pem", "fulcio_v1.crt.pem"]
+ ["fulcio.crt.pem", "fulcio_v1.crt.pem"]
 .iter()
 .map(|filename| {
 let data = fs::read(
From 3aa96e81fd243458a2d8023942680968cc693a46 Mon Sep 17 00:00:00 2001
From: Flavio Castelli
Date: Tue, 29 Aug 2023 18:34:56 +0200
Subject: [PATCH 2/3] chore(clippy): remove allowed lint
The GH action running clippy was configured to ignore a clippy linter warning. This lint error has been fixed, hence the exception can be removed. Moreover, the Makefile has been updated to ensure clippy is invoked in the same way as by the GH action.
Signed-off-by: Flavio Castelli
---
 .github/workflows/tests.yml | 2 +-
 Makefile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 894087b3c3..4e9fb654d7 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -78,4 +78,4 @@ jobs:
 - uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
 with:
 command: clippy
- args: --workspace -- -D warnings -A clippy::derive-partial-eq-without-eq
+ args: --workspace -- -D warnings
diff --git a/Makefile b/Makefile
index c9f7ad6714..1316c293ee 100644
--- a/Makefile
+++ b/Makefile
@@ -8,7 +8,7 @@ fmt:
 .PHONY: lint
 lint:
- cargo clippy -- -D warnings
+ cargo clippy --workspace -- -D warnings
 .PHONY: doc
 doc:
From 658ebfb1a2f9bada56ed97c678bcce0eccb3f7e6 Mon Sep 17 00:00:00 2001
From: Flavio Castelli
Date: Wed, 30 Aug 2023 09:00:25 +0200
Subject: [PATCH 3/3] chore(deps): update to latest version of chrono
Update to latest version of chrono, fix deprecation warnings.
Signed-off-by: Flavio Castelli
---
 Cargo.toml | 4 ++--
 src/cosign/verification_constraint/certificate_verifier.rs | 2 +-
 src/crypto/certificate.rs | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
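Review bot: `cargo clippy --workspace -- -D warnings` only checks library and binary targets by default, yet the first patch of this series fixes warnings inside `#[cfg(test)]` modules (kdf.rs, repository_helper.rs) and under examples/, which a plain `cargo clippy` never compiles; unless another step covers those targets, CI is not enforcing the lints the series just cleaned up, and the next regression there will land unnoticed. Passing `args: --workspace --all-targets -- -D warnings` here, and mirroring it in the Makefile's `lint` rule, closes that gap and keeps the two invocations identical, which is what the commit message sets out to do. The `actions-rs/cargo` step stays pinned to a full commit SHA, which is the right choice for a repository whose job is supply-chain verification.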
diff --git a/Cargo.toml b/Cargo.toml
index e88b17539d..b61e5812f8 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -71,7 +71,7 @@ async-trait = "0.1.52"
 base64 = "0.21.0"
 cached = { version = "0.44.0", optional = true }
 cfg-if = "1.0.0"
-chrono = { version = "0.4.23", default-features = false }
+chrono = { version = "0.4.27", default-features = false }
 const-oid = "0.9.1"
 digest = { version = "0.10.3", default-features = false }
 ecdsa = { version = "0.16.7", features = ["pkcs8", "digest", "der", "signing"] }
@@ -123,7 +123,7 @@ zeroize = "1.5.7"
 [dev-dependencies]
 anyhow = { version = "1.0", features = ["backtrace"] }
 assert-json-diff = "2.0.2"
-chrono = "0.4.20"
+chrono = "0.4.27"
 clap = { version = "4.0.8", features = ["derive"] }
 docker_credential = "1.1.0"
 openssl = "0.10.38"
diff --git a/src/cosign/verification_constraint/certificate_verifier.rs b/src/cosign/verification_constraint/certificate_verifier.rs
index 073463d06d..bdfabffe8f 100644
--- a/src/cosign/verification_constraint/certificate_verifier.rs
+++ b/src/cosign/verification_constraint/certificate_verifier.rs
@@ -83,7 +83,7 @@ impl VerificationConstraint for CertificateVerifier {
 }
 match &signature_layer.bundle {
 Some(bundle) => {
- let it = DateTime::::from_utc(
+ let it = DateTime::::from_naive_utc_and_offset(
 NaiveDateTime::from_timestamp_opt(bundle.payload.integrated_time, 0).ok_or(
 SigstoreError::UnexpectedError("timestamp is not legal".into()),
 )?,
diff --git a/src/crypto/certificate.rs b/src/crypto/certificate.rs
index 3273261c7d..943df12923 100644
--- a/src/crypto/certificate.rs
+++ b/src/crypto/certificate.rs
@@ -91,7 +91,7 @@ pub(crate) fn verify_validity(certificate: &Certificate) -> Result<()> {
 }
 fn verify_expiration(certificate: &Certificate, integrated_time: i64) -> Result<()> {
- let it = DateTime::::from_utc(
+ let it = DateTime::::from_naive_utc_and_offset(
 NaiveDateTime::from_timestamp_opt(integrated_time, 0)
 .ok_or(SigstoreError::X509Error("timestamp is not legal".into()))?,
 Utc,
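Review bot: The `.ok_or(SigstoreError::UnexpectedError("timestamp is not legal".into()))` chained onto `from_timestamp_opt` in the certificate_verifier.rs hunk builds the error, `String` allocation included, on every call whether or not the timestamp is valid; `.ok_or_else(|| SigstoreError::UnexpectedError("timestamp is not legal".into()))` defers it. More importantly, the same integrated-time-to-`DateTime<Utc>` conversion now appears here and in `crypto::certificate::verify_expiration`, with a different error variant for the same condition (`UnexpectedError` here, `X509Error` there), so a single `fn integrated_time_to_datetime(secs: i64) -> Result<DateTime<Utc>>` in `crypto::certificate` would remove the inconsistency and give the next chrono deprecation one place to land. The enclosing `VerificationConstraint` impl method continues on both sides of the hunk.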
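Review bot: `verify_expiration` in the certificate.rs hunk takes `integrated_time` as a bare `i64` with no statement of where that value may come from, yet the instant it is converted into is presumably what the rest of the function (outside the hunk) checks the certificate's validity window against; a caller that passes an attacker-influenced timestamp, such as one read from a Rekor bundle whose signed entry timestamp has not yet been verified, would let an expired or not-yet-valid Fulcio certificate through. A doc comment makes the contract explicit: `/// Checks that the certificate was valid at `integrated_time` (Unix seconds, UTC).` followed by `/// Callers must only pass a timestamp taken from a Rekor bundle whose signed entry timestamp has already been verified; an unverified value defeats the expiry check.` The `"timestamp is not legal"` error only fires when `from_timestamp_opt` rejects an out-of-range value, which is worth saying in the message so it is not mistaken for a freshness check.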