diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 894087b3c3..4e9fb654d7 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -78,4 +78,4 @@ jobs:
 - uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
 with:
 command: clippy
- args: --workspace -- -D warnings -A clippy::derive-partial-eq-without-eq
+ args: --workspace -- -D warnings
diff --git a/Cargo.toml b/Cargo.toml
index e88b17539d..b61e5812f8 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -71,7 +71,7 @@ async-trait = "0.1.52"
 base64 = "0.21.0"
 cached = { version = "0.44.0", optional = true }
 cfg-if = "1.0.0"
-chrono = { version = "0.4.23", default-features = false }
+chrono = { version = "0.4.27", default-features = false }
 const-oid = "0.9.1"
 digest = { version = "0.10.3", default-features = false }
 ecdsa = { version = "0.16.7", features = ["pkcs8", "digest", "der", "signing"] }
@@ -123,7 +123,7 @@ zeroize = "1.5.7"
 [dev-dependencies]
 anyhow = { version = "1.0", features = ["backtrace"] }
 assert-json-diff = "2.0.2"
-chrono = "0.4.20"
+chrono = "0.4.27"
 clap = { version = "4.0.8", features = ["derive"] }
 docker_credential = "1.1.0"
 openssl = "0.10.38"
diff --git a/Makefile b/Makefile
index c9f7ad6714..1316c293ee 100644
--- a/Makefile
+++ b/Makefile
@@ -8,7 +8,7 @@ fmt:
 .PHONY: lint
 lint:
- cargo clippy -- -D warnings
+ cargo clippy --workspace -- -D warnings
 .PHONY: doc
 doc:
diff --git a/examples/cosign/verify-blob/main.rs b/examples/cosign/verify-blob/main.rs
index 0a9fb5604c..16e941fcd5 100644
--- a/examples/cosign/verify-blob/main.rs
+++ b/examples/cosign/verify-blob/main.rs
@@ -58,7 +58,7 @@ pub async fn main() {
 let certificate = fs::read_to_string(&cli.certificate).expect("error reading certificate");
 let signature = fs::read_to_string(&cli.signature).expect("error reading signature");
- let blob = fs::read(&cli.blob.as_str()).expect("error reading blob file");
+ let blob = fs::read(cli.blob.as_str()).expect("error reading blob file");
 match Client::verify_blob(&certificate, &signature, &blob) {
 Ok(_) => println!("Verification succeeded"),
diff --git a/examples/cosign/verify-bundle/main.rs b/examples/cosign/verify-bundle/main.rs
index eafc5b75e5..f8730f0765 100644
--- a/examples/cosign/verify-bundle/main.rs
+++ b/examples/cosign/verify-bundle/main.rs
@@ -59,7 +59,7 @@ pub async fn main() {
 CosignVerificationKey::from_pem(rekor_pub_pem.as_bytes(), &SigningScheme::default())
 .expect("Cannot create Rekor verification key");
 let bundle_json = fs::read_to_string(&cli.bundle).expect("error reading bundle json file");
- let blob = fs::read(&cli.blob.as_str()).expect("error reading blob file");
+ let blob = fs::read(cli.blob.as_str()).expect("error reading blob file");
 let bundle = SignedArtifactBundle::new_verified(&bundle_json, &rekor_pub_key).unwrap();
 match Client::verify_blob(&bundle.cert, &bundle.base64_signature, &blob) {
diff --git a/examples/cosign/verify/main.rs b/examples/cosign/verify/main.rs
index 8ee5dc91fb..b1d3cdcc67 100644
--- a/examples/cosign/verify/main.rs
+++ b/examples/cosign/verify/main.rs
@@ -140,7 +140,7 @@ async fn run_app(
 let cert_chain: Option> = match cli.cert_chain.as_ref() {
 None => None,
- Some(cert_chain_path) => Some(parse_cert_bundle(&cert_chain_path)?),
+ Some(cert_chain_path) => Some(parse_cert_bundle(cert_chain_path)?),
 };
 if !frd.fulcio_certs.is_empty() {
@@ -201,12 +201,9 @@ async fn run_app(
 false
 };
- let verifier = CertificateVerifier::from_pem(
- &cert,
- require_rekor_bundle,
- cert_chain.as_ref().map(|v| v.as_slice()),
- )
- .map_err(|e| anyhow!("Cannot create certificate verifier: {}", e))?;
+ let verifier =
+ CertificateVerifier::from_pem(&cert, require_rekor_bundle, cert_chain.as_deref())
+ .map_err(|e| anyhow!("Cannot create certificate verifier: {}", e))?;
 verification_constraints.push(Box::new(verifier));
 }
@@ -343,7 +340,7 @@ pub async fn main() {
 fn parse_cert_bundle(bundle_path: &str) -> Result> {
 let data = fs::read(bundle_path).map_err(|e| anyhow!("Error reading {}: {}", bundle_path, e))?;
- let pems = pem::parse_many(&data)?;
+ let pems = pem::parse_many(data)?;
 Ok(pems
 .iter()
diff --git a/src/cosign/bundle.rs b/src/cosign/bundle.rs
index e9a94ad647..e484a64796 100644
--- a/src/cosign/bundle.rs
+++ b/src/cosign/bundle.rs
@@ -160,7 +160,7 @@ OSWS1X9vPavpiQOoTTGC0xX57OojUadxF1cdQmrsiReWg2Wn4FneJfa8xw==
 {"base64Signature":"MEQCIGp1XZP5zaImosrBhDPCdXn3f8xI9FHGLsGVx6UeRPCgAiAt5GrsdQhOKnZcA3EWecvgJSHzCIjWifFBQkD7Hdsymg==","cert":"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","rekorBundle":{"SignedEntryTimestamp":"MEUCIC3c+21v9pk6o4BpB/dRAM9lGnyWLi3Xnc+i8LmnNJmeAiEAiqZJbZHx3Idnw+zXv6yM0ipPw/p16R28YGuCJFQ1u8U=","Payload":{"body":"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","integratedTime":1669361833,"logIndex":7810348,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"}}}
 "#;
 let rekor_pub_key = get_rekor_public_key();
- let result = SignedArtifactBundle::new_verified(&bundle_raw, &rekor_pub_key);
+ let result = SignedArtifactBundle::new_verified(bundle_raw, &rekor_pub_key);
 assert!(result.is_ok());
 let bundle = result.unwrap();
 assert_eq!(bundle.rekor_bundle.payload.log_index, 7810348);
diff --git a/src/cosign/verification_constraint/certificate_verifier.rs b/src/cosign/verification_constraint/certificate_verifier.rs
index 073463d06d..bdfabffe8f 100644
--- a/src/cosign/verification_constraint/certificate_verifier.rs
+++ b/src/cosign/verification_constraint/certificate_verifier.rs
@@ -83,7 +83,7 @@ impl VerificationConstraint for CertificateVerifier {
 }
 match &signature_layer.bundle {
 Some(bundle) => {
- let it = DateTime::::from_utc(
+ let it = DateTime::::from_naive_utc_and_offset(
 NaiveDateTime::from_timestamp_opt(bundle.payload.integrated_time, 0).ok_or(
 SigstoreError::UnexpectedError("timestamp is not legal".into()),
 )?,
diff --git a/src/crypto/certificate.rs b/src/crypto/certificate.rs
index 3273261c7d..943df12923 100644
--- a/src/crypto/certificate.rs
+++ b/src/crypto/certificate.rs
@@ -91,7 +91,7 @@ pub(crate) fn verify_validity(certificate: &Certificate) -> Result<()> {
 }
 fn verify_expiration(certificate: &Certificate, integrated_time: i64) -> Result<()> {
- let it = DateTime::::from_utc(
+ let it = DateTime::::from_naive_utc_and_offset(
 NaiveDateTime::from_timestamp_opt(integrated_time, 0)
 .ok_or(SigstoreError::X509Error("timestamp is not legal".into()))?,
 Utc,
diff --git a/src/crypto/signing_key/kdf.rs b/src/crypto/signing_key/kdf.rs
index deb4372b8d..d90cd53000 100644
--- a/src/crypto/signing_key/kdf.rs
+++ b/src/crypto/signing_key/kdf.rs
@@ -280,7 +280,7 @@ mod tests {
 });
 let data: Data = serde_json::from_value(input_json.clone()).expect("Cannot deserialize json Data");
- let actual_json = serde_json::to_value(&data).expect("Cannot serialize Data back to JSON");
+ let actual_json = serde_json::to_value(data).expect("Cannot serialize Data back to JSON");
 assert_json_eq!(input_json, actual_json);
 }
 }
diff --git a/src/tuf/constants.rs b/src/tuf/constants.rs
index 1515f08166..99231be2da 100644
--- a/src/tuf/constants.rs
+++ b/src/tuf/constants.rs
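Review bot: The conversion of a Rekor `integrated_time` into a `DateTime<Utc>` — `NaiveDateTime::from_timestamp_opt(.., 0)` guarded by `ok_or(..)`, then the newly introduced `from_naive_utc_and_offset(.., Utc)` — is now spelled out twice, in this `certificate_verifier.rs` hunk and again in `verify_expiration` in `src/crypto/certificate.rs`, with different error variants wrapping the same `"timestamp is not legal"` message. A crate-private helper such as `fn integrated_time_to_utc(secs: i64) -> Option<DateTime<Utc>>` built from `NaiveDateTime::from_timestamp_opt(secs, 0).map(|naive| DateTime::from_naive_utc_and_offset(naive, Utc))` would keep the epoch-seconds interpretation and the out-of-range rejection in one place, so a future change to how the log timestamp is validated cannot drift between the bundle check and the certificate-validity check. The rename appears to be what the `chrono` floor bump to 0.4.27 in `Cargo.toml` is for, which is worth a sentence in the commit message. Both enclosing functions continue past their hunks: the `Some(bundle)` arm here ends outside the visible lines, and `verify_expiration` in `certificate.rs` runs on after `Utc,`.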
@@ -18,7 +18,7 @@ use regex::Regex;
 lazy_static! {
 pub(crate) static ref SIGSTORE_FULCIO_CERT_TARGET_REGEX: Regex =
- Regex::new(r#"fulcio(_v\d+)?\.crt\.pem"#).expect("cannot compile regexp");
+ Regex::new(r"fulcio(_v\d+)?\.crt\.pem").expect("cannot compile regexp");
 }
 pub(crate) const SIGSTORE_METADATA_BASE: &str = "https://tuf-repo-cdn.sigstore.dev";
diff --git a/src/tuf/repository_helper.rs b/src/tuf/repository_helper.rs
index c542caae91..a581619638 100644
--- a/src/tuf/repository_helper.rs
+++ b/src/tuf/repository_helper.rs
@@ -271,7 +271,7 @@ mod tests {
 let mut actual = helper.fulcio_certs().expect("fulcio certs cannot be read");
 actual.sort();
 let mut expected: Vec =
- vec!["fulcio.crt.pem", "fulcio_v1.crt.pem"]
+ ["fulcio.crt.pem", "fulcio_v1.crt.pem"]
 .iter()
 .map(|filename| {
 let data = fs::read(
@@ -322,7 +322,7 @@ mod tests {
 let mut actual = helper.fulcio_certs().expect("fulcio certs cannot be read");
 actual.sort();
 let mut expected: Vec =
- vec!["fulcio.crt.pem", "fulcio_v1.crt.pem"]
+ ["fulcio.crt.pem", "fulcio_v1.crt.pem"]
 .iter()
 .map(|filename| {
 let data = fs::read(
@@ -379,7 +379,7 @@ mod tests {
 let mut actual = helper.fulcio_certs().expect("fulcio certs cannot be read");
 actual.sort();
 let mut expected: Vec =
- vec!["fulcio.crt.pem", "fulcio_v1.crt.pem"]
+ ["fulcio.crt.pem", "fulcio_v1.crt.pem"]
 .iter()
 .map(|filename| {
 let data = fs::read(
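Review bot: The pattern on the added line in `src/tuf/constants.rs`, `fulcio(_v\d+)?\.crt\.pem`, is unanchored, so whatever matching call consumes `SIGSTORE_FULCIO_CERT_TARGET_REGEX` will also accept any TUF target name that merely contains that substring rather than exactly the Fulcio root-certificate targets. If the intent is an exact target-name match, `Regex::new(r"^fulcio(_v\d+)?\.crt\.pem$")` states it, and the expected names in the `repository_helper.rs` tests touched by this commit (`fulcio.crt.pem`, `fulcio_v1.crt.pem`) still match. Whether the regex is applied to the full target name or to a path component is not visible in this hunk, so confirm the call site before anchoring, and consider a doc comment on the static saying which targets it is meant to select.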