Merge pull request #178 from edytuk/v2.11.1

Merge sylabs/sif through v2.11.1
apptainer · Mar 20, 2023 · dac6e95 · dac6e95
2 parents 5e91f3b + 724f1e6
commit dac6e95
Show file tree

Hide file tree

Showing 14 changed files with 97 additions and 68 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -41,7 +41,7 @@ jobs:
       - name: Install Lint
         uses: golangci/golangci-lint-action@v2
         with:
-          version: v1.51
+          version: v1.52
           skip-pkg-cache: true
           skip-build-cache: true
 

diff --git a/.golangci.yml b/.golangci.yml
@@ -50,9 +50,13 @@ linters:
     - typecheck
     - unconvert
     - unparam
-    # - unused
+    - unused
     - whitespace
 
 linters-settings:
+  errorlint:
+    # Go 1.19 compatibility (https://github.com/sylabs/sif/issues/265).
+    errorf-multi: false
+
   misspell:
     locale: US
diff --git a/pkg/integrity/clearsign.go b/pkg/integrity/clearsign.go
@@ -42,7 +42,7 @@ func newClearsignEncoder(e *openpgp.Entity, timeFunc func() time.Time) *clearsig
 
 // signMessage signs the message from r in clear-sign format, and writes the result to w. On
 // success, the hash function is returned.
-func (en *clearsignEncoder) signMessage(ctx context.Context, w io.Writer, r io.Reader) (crypto.Hash, error) {
+func (en *clearsignEncoder) signMessage(_ context.Context, w io.Writer, r io.Reader) (crypto.Hash, error) {
 	plaintext, err := clearsign.Encode(w, en.e.PrivateKey, en.config)
 	if err != nil {
 		return 0, err
@@ -67,7 +67,7 @@ func newClearsignDecoder(kr openpgp.KeyRing) *clearsignDecoder {
 
 // verifyMessage reads a message from r, verifies its signature, and returns the message contents.
 // On success, the signing entity is set in vr.
-func (de *clearsignDecoder) verifyMessage(ctx context.Context, r io.Reader, h crypto.Hash, vr *VerifyResult) ([]byte, error) { //nolint:lll
+func (de *clearsignDecoder) verifyMessage(_ context.Context, r io.Reader, _ crypto.Hash, vr *VerifyResult) ([]byte, error) { //nolint:lll
 	data, err := io.ReadAll(r)
 	if err != nil {
 		return nil, err

diff --git a/pkg/integrity/digest.go b/pkg/integrity/digest.go
@@ -2,7 +2,7 @@
 //   Apptainer a Series of LF Projects LLC.
 //   For website terms of use, trademark policy, privacy policy and other
 //   project policies see https://lfprojects.org/policies
-// Copyright (c) 2020-2022, Sylabs Inc. All rights reserved.
+// Copyright (c) 2020-2023, Sylabs Inc. All rights reserved.
 // This software is licensed under a 3-clause BSD license. Please consult the LICENSE.md file
 // distributed with the sources of this project regarding your rights to use or distribute this
 // software.
@@ -121,7 +121,6 @@ func (d digest) MarshalJSON() ([]byte, error) {
 func (d *digest) UnmarshalJSON(data []byte) error {
 	var s string
 	if err := json.Unmarshal(data, &s); err != nil {
-		//nolint:errorlint // Go 1.19 compatibility
 		return fmt.Errorf("%w: %v", errDigestMalformed, err)
 	}
 
@@ -134,7 +133,6 @@ func (d *digest) UnmarshalJSON(data []byte) error {
 
 	v, err := hex.DecodeString(value)
 	if err != nil {
-		//nolint:errorlint // Go 1.19 compatibility
 		return fmt.Errorf("%w: %v", errDigestMalformed, err)
 	}
 

diff --git a/pkg/integrity/dsse.go b/pkg/integrity/dsse.go
@@ -129,7 +129,6 @@ func (de *dsseDecoder) verifyMessage(ctx context.Context, r io.Reader, h crypto.
 
 	vr.aks, err = v.Verify(ctx, &e)
 	if err != nil {
-		//nolint:errorlint // Go 1.19 compatibility
 		return nil, fmt.Errorf("%w: %v", errDSSEVerifyEnvelopeFailed, err)
 	}
 
@@ -172,7 +171,7 @@ func (s *dsseSigner) Sign(ctx context.Context, data []byte) ([]byte, error) {
 var errSignNotImplemented = errors.New("sign not implemented")
 
 // Verify is not implemented, but required for the dsse.SignVerifier interface.
-func (s *dsseSigner) Verify(ctx context.Context, data, sig []byte) error {
+func (s *dsseSigner) Verify(_ context.Context, _, _ []byte) error {
 	return errSignNotImplemented
 }
 

diff --git a/pkg/integrity/sign.go b/pkg/integrity/sign.go
@@ -314,16 +314,19 @@ type Signer struct {
 // By default, one digital signature is added per object group in f. To override this behavior,
 // consider using OptSignGroup and/or OptSignObjects.
 //
-// By default, signature, header and descriptor timestamps are set to the current time. To override
-// this behavior, consider using OptSignWithTime or OptSignDeterministic.
+// By default, signature timestamps are set to the current time. To override this behavior,
+// consider using OptSignWithTime.
+//
+// By default, header and descriptor timestamps are set to the current time for non-deterministic
+// images, and unset otherwise. To override this behavior, consider using OptSignWithTime or
+// OptSignDeterministic.
 func NewSigner(f *sif.FileImage, opts ...SignerOpt) (*Signer, error) {
 	if f == nil {
 		return nil, fmt.Errorf("integrity: %w", errNilFileImage)
 	}
 
 	so := signOpts{
-		timeFunc: time.Now,
-		ctx:      context.Background(),
+		ctx: context.Background(),
 	}
 
 	// Apply options.
@@ -350,7 +353,11 @@ func NewSigner(f *sif.FileImage, opts ...SignerOpt) (*Signer, error) {
 			return nil, fmt.Errorf("integrity: %w", err)
 		}
 	case so.e != nil:
-		en = newClearsignEncoder(so.e, so.timeFunc)
+		timeFunc := time.Now
+		if so.timeFunc != nil {
+			timeFunc = so.timeFunc
+		}
+		en = newClearsignEncoder(so.e, timeFunc)
 		commonOpts = append(commonOpts, optSignGroupFingerprint(so.e.PrimaryKey.Fingerprint))
 	default:
 		return nil, fmt.Errorf("integrity: %w", ErrNoKeyMaterial)
@@ -414,7 +421,7 @@ func (s *Signer) Sign() error {
 		var opts []sif.AddOpt
 		if s.opts.deterministic {
 			opts = append(opts, sif.OptAddDeterministic())
-		} else {
+		} else if s.opts.timeFunc != nil {
 			opts = append(opts, sif.OptAddWithTime(s.opts.timeFunc()))
 		}
 

diff --git a/pkg/integrity/verify_test.go b/pkg/integrity/verify_test.go
@@ -722,7 +722,7 @@ func (v mockVerifier) signatures() ([]sif.Descriptor, error) {
 	return v.sigs, v.sigsErr
 }
 
-func (v mockVerifier) verifySignature(ctx context.Context, sig sif.Descriptor, de decoder, vr *VerifyResult) error {
+func (v mockVerifier) verifySignature(_ context.Context, _ sif.Descriptor, _ decoder, vr *VerifyResult) error {
 	vr.verified = v.verified
 	vr.e = v.e
 	return v.verifyErr

diff --git a/pkg/sif/create.go b/pkg/sif/create.go
@@ -255,7 +255,7 @@ func createContainer(rw ReadWriter, co createOpts) (*FileImage, error) {
 // By default, the image ID is set to a randomly generated value. To override this, consider using
 // OptCreateDeterministic or OptCreateWithID.
 //
-// By default, the image creation time is set to time.Now(). To override this, consider using
+// By default, the image creation time is set to the current time. To override this, consider using
 // OptCreateDeterministic or OptCreateWithTime.
 //
 // By default, the image will support a maximum of 48 descriptors. To change this, consider using
@@ -300,7 +300,7 @@ func CreateContainer(rw ReadWriter, opts ...CreateOpt) (*FileImage, error) {
 // By default, the image ID is set to a randomly generated value. To override this, consider using
 // OptCreateDeterministic or OptCreateWithID.
 //
-// By default, the image creation time is set to time.Now(). To override this, consider using
+// By default, the image creation time is set to the current time. To override this, consider using
 // OptCreateDeterministic or OptCreateWithTime.
 //
 // By default, the image will support a maximum of 48 descriptors. To change this, consider using
@@ -397,11 +397,13 @@ func OptAddWithTime(t time.Time) AddOpt {
 
 // AddObject adds a new data object and its descriptor into the specified SIF file.
 //
-// By default, the image modification time is set to the current time. To override this, consider
-// using OptAddDeterministic or OptAddWithTime.
+// By default, the image modification time is set to the current time for non-deterministic images,
+// and unset otherwise. To override this, consider using OptAddDeterministic or OptAddWithTime.
 func (f *FileImage) AddObject(di DescriptorInput, opts ...AddOpt) error {
-	ao := addOpts{
-		t: time.Now(),
+	ao := addOpts{}
+
+	if !f.isDeterministic() {
+		ao.t = time.Now()
 	}
 
 	for _, opt := range opts {
@@ -453,11 +455,7 @@ func (f *FileImage) isLast(d *rawDescriptor) bool {
 func (f *FileImage) truncateAt(d *rawDescriptor) error {
 	start := d.Offset + d.Size - d.SizeWithPadding
 
-	if err := f.rw.Truncate(start); err != nil {
-		return err
-	}
-
-	return nil
+	return f.rw.Truncate(start)
 }
 
 // deleteOpts accumulates object deletion options.
@@ -510,11 +508,14 @@ var errCompactNotImplemented = errors.New("compact not implemented for non-last
 // To zero the data region of the deleted object, use OptDeleteZero. To compact the file following
 // object deletion, use OptDeleteCompact.
 //
-// By default, the image modification time is set to time.Now(). To override this, consider using
-// OptDeleteDeterministic or OptDeleteWithTime.
+// By default, the image modification time is set to the current time for non-deterministic images,
+// and unset otherwise. To override this, consider using OptDeleteDeterministic or
+// OptDeleteWithTime.
 func (f *FileImage) DeleteObject(id uint32, opts ...DeleteOpt) error {
-	do := deleteOpts{
-		t: time.Now(),
+	do := deleteOpts{}
+
+	if !f.isDeterministic() {
+		do.t = time.Now()
 	}
 
 	for _, opt := range opts {
@@ -600,11 +601,14 @@ var (
 
 // SetPrimPart sets the specified system partition to be the primary one.
 //
-// By default, the image/object modification times are set to time.Now(). To override this,
-// consider using OptSetDeterministic or OptSetWithTime.
+// By default, the image/object modification times are set to the current time for
+// non-deterministic images, and unset otherwise. To override this, consider using
+// OptSetDeterministic or OptSetWithTime.
 func (f *FileImage) SetPrimPart(id uint32, opts ...SetOpt) error {
-	so := setOpts{
-		t: time.Now(),
+	so := setOpts{}
+
+	if !f.isDeterministic() {
+		so.t = time.Now()
 	}
 
 	for _, opt := range opts {

diff --git a/pkg/sif/create_test.go b/pkg/sif/create_test.go
@@ -323,6 +323,17 @@ func TestAddObject(t *testing.T) {
 			),
 			wantErr: errPrimaryPartition,
 		},
+		{
+			name: "Deterministic",
+			createOpts: []CreateOpt{
+				OptCreateWithID("de170c43-36ab-44a8-bca9-1ea1a070a274"),
+				OptCreateWithTime(time.Unix(946702800, 0)),
+			},
+			di: getDescriptorInput(t, DataGeneric, []byte{0xfa, 0xce}),
+			opts: []AddOpt{
+				OptAddDeterministic(),
+			},
+		},
 		{
 			name: "WithTime",
 			createOpts: []CreateOpt{
@@ -339,9 +350,6 @@ func TestAddObject(t *testing.T) {
 				OptCreateDeterministic(),
 			},
 			di: getDescriptorInput(t, DataGeneric, []byte{0xfa, 0xce}),
-			opts: []AddOpt{
-				OptAddDeterministic(),
-			},
 		},
 		{
 			name: "EmptyNotAligned",
@@ -351,9 +359,6 @@ func TestAddObject(t *testing.T) {
 			di: getDescriptorInput(t, DataGeneric, []byte{0xfa, 0xce},
 				OptObjectAlignment(0),
 			),
-			opts: []AddOpt{
-				OptAddDeterministic(),
-			},
 		},
 		{
 			name: "EmptyAligned",
@@ -363,9 +368,6 @@ func TestAddObject(t *testing.T) {
 			di: getDescriptorInput(t, DataGeneric, []byte{0xfa, 0xce},
 				OptObjectAlignment(128),
 			),
-			opts: []AddOpt{
-				OptAddDeterministic(),
-			},
 		},
 		{
 			name: "NotEmpty",
@@ -378,9 +380,6 @@ func TestAddObject(t *testing.T) {
 			di: getDescriptorInput(t, DataPartition, []byte{0xfe, 0xed},
 				OptPartitionMetadata(FsSquash, PartPrimSys, "386"),
 			),
-			opts: []AddOpt{
-				OptAddDeterministic(),
-			},
 		},
 		{
 			name: "NotEmptyNotAligned",
@@ -394,9 +393,6 @@ func TestAddObject(t *testing.T) {
 				OptPartitionMetadata(FsSquash, PartPrimSys, "386"),
 				OptObjectAlignment(0),
 			),
-			opts: []AddOpt{
-				OptAddDeterministic(),
-			},
 		},
 		{
 			name: "NotEmptyAligned",
@@ -410,9 +406,6 @@ func TestAddObject(t *testing.T) {
 				OptPartitionMetadata(FsSquash, PartPrimSys, "386"),
 				OptObjectAlignment(128),
 			),
-			opts: []AddOpt{
-				OptAddDeterministic(),
-			},
 		},
 	}
 
@@ -465,7 +458,6 @@ func TestDeleteObject(t *testing.T) {
 			},
 			id: 1,
 			opts: []DeleteOpt{
-				OptDeleteDeterministic(),
 				OptDeleteZero(true),
 			},
 		},
@@ -479,7 +471,6 @@ func TestDeleteObject(t *testing.T) {
 			},
 			id: 1,
 			opts: []DeleteOpt{
-				OptDeleteDeterministic(),
 				OptDeleteCompact(true),
 			},
 		},
@@ -493,11 +484,24 @@ func TestDeleteObject(t *testing.T) {
 			},
 			id: 1,
 			opts: []DeleteOpt{
-				OptDeleteDeterministic(),
 				OptDeleteZero(true),
 				OptDeleteCompact(true),
 			},
 		},
+		{
+			name: "Deterministic",
+			createOpts: []CreateOpt{
+				OptCreateWithID("de170c43-36ab-44a8-bca9-1ea1a070a274"),
+				OptCreateWithDescriptors(
+					getDescriptorInput(t, DataGeneric, []byte{0xfa, 0xce}),
+				),
+				OptCreateWithTime(time.Unix(946702800, 0)),
+			},
+			id: 1,
+			opts: []DeleteOpt{
+				OptDeleteDeterministic(),
+			},
+		},
 		{
 			name: "WithTime",
 			createOpts: []CreateOpt{
@@ -522,9 +526,6 @@ func TestDeleteObject(t *testing.T) {
 				),
 			},
 			id: 1,
-			opts: []DeleteOpt{
-				OptDeleteDeterministic(),
-			},
 		},
 	}
 
@@ -567,6 +568,22 @@ func TestSetPrimPart(t *testing.T) {
 			id:      1,
 			wantErr: ErrObjectNotFound,
 		},
+		{
+			name: "Deterministic",
+			createOpts: []CreateOpt{
+				OptCreateWithID("de170c43-36ab-44a8-bca9-1ea1a070a274"),
+				OptCreateWithDescriptors(
+					getDescriptorInput(t, DataPartition, []byte{0xfa, 0xce},
+						OptPartitionMetadata(FsRaw, PartSystem, "386"),
+					),
+				),
+				OptCreateWithTime(time.Unix(946702800, 0)),
+			},
+			id: 1,
+			opts: []SetOpt{
+				OptSetDeterministic(),
+			},
+		},
 		{
 			name: "WithTime",
 			createOpts: []CreateOpt{
@@ -596,9 +613,6 @@ func TestSetPrimPart(t *testing.T) {
 				),
 			},
 			id: 1,
-			opts: []SetOpt{
-				OptSetDeterministic(),
-			},
 		},
 		{
 			name: "Two",
@@ -614,9 +628,6 @@ func TestSetPrimPart(t *testing.T) {
 				),
 			},
 			id: 2,
-			opts: []SetOpt{
-				OptSetDeterministic(),
-			},
 		},
 	}