chore: fix clippy warnings

.github/workflows/tests.yml

@@ -78,4 +78,4 @@ jobs:
       - uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3
         with:
           command: clippy
-          args: --workspace -- -D warnings -A clippy::derive-partial-eq-without-eq
+          args: --workspace -- -D warnings

Cargo.toml

@@ -71,7 +71,7 @@ async-trait = "0.1.52"
 base64 = "0.21.0"
 cached = { version = "0.44.0", optional = true }
 cfg-if = "1.0.0"
-chrono = { version = "0.4.23", default-features = false }
+chrono = { version = "0.4.27", default-features = false }
 const-oid = "0.9.1"
 digest = { version = "0.10.3", default-features = false }
 ecdsa = { version = "0.16.7", features = ["pkcs8", "digest", "der", "signing"] }
@@ -123,7 +123,7 @@ zeroize = "1.5.7"
 [dev-dependencies]
 anyhow = { version = "1.0", features = ["backtrace"] }
 assert-json-diff = "2.0.2"
-chrono = "0.4.20"
+chrono = "0.4.27"
 clap = { version = "4.0.8", features = ["derive"] }
 docker_credential = "1.1.0"
 openssl = "0.10.38"

Makefile

@@ -8,7 +8,7 @@ fmt:
 
 .PHONY: lint
 lint:
-	cargo clippy -- -D warnings
+	cargo clippy --workspace -- -D warnings
 
 .PHONY: doc
 doc:

examples/cosign/verify-blob/main.rs

@@ -58,7 +58,7 @@ pub async fn main() {
 
     let certificate = fs::read_to_string(&cli.certificate).expect("error reading certificate");
     let signature = fs::read_to_string(&cli.signature).expect("error reading signature");
-    let blob = fs::read(&cli.blob.as_str()).expect("error reading blob file");
+    let blob = fs::read(cli.blob.as_str()).expect("error reading blob file");
 
     match Client::verify_blob(&certificate, &signature, &blob) {
         Ok(_) => println!("Verification succeeded"),

examples/cosign/verify-bundle/main.rs

@@ -59,7 +59,7 @@ pub async fn main() {
         CosignVerificationKey::from_pem(rekor_pub_pem.as_bytes(), &SigningScheme::default())
             .expect("Cannot create Rekor verification key");
     let bundle_json = fs::read_to_string(&cli.bundle).expect("error reading bundle json file");
-    let blob = fs::read(&cli.blob.as_str()).expect("error reading blob file");
+    let blob = fs::read(cli.blob.as_str()).expect("error reading blob file");
 
     let bundle = SignedArtifactBundle::new_verified(&bundle_json, &rekor_pub_key).unwrap();
     match Client::verify_blob(&bundle.cert, &bundle.base64_signature, &blob) {

examples/cosign/verify/main.rs

@@ -140,7 +140,7 @@ async fn run_app(
 
     let cert_chain: Option<Vec<sigstore::registry::Certificate>> = match cli.cert_chain.as_ref() {
         None => None,
-        Some(cert_chain_path) => Some(parse_cert_bundle(&cert_chain_path)?),
+        Some(cert_chain_path) => Some(parse_cert_bundle(cert_chain_path)?),
     };
 
     if !frd.fulcio_certs.is_empty() {
@@ -201,12 +201,9 @@ async fn run_app(
             false
         };
 
-        let verifier = CertificateVerifier::from_pem(
-            &cert,
-            require_rekor_bundle,
-            cert_chain.as_ref().map(|v| v.as_slice()),
-        )
-        .map_err(|e| anyhow!("Cannot create certificate verifier: {}", e))?;
+        let verifier =
+            CertificateVerifier::from_pem(&cert, require_rekor_bundle, cert_chain.as_deref())
+                .map_err(|e| anyhow!("Cannot create certificate verifier: {}", e))?;
 
         verification_constraints.push(Box::new(verifier));
     }
@@ -343,7 +340,7 @@ pub async fn main() {
 fn parse_cert_bundle(bundle_path: &str) -> Result<Vec<sigstore::registry::Certificate>> {
     let data =
         fs::read(bundle_path).map_err(|e| anyhow!("Error reading {}: {}", bundle_path, e))?;
-    let pems = pem::parse_many(&data)?;
+    let pems = pem::parse_many(data)?;
 
     Ok(pems
         .iter()

src/cosign/bundle.rs

@@ -160,7 +160,7 @@ OSWS1X9vPavpiQOoTTGC0xX57OojUadxF1cdQmrsiReWg2Wn4FneJfa8xw==
 {"base64Signature":"MEQCIGp1XZP5zaImosrBhDPCdXn3f8xI9FHGLsGVx6UeRPCgAiAt5GrsdQhOKnZcA3EWecvgJSHzCIjWifFBQkD7Hdsymg==","cert":"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNxRENDQWkrZ0F3SUJBZ0lVVFBXVGZPLzFOUmFTRmRlY2FBUS9wQkRHSnA4d0NnWUlLb1pJemowRUF3TXcKTnpFVk1CTUdBMVVFQ2hNTWMybG5jM1J2Y21VdVpHVjJNUjR3SEFZRFZRUURFeFZ6YVdkemRHOXlaUzFwYm5SbApjbTFsWkdsaGRHVXdIaGNOTWpJeE1USTFNRGN6TnpFeVdoY05Nakl4TVRJMU1EYzBOekV5V2pBQU1Ga3dFd1lICktvWkl6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUVKUVE0Vy81WFA5bTRZYldSQlF0SEdXd245dVVoYWUzOFVwY0oKcEVNM0RPczR6VzRNSXJNZlc0V1FEMGZ3cDhQVVVSRFh2UTM5NHBvcWdHRW1Ta3J1THFPQ0FVNHdnZ0ZLTUE0RwpBMVVkRHdFQi93UUVBd0lIZ0RBVEJnTlZIU1VFRERBS0JnZ3JCZ0VGQlFjREF6QWRCZ05WSFE0RUZnUVVvM0tuCmpKUVowWGZpZ2JENWIwT1ZOTjB4cVNvd0h3WURWUjBqQkJnd0ZvQVUzOVBwejFZa0VaYjVxTmpwS0ZXaXhpNFkKWkQ4d0p3WURWUjBSQVFIL0JCMHdHNEVaWkdGdWFXVnNMbUpsZG1WdWFYVnpRR2R0WVdsc0xtTnZiVEFzQmdvcgpCZ0VFQVlPL01BRUJCQjVvZEhSd2N6b3ZMMmRwZEdoMVlpNWpiMjB2Ykc5bmFXNHZiMkYxZEdnd2dZc0dDaXNHCkFRUUIxbmtDQkFJRWZRUjdBSGtBZHdEZFBUQnF4c2NSTW1NWkhoeVpaemNDb2twZXVONDhyZitIaW5LQUx5bnUKamdBQUFZU3R1Qkh5QUFBRUF3QklNRVlDSVFETTVZU1EvR0w2S0k1UjlPZGNuL3BTaytxVkQ2YnNMODMrRXA5UgoyaFdUYXdJaEFLMWppMWxaNTZEc2Z1TGZYN2JCQzluYlIzRWx4YWxCaHYxelFYTVU3dGx3TUFvR0NDcUdTTTQ5CkJBTURBMmNBTUdRQ01CSzh0c2dIZWd1aCtZaGVsM1BpakhRbHlKMVE1SzY0cDB4cURkbzdXNGZ4Zm9BUzl4clAKczJQS1FjZG9EOWJYd2dJd1g2ekxqeWJaa05IUDV4dEJwN3ZLMkZZZVp0ME9XTFJsVWxsY1VETDNULzdKUWZ3YwpHU3E2dlZCTndKMDB3OUhSCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K","rekorBundle":{"SignedEntryTimestamp":"MEUCIC3c+21v9pk6o4BpB/dRAM9lGnyWLi3Xnc+i8LmnNJmeAiEAiqZJbZHx3Idnw+zXv6yM0ipPw/p16R28YGuCJFQ1u8U=","Payload":{"body":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI0YmM0NTNiNTNjYjNkOTE0YjQ1ZjRiMjUwMjk0MjM2YWRiYTJjMGUwOWZmNmYwMzc5Mzk0OWU3ZTM5ZmQ0Y2MxIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FUUNJR3AxWFpQNXphSW1vc3JCaERQQ2RYbjNmOHhJOUZIR0xzR1Z4NlVlUlBDZ0FpQXQ1R3JzZFFoT0tuWmNBM0VXZWN2Z0pTSHpDSWpXaWZGQlFrRDdIZHN5bWc9PSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVTnhSRU5EUVdrclowRjNTVUpCWjBsVlZGQlhWR1pQTHpGT1VtRlRSbVJsWTJGQlVTOXdRa1JIU25BNGQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcEplRTFVU1RGTlJHTjZUbnBGZVZkb1kwNU5ha2w0VFZSSk1VMUVZekJPZWtWNVYycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVZLVVZFMFZ5ODFXRkE1YlRSWllsZFNRbEYwU0VkWGQyNDVkVlZvWVdVek9GVndZMG9LY0VWTk0wUlBjelI2VnpSTlNYSk5abGMwVjFGRU1HWjNjRGhRVlZWU1JGaDJVVE01TkhCdmNXZEhSVzFUYTNKMVRIRlBRMEZWTkhkblowWkxUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlZ2TTB0dUNtcEtVVm93V0dacFoySkVOV0l3VDFaT1RqQjRjVk52ZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDBwM1dVUldVakJTUVZGSUwwSkNNSGRITkVWYVdrZEdkV0ZYVm5OTWJVcHNaRzFXZFdGWVZucFJSMlIwV1Zkc2MweHRUblppVkVGelFtZHZjZ3BDWjBWRlFWbFBMMDFCUlVKQ1FqVnZaRWhTZDJONmIzWk1NbVJ3WkVkb01WbHBOV3BpTWpCMllrYzVibUZYTkhaaU1rWXhaRWRuZDJkWmMwZERhWE5IQ2tGUlVVSXhibXREUWtGSlJXWlJVamRCU0d0QlpIZEVaRkJVUW5GNGMyTlNUVzFOV2tob2VWcGFlbU5EYjJ0d1pYVk9ORGh5Wml0SWFXNUxRVXg1Ym5VS2FtZEJRVUZaVTNSMVFraDVRVUZCUlVGM1FrbE5SVmxEU1ZGRVRUVlpVMUV2UjB3MlMwazFVamxQWkdOdUwzQlRheXR4VmtRMlluTk1PRE1yUlhBNVVnb3lhRmRVWVhkSmFFRkxNV3BwTVd4YU5UWkVjMloxVEdaWU4ySkNRemx1WWxJelJXeDRZV3hDYUhZeGVsRllUVlUzZEd4M1RVRnZSME5EY1VkVFRUUTVDa0pCVFVSQk1tTkJUVWRSUTAxQ1N6aDBjMmRJWldkMWFDdFphR1ZzTTFCcGFraFJiSGxLTVZFMVN6WTBjREI0Y1VSa2J6ZFhOR1o0Wm05QlV6bDRjbEFLY3pKUVMxRmpaRzlFT1dKWWQyZEpkMWcyZWt4cWVXSmFhMDVJVURWNGRFSndOM1pMTWtaWlpWcDBNRTlYVEZKc1ZXeHNZMVZFVEROVUx6ZEtVV1ozWXdwSFUzRTJkbFpDVG5kS01EQjNPVWhTQ2kwdExTMHRSVTVFSUVORlVsUkpSa2xEUVZSRkxTMHRMUzBLIn19fX0=","integratedTime":1669361833,"logIndex":7810348,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"}}}
         "#;
         let rekor_pub_key = get_rekor_public_key();
-        let result = SignedArtifactBundle::new_verified(&bundle_raw, &rekor_pub_key);
+        let result = SignedArtifactBundle::new_verified(bundle_raw, &rekor_pub_key);
         assert!(result.is_ok());
         let bundle = result.unwrap();
         assert_eq!(bundle.rekor_bundle.payload.log_index, 7810348);

src/cosign/verification_constraint/certificate_verifier.rs

@@ -83,7 +83,7 @@ impl VerificationConstraint for CertificateVerifier {
         }
         match &signature_layer.bundle {
             Some(bundle) => {
-                let it = DateTime::<Utc>::from_utc(
+                let it = DateTime::<Utc>::from_naive_utc_and_offset(
                     NaiveDateTime::from_timestamp_opt(bundle.payload.integrated_time, 0).ok_or(
                         SigstoreError::UnexpectedError("timestamp is not legal".into()),
                     )?,

src/crypto/certificate.rs

@@ -91,7 +91,7 @@ pub(crate) fn verify_validity(certificate: &Certificate) -> Result<()> {
 }
 
 fn verify_expiration(certificate: &Certificate, integrated_time: i64) -> Result<()> {
-    let it = DateTime::<Utc>::from_utc(
+    let it = DateTime::<Utc>::from_naive_utc_and_offset(
         NaiveDateTime::from_timestamp_opt(integrated_time, 0)
             .ok_or(SigstoreError::X509Error("timestamp is not legal".into()))?,
         Utc,

src/crypto/signing_key/kdf.rs

@@ -280,7 +280,7 @@ mod tests {
         });
         let data: Data =
             serde_json::from_value(input_json.clone()).expect("Cannot deserialize json Data");
-        let actual_json = serde_json::to_value(&data).expect("Cannot serialize Data back to JSON");
+        let actual_json = serde_json::to_value(data).expect("Cannot serialize Data back to JSON");
         assert_json_eq!(input_json, actual_json);
     }
 }

src/tuf/constants.rs

@@ -18,7 +18,7 @@ use regex::Regex;
 
 lazy_static! {
     pub(crate) static ref SIGSTORE_FULCIO_CERT_TARGET_REGEX: Regex =
-        Regex::new(r#"fulcio(_v\d+)?\.crt\.pem"#).expect("cannot compile regexp");
+        Regex::new(r"fulcio(_v\d+)?\.crt\.pem").expect("cannot compile regexp");
 }
 
 pub(crate) const SIGSTORE_METADATA_BASE: &str = "https://tuf-repo-cdn.sigstore.dev";

src/tuf/repository_helper.rs

@@ -271,7 +271,7 @@ mod tests {
         let mut actual = helper.fulcio_certs().expect("fulcio certs cannot be read");
         actual.sort();
         let mut expected: Vec<crate::registry::Certificate> =
-            vec!["fulcio.crt.pem", "fulcio_v1.crt.pem"]
+            ["fulcio.crt.pem", "fulcio_v1.crt.pem"]
                 .iter()
                 .map(|filename| {
                     let data = fs::read(
@@ -322,7 +322,7 @@ mod tests {
         let mut actual = helper.fulcio_certs().expect("fulcio certs cannot be read");
         actual.sort();
         let mut expected: Vec<crate::registry::Certificate> =
-            vec!["fulcio.crt.pem", "fulcio_v1.crt.pem"]
+            ["fulcio.crt.pem", "fulcio_v1.crt.pem"]
                 .iter()
                 .map(|filename| {
                     let data = fs::read(
@@ -379,7 +379,7 @@ mod tests {
         let mut actual = helper.fulcio_certs().expect("fulcio certs cannot be read");
         actual.sort();
         let mut expected: Vec<crate::registry::Certificate> =
-            vec!["fulcio.crt.pem", "fulcio_v1.crt.pem"]
+            ["fulcio.crt.pem", "fulcio_v1.crt.pem"]
                 .iter()
                 .map(|filename| {
                     let data = fs::read(