Update JWX packages from V2 to V3 and CI workflows with Go v1.23 and golangci-lint v2.2.1

.github/workflows/ci-go-cover.yml

@@ -25,7 +25,7 @@ jobs:
     steps:
     - uses: actions/setup-go@v3
       with:
-        go-version: "1.18"
+        go-version: "1.23"
     - name: Checkout code
       uses: actions/checkout@v2
     - name: Go Coverage

.github/workflows/ci.yml

@@ -11,7 +11,7 @@ jobs:
     steps:
     - uses: actions/setup-go@v3
       with:
-        go-version: "1.18"
+        go-version: "1.23"
     - name: Checkout code
       uses: actions/checkout@v2
     - name: Build package and run tests

.github/workflows/linters.yml

@@ -10,14 +10,12 @@ jobs:
     steps:
     - uses: actions/setup-go@v3
       with:
-        go-version: "1.18"
+        go-version: "1.23"
     - name: Checkout code
       uses: actions/checkout@v2
-    - name: Install golangci-lint 
+    - name: Install golangci-lint
       run: |
         go version
-        curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.47.0
+        curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v2.2.1
     - name: Run required linters in .golangci.yml plus hard-coded ones here
       run: make -w GOLINT=$(go env GOPATH)/bin/golangci-lint lint
-    - name: Run optional linters (not required to pass)
-      run: make -w GOLINT=$(go env GOPATH)/bin/golangci-lint lint-extra

.golangci.yml

@@ -1,88 +1,85 @@
-# Do not delete linter settings. Linters like gocritic can be enabled on the command line.
-
-linters-settings:
-  dupl:
-    threshold: 100
-  funlen:
-    lines: 100
-    statements: 50
-  goconst:
-    min-len: 2
-    min-occurrences: 3
-  gocritic:
-    enabled-tags:
-      - diagnostic
-      - experimental
-      - opinionated
-      - performance
-      - style
-    disabled-checks:
-      - dupImport # https://github.com/go-critic/go-critic/issues/845
-      - ifElseChain
-      - octalLiteral
-      - paramTypeCombine
-      - whyNoLint
-      - wrapperFunc    
-  gofmt:
-    simplify: false    
-  goimports:
-  golint:
-    min-confidence: 0
-  govet:
-    check-shadowing: true
-  lll:
-    line-length: 140
-  maligned:
-    suggest-new: true
-  misspell:
-    locale: US
-
+version: "2"
 linters:
-  disable-all: true
+  default: none
   enable:
-    - deadcode
     - errcheck
     - goconst
     - gocyclo
-    - gofmt
-    - goimports
-    - golint
     - gosec
     - govet
     - ineffassign
-    - maligned
     - misspell
     - staticcheck
-    - structcheck
-    - typecheck
     - unconvert
     - unused
-    - varcheck
-
-
+  settings:
+    dupl:
+      threshold: 100
+    funlen:
+      lines: 100
+      statements: 50
+    goconst:
+      min-len: 2
+      min-occurrences: 3
+    gocritic:
+      disabled-checks:
+        - dupImport
+        - ifElseChain
+        - octalLiteral
+        - paramTypeCombine
+        - whyNoLint
+        - wrapperFunc
+      enabled-tags:
+        - diagnostic
+        - experimental
+        - opinionated
+        - performance
+        - style
+    lll:
+      line-length: 140
+    misspell:
+      locale: US
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    rules:
+      - linters:
+          - dupl
+          - goconst
+          - lll
+          - mnd
+        path: _test\.go
+      - linters:
+          - lll
+          - mnd
+        path: doc\.go
+      - linters:
+          - lll
+        path: pretty_test_vectors.go
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
 issues:
   # max-issues-per-linter default is 50.  Set to 0 to disable limit.
   max-issues-per-linter: 0
   # max-same-issues default is 3.  Set to 0 to disable limit.
   max-same-issues: 0
-  # Excluding configuration per-path, per-linter, per-text and per-source
-  exclude-rules:
-    - path: _test\.go
-      linters:
-        - goconst
-        - dupl
-        - gomnd
-        - lll        
-    - path: doc\.go
-      linters:
-        - goimports
-        - gomnd
-        - lll
-    - path: pretty_test_vectors.go
-      linters:
-        - lll
-
-# golangci.com configuration
-# https://github.com/golangci/golangci/wiki/Configuration
-service:
-  golangci-lint-version: 1.23.x # use the fixed version to not introduce new linters unexpectedly
+formatters:
+  enable:
+    - gofmt
+    - goimports
+  settings:
+    gofmt:
+      simplify: false
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+      - doc\.go

Makefile

@@ -7,13 +7,10 @@ GOPKG := github.com/veraison/ear
 GOPKG += github.com/veraison/ear/arc/cmd
 
 GOLINT ?= golangci-lint
+GOLINT_ARGS ?= run --timeout=3m -E dupl -E gocritic -E lll -E prealloc
 
-ifeq ($(MAKECMDGOALS),lint)
-GOLINT_ARGS ?= run --timeout=3m -E dupl -E gocritic -E gosimple -E lll -E prealloc
-endif
-
-.PHONY: lint lint-extra
-lint lint-extra: ; $(GOLINT) $(GOLINT_ARGS)
+.PHONY: lint
+lint: ; $(GOLINT) $(GOLINT_ARGS)
 
 ifeq ($(MAKECMDGOALS),test)
 GOTEST_ARGS ?= -v -race $(GOPKG)
@@ -48,6 +45,5 @@ help:
 	@echo "  * test-cover: run unit tests and measure coverage for $(GOPKG)"
 	@echo "  * licenses:   check licenses of dependent packages"
 	@echo "  * lint:       lint sources using default configuration"
-	@echo "  * lint-extra: lint sources using default configuration and some extra checkers"
 	@echo "  * presubmit:  check you are ready to push your local branch to remote"
 	@echo "  * help:       print this menu"

arc/cmd/common.go

@@ -5,14 +5,14 @@ package cmd
 import (
 	"strings"
 
-	"github.com/lestrrat-go/jwx/v2/jwa"
+	"github.com/lestrrat-go/jwx/v3/jwa"
 )
 
 func algList() string {
 	var l []string // nolint: prealloc
 
 	for _, a := range jwa.SignatureAlgorithms() {
-		l = append(l, string(a))
+		l = append(l, a.String())
 	}
 
 	return strings.Join(l, ", ")

arc/cmd/create.go

@@ -6,8 +6,8 @@ import (
 	"errors"
 	"fmt"
 
-	"github.com/lestrrat-go/jwx/v2/jwa"
-	"github.com/lestrrat-go/jwx/v2/jwk"
+	"github.com/lestrrat-go/jwx/v3/jwa"
+	"github.com/lestrrat-go/jwx/v3/jwk"
 	"github.com/spf13/afero"
 	"github.com/spf13/cobra"
 	"github.com/veraison/ear"
@@ -38,6 +38,7 @@ the key in the default key file "skey.json", and save the result to "my-ear.jwt"
 				claimsSet, sKey, arBytes []byte
 				sigK                     jwk.Key
 				ar                       ear.AttestationResult
+				alg                      jwa.KeyAlgorithm
 				err                      error
 			)
 
@@ -64,7 +65,11 @@ the key in the default key file "skey.json", and save the result to "my-ear.jwt"
 				return fmt.Errorf("parsing signing key from %q: %w", createSKey, err)
 			}
 
-			if arBytes, err = ar.Sign(jwa.KeyAlgorithmFrom(createAlg), sigK); err != nil {
+			if alg, err = jwa.KeyAlgorithmFrom(createAlg); err != nil {
+				return fmt.Errorf("parsing algorithm from %q: %w", createAlg, err)
+			}
+
+			if arBytes, err = ar.Sign(alg, sigK); err != nil {
 				return fmt.Errorf("signing EAR: %w", err)
 			}
 

arc/cmd/create_test.go

@@ -66,7 +66,7 @@ func Test_CreateCmd_skey_file_bad_format(t *testing.T) {
 	}
 	cmd.SetArgs(args)
 
-	expectedErr := `parsing signing key from "empty-skey.json": failed to unmarshal JSON into key hint: EOF`
+	expectedErr := `parsing signing key from "empty-skey.json": jwk.Parse: failed to probe data: probe: failed to unmarshal data: EOF`
 
 	err := cmd.Execute()
 	assert.EqualError(t, err, expectedErr)
@@ -89,7 +89,7 @@ func Test_CreateCmd_skey_not_ok_for_signing(t *testing.T) {
 	}
 	cmd.SetArgs(args)
 
-	expectedErr := `failed to generate signature for signer #0 (alg=ES256): failed to sign payload: failed to retrieve ecdsa.PrivateKey out of *jwk.ecdsaPublicKey: failed to produce ecdsa.PrivateKey from *jwk.ecdsaPublicKey: argument to AssignIfCompatible() must be compatible with *ecdsa.PublicKey (was *ecdsa.PrivateKey)`
+	expectedErr := `invalid key type *jwk.ecdsaPublicKey. ecdsa.PrivateKey is required: keyconv: failed to produce ecdsa.PrivateKey from *jwk.ecdsaPublicKey`
 
 	err := cmd.Execute()
 	assert.ErrorContains(t, err, expectedErr)
@@ -154,7 +154,7 @@ func Test_CreateCmd_unknown_signing_alg(t *testing.T) {
 	}
 	cmd.SetArgs(args)
 
-	expectedErr := `expected algorithm to be of type jwa.SignatureAlgorithm but got ("XYZ", jwa.InvalidKeyAlgorithm)`
+	expectedErr := `invalid key value: "XYZ": invalid key algorithm`
 
 	err := cmd.Execute()
 	assert.ErrorContains(t, err, expectedErr)

arc/cmd/verify.go

@@ -6,8 +6,8 @@ import (
 	"errors"
 	"fmt"
 
-	"github.com/lestrrat-go/jwx/v2/jwa"
-	"github.com/lestrrat-go/jwx/v2/jwk"
+	"github.com/lestrrat-go/jwx/v3/jwa"
+	"github.com/lestrrat-go/jwx/v3/jwk"
 	"github.com/spf13/afero"
 	"github.com/spf13/cobra"
 	"github.com/veraison/ear"
@@ -40,6 +40,7 @@ embedded EAR claims-set and present a report of the trustworthiness vector.
 				claimsSet, pKey, arBytes []byte
 				vfyK                     jwk.Key
 				ar                       ear.AttestationResult
+				alg                      jwa.KeyAlgorithm
 				err                      error
 			)
 
@@ -62,7 +63,11 @@ embedded EAR claims-set and present a report of the trustworthiness vector.
 				return fmt.Errorf("parsing verification key from %q: %w", verifyPKey, err)
 			}
 
-			if err = ar.Verify(arBytes, jwa.KeyAlgorithmFrom(verifyAlg), vfyK); err != nil {
+			if alg, err = jwa.KeyAlgorithmFrom(verifyAlg); err != nil {
+				return fmt.Errorf("parsing algorithm from %q: %w", verifyAlg, err)
+			}
+
+			if err = ar.Verify(arBytes, alg, vfyK); err != nil {
 				return fmt.Errorf("verifying signed EAR from %s: %w", verifyInput, err)
 			}
 

arc/cmd/verify_test.go

@@ -64,29 +64,7 @@ func Test_VerifyCmd_pkey_file_bad_format(t *testing.T) {
 	}
 	cmd.SetArgs(args)
 
-	expectedErr := `parsing verification key from "empty-pkey.json": failed to unmarshal JSON into key hint: EOF`
-
-	err := cmd.Execute()
-	assert.EqualError(t, err, expectedErr)
-}
-
-func Test_VerifyCmd_skey_not_ok_for_verifying(t *testing.T) {
-	cmd := NewVerifyCmd()
-
-	files := []fileEntry{
-		{"ear.jwt", testJWT},
-		{"skey.json", testSKey},
-	}
-	makeFS(t, files)
-
-	args := []string{
-		"--pkey=skey.json",
-		"--alg=ES256",
-		"ear.jwt",
-	}
-	cmd.SetArgs(args)
-
-	expectedErr := `verifying signed EAR from ear.jwt: failed verifying JWT message: could not verify message using any of the signatures or keys`
+	expectedErr := `parsing verification key from "empty-pkey.json": jwk.Parse: failed to probe data: probe: failed to unmarshal data: EOF`
 
 	err := cmd.Execute()
 	assert.EqualError(t, err, expectedErr)
@@ -129,7 +107,7 @@ func Test_VerifyCmd_input_file_bad_format(t *testing.T) {
 	}
 	cmd.SetArgs(args)
 
-	expectedErr := `verifying signed EAR from ear.jwt: failed verifying JWT message: failed to parse jws: invalid byte sequence`
+	expectedErr := `verifying signed EAR from ear.jwt: failed verifying JWT message: jwt.Parse: failed to parse token: jwt.verifyFast: failed to split compact: jwsbb: invalid number of segments`
 
 	err := cmd.Execute()
 	assert.EqualError(t, err, expectedErr)
@@ -151,7 +129,7 @@ func Test_VerifyCmd_unknown_verification_alg(t *testing.T) {
 	}
 	cmd.SetArgs(args)
 
-	expectedErr := `verifying signed EAR from ear.jwt: failed verifying JWT message: WithKey() option must be specified using jwa.SignatureAlgorithm (got jwa.InvalidKeyAlgorithm)`
+	expectedErr := `parsing algorithm from "XYZ": invalid key value: "XYZ": invalid key algorithm`
 
 	err := cmd.Execute()
 	assert.EqualError(t, err, expectedErr)