Merge pull request #96 from safing/feature/checksums

Add support for embedded text, json and yaml checksums

.github/workflows/go.yml

@@ -15,23 +15,24 @@ jobs:
     name: Linter
     runs-on: ubuntu-latest
     steps:
-    - name: Check out code into the Go module directory
+    - name: Check out code
       uses: actions/checkout@v3
 
-    - uses: actions/setup-go@v3
+    - name: Setup Go
+      uses: actions/setup-go@v4
       with:
         go-version: '^1.19'
 
+    - name: Get dependencies
+      run: go mod download
+
     - name: Run golangci-lint
       uses: golangci/golangci-lint-action@v3
       with:
-        version: v1.49.0
+        version: v1.52.2
         only-new-issues: true
         args: -c ./.golangci.yml --timeout 15m
 
-    - name: Get dependencies
-      run: go mod download
-
     - name: Run go vet
       run: go vet ./...
 
@@ -43,7 +44,7 @@ jobs:
       uses: actions/checkout@v3
 
     - name: Setup Go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v4
       with:
         go-version: '^1.19'
 

.golangci.yml

@@ -7,6 +7,7 @@ linters:
     - containedctx
     - contextcheck
     - cyclop
+    - depguard
     - exhaustivestruct
     - exhaustruct
     - forbidigo
@@ -22,6 +23,7 @@ linters:
     - interfacer
     - ireturn
     - lll
+    - musttag
     - nestif
     - nilnil
     - nlreturn

cmd/cmd-checksum.go

@@ -0,0 +1,111 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/spf13/cobra"
+
+	"github.com/safing/jess/filesig"
+)
+
+func init() {
+	rootCmd.AddCommand(checksum)
+	checksum.AddCommand(checksumAdd)
+	checksum.AddCommand(checksumVerify)
+}
+
+var (
+	checksum = &cobra.Command{
+		Use:   "checksum",
+		Short: "add or verify embedded checksums",
+	}
+
+	checksumAddUsage = "usage: checksum add <file>"
+	checksumAdd      = &cobra.Command{
+		Use:   "add <file>",
+		Short: "add an embedded checksum to a file",
+		Long:  "add an embedded checksum to a file (support file types: txt, json, yaml)",
+		RunE:  handleChecksumAdd,
+	}
+
+	checksumVerifyUsage = "usage: checksum verify <file>"
+	checksumVerify      = &cobra.Command{
+		Use:   "verify <file>",
+		Short: "verify the embedded checksum of a file",
+		Long:  "verify the embedded checksum of a file (support file types: txt, json, yaml)",
+		RunE:  handleChecksumVerify,
+	}
+)
+
+func handleChecksumAdd(cmd *cobra.Command, args []string) error {
+	// Check args.
+	if len(args) != 1 {
+		return errors.New(checksumAddUsage)
+	}
+	filename := args[0]
+
+	data, err := os.ReadFile(filename)
+	if err != nil {
+		return fmt.Errorf("failed to read file: %w", err)
+	}
+
+	switch filepath.Ext(filename) {
+	case ".json":
+		data, err = filesig.AddJSONChecksum(data)
+	case ".yml", ".yaml":
+		data, err = filesig.AddYAMLChecksum(data, filesig.TextPlacementAfterComment)
+	case ".txt":
+		data, err = filesig.AddTextFileChecksum(data, "#", filesig.TextPlacementAfterComment)
+	default:
+		return errors.New("unsupported file format")
+	}
+	if err != nil {
+		return err
+	}
+
+	// Write back to disk.
+	fileInfo, err := os.Stat(filename)
+	if err != nil {
+		return fmt.Errorf("failed to stat file: %w", err)
+	}
+	err = os.WriteFile(filename, data, fileInfo.Mode().Perm())
+	if err != nil {
+		return fmt.Errorf("failed to write back file with checksum: %w", err)
+	}
+
+	fmt.Println("checksum added")
+	return nil
+}
+
+func handleChecksumVerify(cmd *cobra.Command, args []string) error {
+	// Check args.
+	if len(args) != 1 {
+		return errors.New(checksumVerifyUsage)
+	}
+	filename := args[0]
+
+	data, err := os.ReadFile(filename)
+	if err != nil {
+		return fmt.Errorf("failed to read file: %w", err)
+	}
+
+	switch filepath.Ext(filename) {
+	case ".json":
+		err = filesig.VerifyJSONChecksum(data)
+	case ".yml", ".yaml":
+		err = filesig.VerifyYAMLChecksum(data)
+	case ".txt":
+		err = filesig.VerifyTextFileChecksum(data, "#")
+	default:
+		return errors.New("unsupported file format")
+	}
+	if err != nil {
+		return err
+	}
+
+	fmt.Println("checksum verified")
+	return nil
+}

core.go

@@ -304,7 +304,7 @@ func (s *Session) Open(letter *Letter) ([]byte, error) { //nolint:gocognit,gocyc
 	for i := len(s.integratedCiphers) - 1; i >= 0; i-- {
 		data, err = s.integratedCiphers[i].AuthenticatedDecrypt(data, associatedData)
 		if err != nil {
-			return nil, fmt.Errorf("%w: [%s] %s", ErrIntegrityViolation, s.integratedCiphers[i].Info().Name, err)
+			return nil, fmt.Errorf("%w: [%s] %w", ErrIntegrityViolation, s.integratedCiphers[i].Info().Name, err)
 		}
 	}
 
@@ -312,7 +312,7 @@ func (s *Session) Open(letter *Letter) ([]byte, error) { //nolint:gocognit,gocyc
 	for i := len(s.ciphers) - 1; i >= 0; i-- {
 		data, err = s.ciphers[i].Decrypt(data)
 		if err != nil {
-			return nil, fmt.Errorf("%w: decryption failed: [%s] %s", ErrIntegrityViolation, s.ciphers[i].Info().Name, err)
+			return nil, fmt.Errorf("%w: decryption failed: [%s] %w", ErrIntegrityViolation, s.ciphers[i].Info().Name, err)
 		}
 	}
 

core_test.go

@@ -19,7 +19,7 @@ const (
 	Qui voluptates quod omnis rerum. Soluta dolore quia eius quo similique accusamus. Quisquam fugiat sed voluptatibus eos earum sed. Numquam quia at commodi aut esse ducimus enim.
 	Enim nihil architecto architecto. Reprehenderit at assumenda labore. Et ut sed ut inventore tenetur autem. Iusto et neque ab dolores eum. Praesentium amet sint ut voluptate impedit sit.
 	A accusantium ullam voluptatibus. Adipisci architecto minus dolore tenetur eos. Id illum quo neque laborum numquam laborum animi libero.
-	Debitis voluptatem non aut ex. Et et quis qui aut aut fugit accusantium. Est dolor quia accusantium culpa.
+	Debitis voluptatem non aut ex. Et et quis qui aut fugit accusantium. Est dolor quia accusantium culpa.
 	Facere iste dolor a qui. Earum aut facilis maxime repudiandae magnam. Laborum illum distinctio quo libero corrupti maxime. Eum nam officiis culpa nobis.
 	Et repellat qui ut quaerat error explicabo. Distinctio repudiandae sit dolores nam at. Suscipit aliquam alias ullam id.`
 

filesig/json.go

@@ -0,0 +1,197 @@
+package filesig
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/tidwall/gjson"
+	"github.com/tidwall/pretty"
+	"github.com/tidwall/sjson"
+	"golang.org/x/exp/slices"
+
+	"github.com/safing/jess/lhash"
+)
+
+// JSON file metadata keys.
+const (
+	JSONKeyPrefix    = "_jess-"
+	JSONChecksumKey  = JSONKeyPrefix + "checksum"
+	JSONSignatureKey = JSONKeyPrefix + "signature"
+)
+
+// AddJSONChecksum adds a checksum to a text file.
+func AddJSONChecksum(data []byte) ([]byte, error) {
+	// Extract content and metadata from json.
+	content, checksums, signatures, err := jsonSplit(data)
+	if err != nil {
+		return nil, err
+	}
+
+	// Calculate checksum.
+	h := lhash.BLAKE2b_256.Digest(content)
+	checksums = append(checksums, h.Base58())
+
+	// Sort and deduplicate checksums and sigs.
+	slices.Sort[[]string, string](checksums)
+	checksums = slices.Compact[[]string, string](checksums)
+	slices.Sort[[]string, string](signatures)
+	signatures = slices.Compact[[]string, string](signatures)
+
+	// Add metadata and return.
+	return jsonAddMeta(content, checksums, signatures)
+}
+
+// VerifyJSONChecksum checks a checksum in a text file.
+func VerifyJSONChecksum(data []byte) error {
+	// Extract content and metadata from json.
+	content, checksums, _, err := jsonSplit(data)
+	if err != nil {
+		return err
+	}
+
+	// Verify all checksums.
+	var checksumsVerified int
+	for _, checksum := range checksums {
+		// Parse checksum.
+		h, err := lhash.FromBase58(checksum)
+		if err != nil {
+			return fmt.Errorf("%w: failed to parse labeled hash: %w", ErrChecksumFailed, err)
+		}
+		// Verify checksum.
+		if !h.Matches(content) {
+			return ErrChecksumFailed
+		}
+		checksumsVerified++
+	}
+
+	// Fail when no checksums were verified.
+	if checksumsVerified == 0 {
+		return ErrChecksumMissing
+	}
+
+	return nil
+}
+
+func jsonSplit(data []byte) (
+	content []byte,
+	checksums []string,
+	signatures []string,
+	err error,
+) {
+	// Check json.
+	if !gjson.ValidBytes(data) {
+		return nil, nil, nil, errors.New("invalid json")
+	}
+	content = data
+
+	// Get checksums.
+	result := gjson.GetBytes(content, JSONChecksumKey)
+	if result.Exists() {
+		if result.IsArray() {
+			array := result.Array()
+			checksums = make([]string, 0, len(array))
+			for _, result := range array {
+				if result.Type == gjson.String {
+					checksums = append(checksums, result.String())
+				}
+			}
+		} else if result.Type == gjson.String {
+			checksums = []string{result.String()}
+		}
+
+		// Delete key.
+		content, err = sjson.DeleteBytes(content, JSONChecksumKey)
+		if err != nil {
+			return nil, nil, nil, err
+		}
+	}
+
+	// Get signatures.
+	result = gjson.GetBytes(content, JSONSignatureKey)
+	if result.Exists() {
+		if result.IsArray() {
+			array := result.Array()
+			signatures = make([]string, 0, len(array))
+			for _, result := range array {
+				if result.Type == gjson.String {
+					signatures = append(signatures, result.String())
+				}
+			}
+		} else if result.Type == gjson.String {
+			signatures = []string{result.String()}
+		}
+
+		// Delete key.
+		content, err = sjson.DeleteBytes(content, JSONSignatureKey)
+		if err != nil {
+			return nil, nil, nil, err
+		}
+	}
+
+	// Format for reproducible checksums and signatures.
+	content = pretty.PrettyOptions(content, &pretty.Options{
+		Width:    200,  // Must not change!
+		Prefix:   "",   // Must not change!
+		Indent:   " ",  // Must not change!
+		SortKeys: true, // Must not change!
+	})
+
+	return content, checksums, signatures, nil
+}
+
+func jsonAddMeta(data []byte, checksums, signatures []string) ([]byte, error) {
+	var (
+		err  error
+		opts = &sjson.Options{
+			ReplaceInPlace: true,
+		}
+	)
+
+	// Add checksums.
+	switch len(checksums) {
+	case 0:
+		// Skip
+	case 1:
+		// Add single checksum.
+		data, err = sjson.SetBytesOptions(
+			data, JSONChecksumKey, checksums[0], opts,
+		)
+	default:
+		// Add multiple checksums.
+		data, err = sjson.SetBytesOptions(
+			data, JSONChecksumKey, checksums, opts,
+		)
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	// Add signatures.
+	switch len(signatures) {
+	case 0:
+		// Skip
+	case 1:
+		// Add single signature.
+		data, err = sjson.SetBytesOptions(
+			data, JSONSignatureKey, signatures[0], opts,
+		)
+	default:
+		// Add multiple signatures.
+		data, err = sjson.SetBytesOptions(
+			data, JSONSignatureKey, signatures, opts,
+		)
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	// Final pretty print.
+	data = pretty.PrettyOptions(data, &pretty.Options{
+		Width:    200,  // Must not change!
+		Prefix:   "",   // Must not change!
+		Indent:   " ",  // Must not change!
+		SortKeys: true, // Must not change!
+	})
+
+	return data, nil
+}

filesig/json_test.go

@@ -0,0 +1,119 @@
+package filesig
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestJSONChecksums(t *testing.T) {
+	t.Parallel()
+
+	// Base test text file.
+	json := `{"a": "b", "c": 1}`
+
+	// Test with checksum after comment.
+
+	jsonWithChecksum := `{
+ "_jess-checksum": "ZwtAd75qvioh6uf1NAq64KRgTbqeehFVYmhLmrwu1s7xJo",
+ "a": "b",
+ "c": 1
+}
+`
+
+	testJSONWithChecksum, err := AddJSONChecksum([]byte(json))
+	assert.NoError(t, err, "should be able to add checksum")
+	assert.Equal(t, jsonWithChecksum, string(testJSONWithChecksum), "should match")
+	assert.NoError(t,
+		VerifyJSONChecksum(testJSONWithChecksum),
+		"checksum should be correct",
+	)
+
+	jsonWithChecksum = `{
+	"c": 1,     "a":"b",
+		"_jess-checksum": "ZwtAd75qvioh6uf1NAq64KRgTbqeehFVYmhLmrwu1s7xJo"
+	}`
+	assert.NoError(t,
+		VerifyJSONChecksum([]byte(jsonWithChecksum)),
+		"checksum should be correct",
+	)
+
+	jsonWithMultiChecksum := `{
+		"_jess-checksum": [
+			"PTV7S3Ca81aRk2kdNw7q2RfjLfEdPPT5Px5d211nhZedZC",
+			"PTV7S3Ca81aRk2kdNw7q2RfjLfEdPPT5Px5d211nhZedZC",
+			"CyDGH55DZUwa556DiYztMXaKZVBDjzWeFETiGmABMbvC3V"
+		],
+		"a": "b",
+		"c": 1
+	 }
+	 `
+	assert.NoError(t,
+		VerifyJSONChecksum([]byte(jsonWithMultiChecksum)),
+		"checksum should be correct",
+	)
+
+	jsonWithMultiChecksumOutput := `{
+ "_jess-checksum": ["CyDGH55DZUwa556DiYztMXaKZVBDjzWeFETiGmABMbvC3V", "PTV7S3Ca81aRk2kdNw7q2RfjLfEdPPT5Px5d211nhZedZC", "ZwtAd75qvioh6uf1NAq64KRgTbqeehFVYmhLmrwu1s7xJo"],
+ "a": "b",
+ "c": 1
+}
+`
+
+	testJSONWithMultiChecksum, err := AddJSONChecksum([]byte(jsonWithMultiChecksum))
+	assert.NoError(t, err, "should be able to add checksum")
+	assert.Equal(t, jsonWithMultiChecksumOutput, string(testJSONWithMultiChecksum), "should match")
+	assert.NoError(t,
+		VerifyJSONChecksum(testJSONWithMultiChecksum),
+		"checksum should be correct",
+	)
+
+	// 	// Test with multiple checksums.
+
+	// 	textWithMultiChecksum := `# jess-checksum: PTNktssvYCYjZXLFL2QoBk7DYoSz1qF7DJd5XNvtptd41B
+	// #!/bin/bash
+	// # Initial
+	// # Comment
+	// # Block
+	// # jess-checksum: Cy2TyVDjEStUqX3wCzCCKTfy228KaQK25ZDbHNmKiF8SPf
+
+	// do_something()
+
+	// # jess-checksum: YdgJFzuvFduk1MwRjZ2JkWQ6tCE1wkjn9xubSggKAdJSX5
+	// `
+	// 	assert.NoError(t,
+	// 		VerifyTextFileChecksum([]byte(textWithMultiChecksum), "#"),
+	// 		"checksum should be correct",
+	// 	)
+
+	// 	textWithMultiChecksumOutput := `#!/bin/bash
+	// # Initial
+	// # Comment
+	// # Block
+	// # jess-checksum: Cy2TyVDjEStUqX3wCzCCKTfy228KaQK25ZDbHNmKiF8SPf
+	// # jess-checksum: PTNktssvYCYjZXLFL2QoBk7DYoSz1qF7DJd5XNvtptd41B
+	// # jess-checksum: YdgJFzuvFduk1MwRjZ2JkWQ6tCE1wkjn9xubSggKAdJSX5
+	// # jess-checksum: ZwngYUfUBeUn99HSdrNxkWSNjqrgZuSpVrexeEYttBso5o
+
+	// do_something()
+	// `
+	// 	testTextWithMultiChecksumOutput, err := AddTextFileChecksum([]byte(textWithMultiChecksum), "#", AfterComment)
+	// 	assert.NoError(t, err, "should be able to add checksum")
+	// 	assert.Equal(t, textWithMultiChecksumOutput, string(testTextWithMultiChecksumOutput), "should match")
+
+	// 	// Test failing checksums.
+
+	// 	textWithFailingChecksums := `#!/bin/bash
+	// # Initial
+	// # Comment
+	// # Block
+	// # jess-checksum: Cy2TyVDjEStUqX3wCzCCKTfy228KaQK25ZDbHNmKiF8SPf
+	// # jess-checksum: PTNktssvYCYjZXLFL2QoBk7DYoSz1qF7DJd5XNvtptd41B
+	// # jess-checksum: YdgJFzuvFduk1MwRjZ2JkWQ6tCE1wkjn9xubSggKAdJSX5
+	// # jess-checksum: ZwngYUfUBeUn99HSdrNxkWSNjaaaaaaaaaaaaaaaaaaaaa
+
+	// do_something()
+	// `
+	//
+	//	assert.Error(t, VerifyTextFileChecksum([]byte(textWithFailingChecksums), "#"), "should fail")
+}

filesig/text.go

@@ -0,0 +1,232 @@
+package filesig
+
+import (
+	"bufio"
+	"bytes"
+	"errors"
+	"fmt"
+	"io"
+	"strings"
+
+	"golang.org/x/exp/slices"
+
+	"github.com/safing/jess/lhash"
+)
+
+// Text file metadata keys.
+const (
+	TextKeyPrefix    = "jess-"
+	TextChecksumKey  = TextKeyPrefix + "checksum"
+	TextSignatureKey = TextKeyPrefix + "signature"
+)
+
+// Text Operation Errors.
+var (
+	ErrChecksumMissing  = errors.New("no checksum found")
+	ErrChecksumFailed   = errors.New("checksum does not match")
+	ErrSignatureMissing = errors.New("signature not found")
+	ErrSignatureFailed  = errors.New("signature does not match")
+)
+
+// TextPlacement signifies where jess metadata is put in text files.
+type TextPlacement string
+
+const (
+	// TextPlacementTop places the metadata at end of file.
+	TextPlacementTop TextPlacement = "top"
+	// TextPlacementBottom places the metadata at end of file.
+	TextPlacementBottom TextPlacement = "bottom"
+	// TextPlacementAfterComment places the metadata at end of the top comment
+	// block, or at the top, if the first line is not a comment.
+	TextPlacementAfterComment TextPlacement = "after-comment"
+
+	defaultMetaPlacement = TextPlacementAfterComment
+)
+
+// AddTextFileChecksum adds a checksum to a text file.
+func AddTextFileChecksum(data []byte, commentSign string, placement TextPlacement) ([]byte, error) {
+	// Split text file into content and jess metadata lines.
+	content, metaLines, err := textSplit(data, commentSign)
+	if err != nil {
+		return nil, err
+	}
+
+	// Calculate checksum.
+	h := lhash.BLAKE2b_256.Digest(content)
+	metaLines = append(metaLines, TextChecksumKey+": "+h.Base58())
+
+	// Sort and deduplicate meta lines.
+	slices.Sort[[]string, string](metaLines)
+	metaLines = slices.Compact[[]string, string](metaLines)
+
+	// Add meta lines and return.
+	return textAddMeta(content, metaLines, commentSign, placement)
+}
+
+// VerifyTextFileChecksum checks a checksum in a text file.
+func VerifyTextFileChecksum(data []byte, commentSign string) error {
+	// Split text file into content and jess metadata lines.
+	content, metaLines, err := textSplit(data, commentSign)
+	if err != nil {
+		return err
+	}
+
+	// Verify all checksums.
+	var checksumsVerified int
+	for _, line := range metaLines {
+		if strings.HasPrefix(line, TextChecksumKey) {
+			// Clean key, delimiters and space.
+			line = strings.TrimPrefix(line, TextChecksumKey)
+			line = strings.TrimSpace(line)   // Spaces and newlines.
+			line = strings.Trim(line, ":= ") // Delimiters and spaces.
+			// Parse checksum.
+			h, err := lhash.FromBase58(line)
+			if err != nil {
+				return fmt.Errorf("%w: failed to parse labeled hash: %w", ErrChecksumFailed, err)
+			}
+			// Verify checksum.
+			if !h.Matches(content) {
+				return ErrChecksumFailed
+			}
+			checksumsVerified++
+		}
+	}
+
+	// Fail when no checksums were verified.
+	if checksumsVerified == 0 {
+		return ErrChecksumMissing
+	}
+
+	return nil
+}
+
+func textSplit(data []byte, commentSign string) (content []byte, metaLines []string, err error) {
+	metaLinePrefix := commentSign + " " + TextKeyPrefix
+	contentBuf := bytes.NewBuffer(make([]byte, 0, len(data)))
+	metaLines = make([]string, 0, 1)
+
+	// Find jess metadata lines.
+	s := bufio.NewScanner(bytes.NewReader(data))
+	s.Split(scanRawLines)
+	for s.Scan() {
+		if strings.HasPrefix(s.Text(), metaLinePrefix) {
+			metaLines = append(metaLines, strings.TrimSpace(strings.TrimPrefix(s.Text(), commentSign)))
+		} else {
+			_, _ = contentBuf.Write(s.Bytes())
+		}
+	}
+	if s.Err() != nil {
+		return nil, nil, s.Err()
+	}
+
+	return bytes.TrimSpace(contentBuf.Bytes()), metaLines, nil
+}
+
+func detectLineEndFormat(data []byte) (lineEnd string) {
+	i := bytes.IndexByte(data, '\n')
+	switch i {
+	case -1:
+		// Default to just newline.
+		return "\n"
+	case 0:
+		// File start with a newline.
+		return "\n"
+	default:
+		// First newline is at second byte or later.
+		if bytes.Equal(data[i-1:i+1], []byte("\r\n")) {
+			return "\r\n"
+		}
+		return "\n"
+	}
+}
+
+func textAddMeta(data []byte, metaLines []string, commentSign string, position TextPlacement) ([]byte, error) {
+	// Prepare new buffer.
+	requiredSize := len(data)
+	for _, line := range metaLines {
+		requiredSize += len(line) + len(commentSign) + 3 // space + CRLF
+	}
+	contentBuf := bytes.NewBuffer(make([]byte, 0, requiredSize))
+
+	// Find line ending.
+	lineEnd := detectLineEndFormat(data)
+
+	// Find jess metadata lines.
+	if position == "" {
+		position = defaultMetaPlacement
+	}
+
+	switch position {
+	case TextPlacementTop:
+		textWriteMetaLines(metaLines, commentSign, lineEnd, contentBuf)
+		contentBuf.Write(data)
+		// Add final newline.
+		contentBuf.WriteString(lineEnd)
+
+	case TextPlacementBottom:
+		contentBuf.Write(data)
+		// Add to newlines when appending, as content is first whitespace-stripped.
+		contentBuf.WriteString(lineEnd)
+		contentBuf.WriteString(lineEnd)
+		textWriteMetaLines(metaLines, commentSign, lineEnd, contentBuf)
+
+	case TextPlacementAfterComment:
+		metaWritten := false
+		s := bufio.NewScanner(bytes.NewReader(data))
+		s.Split(scanRawLines)
+		for s.Scan() {
+			switch {
+			case metaWritten:
+				_, _ = contentBuf.Write(s.Bytes())
+			case strings.HasPrefix(s.Text(), commentSign):
+				_, _ = contentBuf.Write(s.Bytes())
+			default:
+				textWriteMetaLines(metaLines, commentSign, lineEnd, contentBuf)
+				metaWritten = true
+				_, _ = contentBuf.Write(s.Bytes())
+			}
+		}
+		if s.Err() != nil {
+			return nil, s.Err()
+		}
+		// If we have scanned through the file, and meta was not written, write it now.
+		if !metaWritten {
+			textWriteMetaLines(metaLines, commentSign, lineEnd, contentBuf)
+		}
+		// Add final newline.
+		contentBuf.WriteString(lineEnd)
+	}
+
+	return contentBuf.Bytes(), nil
+}
+
+func textWriteMetaLines(metaLines []string, commentSign string, lineEnd string, writer io.StringWriter) {
+	for _, line := range metaLines {
+		_, _ = writer.WriteString(commentSign)
+		_, _ = writer.WriteString(" ")
+		_, _ = writer.WriteString(line)
+		_, _ = writer.WriteString(lineEnd)
+	}
+}
+
+// scanRawLines is a split function for a Scanner that returns each line of
+// text, including any trailing end-of-line marker. The returned line may
+// be empty. The end-of-line marker is one optional carriage return followed
+// by one mandatory newline. In regular expression notation, it is `\r?\n`.
+// The last non-empty line of input will be returned even if it has no
+// newline.
+func scanRawLines(data []byte, atEOF bool) (advance int, token []byte, err error) {
+	if atEOF && len(data) == 0 {
+		return 0, nil, nil
+	}
+	if i := bytes.IndexByte(data, '\n'); i >= 0 {
+		// We have a full newline-terminated line.
+		return i + 1, data[0 : i+1], nil
+	}
+	// If we're at EOF, we have a final, non-terminated line. Return it.
+	if atEOF {
+		return len(data), data, nil
+	}
+	// Request more data.
+	return 0, nil, nil
+}

filesig/text_test.go

@@ -0,0 +1,179 @@
+package filesig
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestTextChecksums(t *testing.T) {
+	t.Parallel()
+
+	// Base test text file.
+	text := `#!/bin/bash
+# Initial
+# Comment
+# Block
+
+do_something()`
+
+	// Test with checksum after comment.
+
+	textWithChecksumAfterComment := `#!/bin/bash
+# Initial
+# Comment
+# Block
+# jess-checksum: ZwngYUfUBeUn99HSdrNxkWSNjqrgZuSpVrexeEYttBso5o
+
+do_something()
+`
+
+	testTextWithChecksumAfterComment, err := AddTextFileChecksum([]byte(text), "#", TextPlacementAfterComment)
+	assert.NoError(t, err, "should be able to add checksum")
+	assert.Equal(t, textWithChecksumAfterComment, string(testTextWithChecksumAfterComment), "should match")
+	assert.NoError(t,
+		VerifyTextFileChecksum(testTextWithChecksumAfterComment, "#"),
+		"checksum should be correct",
+	)
+	assert.NoError(t,
+		VerifyTextFileChecksum(append(
+			[]byte("\n\n  \r\n"),
+			testTextWithChecksumAfterComment...,
+		), "#"),
+		"checksum should be correct",
+	)
+	assert.NoError(t,
+		VerifyTextFileChecksum(append(
+			testTextWithChecksumAfterComment,
+			[]byte("\r\n \n \n")...,
+		), "#"),
+		"checksum should be correct",
+	)
+
+	// Test with checksum at top.
+
+	textWithChecksumAtTop := `# jess-checksum: ZwngYUfUBeUn99HSdrNxkWSNjqrgZuSpVrexeEYttBso5o
+#!/bin/bash
+# Initial
+# Comment
+# Block
+
+do_something()
+`
+
+	testTextWithChecksumAtTop, err := AddTextFileChecksum([]byte(text), "#", TextPlacementTop)
+	assert.NoError(t, err, "should be able to add checksum")
+	assert.Equal(t, textWithChecksumAtTop, string(testTextWithChecksumAtTop), "should match")
+	assert.NoError(t,
+		VerifyTextFileChecksum(testTextWithChecksumAtTop, "#"),
+		"checksum should be correct",
+	)
+
+	// Test with checksum at bottom.
+
+	textWithChecksumAtBottom := `#!/bin/bash
+# Initial
+# Comment
+# Block
+
+do_something()
+
+# jess-checksum: ZwngYUfUBeUn99HSdrNxkWSNjqrgZuSpVrexeEYttBso5o
+`
+
+	testTextWithChecksumAtBottom, err := AddTextFileChecksum([]byte(text), "#", TextPlacementBottom)
+	assert.NoError(t, err, "should be able to add checksum")
+	assert.Equal(t, textWithChecksumAtBottom, string(testTextWithChecksumAtBottom), "should match")
+	assert.NoError(t,
+		VerifyTextFileChecksum(testTextWithChecksumAtBottom, "#"),
+		"checksum should be correct",
+	)
+
+	// Test with multiple checksums.
+
+	textWithMultiChecksum := `# jess-checksum: PTNktssvYCYjZXLFL2QoBk7DYoSz1qF7DJd5XNvtptd41B
+#!/bin/bash
+# Initial
+# Comment
+# Block
+# jess-checksum: Cy2TyVDjEStUqX3wCzCCKTfy228KaQK25ZDbHNmKiF8SPf
+
+do_something()
+
+# jess-checksum: YdgJFzuvFduk1MwRjZ2JkWQ6tCE1wkjn9xubSggKAdJSX5
+`
+	assert.NoError(t,
+		VerifyTextFileChecksum([]byte(textWithMultiChecksum), "#"),
+		"checksum should be correct",
+	)
+
+	textWithMultiChecksumOutput := `#!/bin/bash
+# Initial
+# Comment
+# Block
+# jess-checksum: Cy2TyVDjEStUqX3wCzCCKTfy228KaQK25ZDbHNmKiF8SPf
+# jess-checksum: PTNktssvYCYjZXLFL2QoBk7DYoSz1qF7DJd5XNvtptd41B
+# jess-checksum: YdgJFzuvFduk1MwRjZ2JkWQ6tCE1wkjn9xubSggKAdJSX5
+# jess-checksum: ZwngYUfUBeUn99HSdrNxkWSNjqrgZuSpVrexeEYttBso5o
+
+do_something()
+`
+	testTextWithMultiChecksumOutput, err := AddTextFileChecksum([]byte(textWithMultiChecksum), "#", TextPlacementAfterComment)
+	assert.NoError(t, err, "should be able to add checksum")
+	assert.Equal(t, textWithMultiChecksumOutput, string(testTextWithMultiChecksumOutput), "should match")
+
+	// Test failing checksums.
+
+	textWithFailingChecksums := `#!/bin/bash
+# Initial
+# Comment
+# Block
+# jess-checksum: Cy2TyVDjEStUqX3wCzCCKTfy228KaQK25ZDbHNmKiF8SPf
+# jess-checksum: PTNktssvYCYjZXLFL2QoBk7DYoSz1qF7DJd5XNvtptd41B
+# jess-checksum: YdgJFzuvFduk1MwRjZ2JkWQ6tCE1wkjn9xubSggKAdJSX5
+# jess-checksum: ZwngYUfUBeUn99HSdrNxkWSNjaaaaaaaaaaaaaaaaaaaaa
+
+do_something()
+`
+	assert.Error(t, VerifyTextFileChecksum([]byte(textWithFailingChecksums), "#"), "should fail")
+}
+
+func TestLineEndDetection(t *testing.T) {
+	t.Parallel()
+
+	assert.Equal(t,
+		"\n",
+		detectLineEndFormat(nil),
+		"empty data should default to simple lf ending",
+	)
+	assert.Equal(t,
+		"\n",
+		detectLineEndFormat([]byte("\n")),
+		"shoud detect lf ending with empty first line",
+	)
+	assert.Equal(t,
+		"\r\n",
+		detectLineEndFormat([]byte("\r\n")),
+		"shoud detect crlf ending with empty first line",
+	)
+	assert.Equal(t,
+		"\n",
+		detectLineEndFormat([]byte("abc\n")),
+		"shoud detect lf ending with data on single line",
+	)
+	assert.Equal(t,
+		"\r\n",
+		detectLineEndFormat([]byte("abc\r\n")),
+		"shoud detect crlf ending with data on single line",
+	)
+	assert.Equal(t,
+		"\n",
+		detectLineEndFormat([]byte("abc\nabc\r\n")),
+		"shoud detect lf ending with data on first line",
+	)
+	assert.Equal(t,
+		"\r\n",
+		detectLineEndFormat([]byte("abc\r\nabc\n")),
+		"shoud detect crlf ending with data on first line",
+	)
+}

filesig/text_yaml.go

@@ -0,0 +1,11 @@
+package filesig
+
+// AddYAMLChecksum adds a checksum to a yaml file.
+func AddYAMLChecksum(data []byte, placement TextPlacement) ([]byte, error) {
+	return AddTextFileChecksum(data, "#", placement)
+}
+
+// VerifyYAMLChecksum checks a checksum in a yaml file.
+func VerifyYAMLChecksum(data []byte) error {
+	return VerifyTextFileChecksum(data, "#")
+}

go.mod

@@ -1,16 +1,46 @@
 module github.com/safing/jess
 
-go 1.15
+go 1.20
 
 require (
-	github.com/AlecAivazis/survey/v2 v2.3.6
+	github.com/AlecAivazis/survey/v2 v2.3.7
 	github.com/aead/ecdh v0.2.0
 	github.com/mr-tron/base58 v1.2.0
-	github.com/safing/portbase v0.16.2
+	github.com/safing/portbase v0.18.5
 	github.com/satori/go.uuid v1.2.0
-	github.com/spf13/cobra v1.5.0
+	github.com/spf13/cobra v1.7.0
+	github.com/stretchr/testify v1.8.1
 	github.com/tevino/abool v1.2.0
-	github.com/zalando/go-keyring v0.2.1
-	golang.org/x/crypto v0.0.0-20221010152910-d6f0a8c073c2
-	golang.org/x/sys v0.0.0-20221010170243-090e33056c14 // indirect
+	github.com/tidwall/gjson v1.17.0
+	github.com/tidwall/pretty v1.2.1
+	github.com/tidwall/sjson v1.2.5
+	github.com/zalando/go-keyring v0.2.3
+	golang.org/x/crypto v0.14.0
+	golang.org/x/exp v0.0.0-20231006140011-7918f672742d
+)
+
+require (
+	github.com/alessio/shellescape v1.4.2 // indirect
+	github.com/danieljoos/wincred v1.2.0 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/fxamacker/cbor/v2 v2.5.0 // indirect
+	github.com/ghodss/yaml v1.0.0 // indirect
+	github.com/godbus/dbus/v5 v5.1.0 // indirect
+	github.com/gofrs/uuid v4.4.0+incompatible // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/tidwall/match v1.1.1 // indirect
+	github.com/vmihailenco/msgpack/v5 v5.4.0 // indirect
+	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	golang.org/x/sys v0.13.0 // indirect
+	golang.org/x/term v0.13.0 // indirect
+	golang.org/x/text v0.13.0 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -1,211 +1,126 @@
-github.com/AlecAivazis/survey/v2 v2.3.6 h1:NvTuVHISgTHEHeBFqt6BHOe4Ny/NwGZr7w+F8S9ziyw=
-github.com/AlecAivazis/survey/v2 v2.3.6/go.mod h1:4AuI9b7RjAR+G7v9+C4YSlX/YL3K3cWNXgWXOhllqvI=
-github.com/AndreasBriese/bbloom v0.0.0-20190825152654-46b345b51c96/go.mod h1:bOvUY6CB00SOBii9/FifXqc0awNKxLFCL/+pkDPuyl8=
-github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/AlecAivazis/survey/v2 v2.3.7 h1:6I/u8FvytdGsgonrYsVn2t8t4QiRnh6QSTqkkhIiSjQ=
+github.com/AlecAivazis/survey/v2 v2.3.7/go.mod h1:xUTIdE4KCOIjsBAE1JYsUPoCqYdZ1reCfTwbto0Fduo=
 github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2 h1:+vx7roKuyA63nhn5WAunQHLTznkw5W8b1Xc0dNjp83s=
 github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2/go.mod h1:HBCaDeC1lPdgDeDbhX8XFpy1jqjK0IBG8W5K+xYqA0w=
-github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
-github.com/VictoriaMetrics/metrics v1.22.2/go.mod h1:rAr/llLpEnAdTehiNlUxKgnjcOuROSzpw0GvjpEbvFc=
 github.com/aead/ecdh v0.2.0 h1:pYop54xVaq/CEREFEcukHRZfTdjiWvYIsZDXXrBapQQ=
 github.com/aead/ecdh v0.2.0/go.mod h1:a9HHtXuSo8J1Js1MwLQx2mBhkXMT6YwUmVVEY4tTB8U=
-github.com/aead/serpent v0.0.0-20160714141033-fba169763ea6/go.mod h1:3HgLJ9d18kXMLQlJvIY3+FszZYMxCz8WfE2MQ7hDY0w=
-github.com/alessio/shellescape v1.4.1 h1:V7yhSDDn8LP4lc4jS8pFkt0zCnzVJlG5JXy9BVKJUX0=
-github.com/alessio/shellescape v1.4.1/go.mod h1:PZAiSCk0LJaZkiCSkPv8qIobYglO3FPpyFjDCtHLS30=
-github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
-github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
-github.com/bluele/gcache v0.0.2/go.mod h1:m15KV+ECjptwSPxKhOhQoAFQVtUFjTVkc3H8o0t/fp0=
-github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
-github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
-github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
-github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
-github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
+github.com/alessio/shellescape v1.4.2 h1:MHPfaU+ddJ0/bYWpgIeUnQUqKrlJ1S7BfEYPM4uEoM0=
+github.com/alessio/shellescape v1.4.2/go.mod h1:PZAiSCk0LJaZkiCSkPv8qIobYglO3FPpyFjDCtHLS30=
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.17 h1:QeVUsEDNrLBW4tMgZHvxy18sKtr6VI492kBhUfhDJNI=
 github.com/creack/pty v1.1.17/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
-github.com/danieljoos/wincred v1.1.0/go.mod h1:XYlo+eRTsVA9aHGp7NGjFkPla4m+DCL7hqDjlFjiygg=
-github.com/danieljoos/wincred v1.1.2 h1:QLdCxFs1/Yl4zduvBdcHB8goaYk9RARS2SgLLRuAyr0=
-github.com/danieljoos/wincred v1.1.2/go.mod h1:GijpziifJoIBfYh+S7BbkdUTU4LfM+QnGqR5Vl2tAx0=
+github.com/danieljoos/wincred v1.2.0 h1:ozqKHaLK0W/ii4KVbbvluM91W2H3Sh0BncbUNPS7jLE=
+github.com/danieljoos/wincred v1.2.0/go.mod h1:FzQLLMKBFdvu+osBrnFODiv32YGwCfx0SkRa/eYHgec=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dgraph-io/badger v1.6.2/go.mod h1:JW2yswe3V058sS0kZ2h/AXeDSqFjxnZcRrVH//y2UQE=
-github.com/dgraph-io/ristretto v0.0.2/go.mod h1:KPxhHT9ZxKefz+PCeOGsrHpl1qZ7i70dGTu2u+Ahh6E=
-github.com/dgraph-io/ristretto v0.1.0/go.mod h1:fux0lOrBhrVCJd3lcTHsIJhq1T2rokOu6v9Vcb3Q9ug=
-github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw=
-github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
-github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/fxamacker/cbor/v2 v2.4.0 h1:ri0ArlOR+5XunOP8CRUowT0pSJOwhW098ZCUyskZD88=
-github.com/fxamacker/cbor/v2 v2.4.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo=
-github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
-github.com/godbus/dbus/v5 v5.0.6/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/fxamacker/cbor/v2 v2.5.0 h1:oHsG0V/Q6E/wqTS2O1Cozzsy69nqCiguo5Q1a1ADivE=
+github.com/fxamacker/cbor/v2 v2.5.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo=
+github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
+github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
 github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-github.com/gofrs/uuid v4.2.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
-github.com/gofrs/uuid v4.3.0+incompatible h1:CaSVZxm5B+7o45rtab4jC2G37WGYX1zQfuU2i6DSvnc=
-github.com/gofrs/uuid v4.3.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
-github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4=
-github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
-github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
-github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
-github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
-github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
-github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
+github.com/gofrs/uuid v4.4.0+incompatible h1:3qXRTX8/NbyulANqlc0lchS1gqAVxRgsuW1YrTJupqA=
+github.com/gofrs/uuid v4.4.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec h1:qv2VnGeEQHchGaZ/u7lxST/RaJw+cv273q79D81Xbog=
 github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec/go.mod h1:Q48J4R4DvxnHolD5P8pOtXigYlRuPLGl6moFx3ulM68=
-github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
-github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc=
-github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
+github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs=
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
-github.com/kr/pretty v0.2.0 h1:s5hAObm+yFO5uHYt5dYjxi2rXrsnmRpJx4OYvIWUaQs=
-github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
-github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
-github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
-github.com/mattn/go-isatty v0.0.16 h1:bq3VjFmv/sOjHtdEhmkEV4x1AJtvUvOJ2PFAZ5+peKQ=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
 github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d h1:5PJl274Y63IEHC+7izoQE9x6ikvDFZS2mDVS3drnohI=
 github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
-github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
-github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
-github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
-github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/mr-tron/base58 v1.2.0 h1:T/HDJBh4ZCPbU39/+c3rRvE0uKBQlU27+QI8LJ4t64o=
 github.com/mr-tron/base58 v1.2.0/go.mod h1:BinMc/sQntlIE1frQmRFPUoPA1Zkr8VRgBdjWI2mNwc=
-github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
-github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/safing/jess v0.3.0/go.mod h1:JbYsPk5iJZx0OXDZeMcjS9qEdkGVUg+DCA8Fw2LdN9s=
-github.com/safing/portbase v0.15.2/go.mod h1:5bHi99fz7Hh/wOsZUOI631WF9ePSHk57c4fdlOMS91Y=
-github.com/safing/portbase v0.16.2 h1:ZlCZBZkKmgJDR+sHSRbFc9mM8m9qYtu8agE1xCirvQU=
-github.com/safing/portbase v0.16.2/go.mod h1:mzNCWqPbO7vIYbbK5PElGbudwd2vx4YPNawymL8Aro8=
+github.com/safing/portbase v0.18.5 h1:BgIBpreSNOnyHqx6Ovx3xJMkX2yOa3A2uLpfVBbfJPM=
+github.com/safing/portbase v0.18.5/go.mod h1:qhhLjrr5iEGU9r7RZ6hJdtulOeycJ0d0jq95ZxGJ9Hs=
 github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww=
 github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
-github.com/seehuhn/fortuna v1.0.1/go.mod h1:LX8ubejCnUoT/hX+1aKUtbKls2H6DRkqzkc7TdR3iis=
-github.com/seehuhn/sha256d v1.0.0/go.mod h1:PEuxg9faClSveVuFXacQmi+NtDI/PX8bpKjtNzf2+s4=
-github.com/shirou/gopsutil v3.21.11+incompatible/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA=
-github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
-github.com/spaolacci/murmur3 v1.1.0/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
-github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
-github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
-github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU=
-github.com/spf13/cobra v1.5.0 h1:X+jTBEBqF0bHN+9cSMgmfuvv2VHJ9ezmFNf9Y/XstYU=
-github.com/spf13/cobra v1.5.0/go.mod h1:dWXEIy2H428czQCjInthrTRUg7yKbok+2Qi/yBIJoUM=
-github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
-github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
+github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.4.0 h1:M2gUjqZET1qApGOWNSnZ49BAIMX4F/1plDv3+l31EJ4=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
-github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
-github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
-github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
+github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/tevino/abool v1.2.0 h1:heAkClL8H6w+mK5md9dzsuohKeXHUpY7Vw0ZCKW+huA=
 github.com/tevino/abool v1.2.0/go.mod h1:qc66Pna1RiIsPa7O4Egxxs9OqkuxDX55zznh9K07Tzg=
 github.com/tidwall/gjson v1.14.2/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
-github.com/tidwall/gjson v1.14.3/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
+github.com/tidwall/gjson v1.17.0 h1:/Jocvlh98kcTfpN2+JzGQWQcqrPQwDrVEMApx/M5ZwM=
+github.com/tidwall/gjson v1.17.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
+github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
 github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
 github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
+github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4=
+github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
+github.com/tidwall/sjson v1.2.5 h1:kLy8mja+1c9jlljvWTlSazM7cKDRfJuR/bOJhcY5NcY=
 github.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28=
-github.com/tklauser/go-sysconf v0.3.9/go.mod h1:11DU/5sG7UexIrp/O6g35hrWzu0JxlwQ3LSFUzyeuhs=
-github.com/tklauser/go-sysconf v0.3.10/go.mod h1:C8XykCvCb+Gn0oNCWPIlcb0RuglQTYaQ2hGm7jmxEFk=
-github.com/tklauser/numcpus v0.3.0/go.mod h1:yFGUr7TUHQRAhyqBcEg0Ge34zDBAsIvJJcyE6boqnA8=
-github.com/tklauser/numcpus v0.4.0/go.mod h1:1+UI3pD8NW14VMwdgJNJ1ESk2UnwhAnz5hMwiKKqXCQ=
-github.com/tklauser/numcpus v0.5.0/go.mod h1:OGzpTxpcIMNGYQdit2BYL1pvk/dSOaJWjKoflh+RQjo=
-github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
-github.com/valyala/fastrand v1.1.0/go.mod h1:HWqCzkrkg6QXT8V2EXWvXCoow7vLwOFN002oeRzjapQ=
-github.com/valyala/histogram v1.2.0/go.mod h1:Hb4kBwb4UxsaNbbbh+RRz8ZR6pdodR57tzWUS3BUzXY=
-github.com/vmihailenco/msgpack/v5 v5.3.5 h1:5gO0H1iULLWGhs2H5tbAHIZTV8/cYafcFOr9znI5mJU=
-github.com/vmihailenco/msgpack/v5 v5.3.5/go.mod h1:7xyJ9e+0+9SaZT0Wt1RGleJXzli6Q/V5KbhBonMG9jc=
+github.com/vmihailenco/msgpack/v5 v5.4.0 h1:hRM0digJwyR6vll33NNAwCFguy5JuBD6jxDmQP3l608=
+github.com/vmihailenco/msgpack/v5 v5.4.0/go.mod h1:GaZTsDaehaPpQVyxrf5mtQlH+pc21PIudVV/E3rRQok=
 github.com/vmihailenco/tagparser/v2 v2.0.0 h1:y09buUbR+b5aycVFQs/g70pqKVZNBmxwAhO7/IwNM9g=
 github.com/vmihailenco/tagparser/v2 v2.0.0/go.mod h1:Wri+At7QHww0WTrCBeu4J6bNtoV6mEfg5OIWRZA9qds=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
-github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
-github.com/yusufpapurcu/wmi v1.2.2/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
-github.com/zalando/go-keyring v0.2.1 h1:MBRN/Z8H4U5wEKXiD67YbDAr5cj/DOStmSga70/2qKc=
-github.com/zalando/go-keyring v0.2.1/go.mod h1:g63M2PPn0w5vjmEbwAX3ib5I+41zdm4esSETOn9Y6Dw=
-go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4=
-golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+github.com/zalando/go-keyring v0.2.3 h1:v9CUu9phlABObO4LPWycf+zwMG7nlbb3t/B5wa97yms=
+github.com/zalando/go-keyring v0.2.3/go.mod h1:HL4k+OXQfJUWaMnqyuSOc0drfGPX2b51Du6K+MRgZMk=
 golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20220926161630-eccd6366d1be/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20221010152910-d6f0a8c073c2 h1:x8vtB3zMecnlqZIwJNUUpwYKYSqCz5jXbiyv0ZJJZeI=
-golang.org/x/crypto v0.0.0-20221010152910-d6f0a8c073c2/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
+golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
+golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI=
+golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220927171203-f486391704dc/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
-golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220923202941-7f9b1623fab7/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200923182605-d9f96fdee20d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210816074244-15123e1e1f71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210819135213-f52c844e1c1c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220422013727-9388b58f7150/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220928140112-f11e5e49a4ec/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20221010170243-090e33056c14 h1:k5II8e6QD8mITdi+okbbmR/cIyEbeXLBhy5Ha4nevyc=
-golang.org/x/sys v0.0.0-20221010170243-090e33056c14/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
+golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20210503060354-a79de5458b56/go.mod h1:tfny5GFUkzUvx4ps4ajbZsCe5lw1metzhBm9T3x7oIY=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.0.0-20220919170432-7a66f970e087 h1:tPwmk4vmvVCMdr98VgL4JH+qZxPL8fqlUOHnyOM8N3w=
-golang.org/x/term v0.0.0-20220919170432-7a66f970e087/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek=
+golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

session.go

@@ -369,7 +369,7 @@ func newSession(e *Envelope) (*Session, error) { //nolint:maintidx
 	// final checks
 	// ============
 
-	// check requirements requirements
+	// check requirements
 	if s.toolRequirements.Empty() {
 		return nil, errors.New("envelope excludes all security requirements, no meaningful operation possible")
 	}
@@ -518,7 +518,7 @@ func (s *Session) checkSecurityLevel(levelToCheck int, subject func() string) er
 	switch {
 	case minimumSecurityLevel > 0:
 		// check against minimumSecurityLevel
-		// minimumSecurityLevel overrides other checks
+		// (overrides other checks)
 		if levelToCheck < minimumSecurityLevel {
 			return fmt.Errorf(
 				`%s with a security level of %d is weaker than the desired security level of %d`,

suites.go

@@ -67,19 +67,19 @@ var (
 
 	// Currently Recommended Suites.
 
-	// SuiteKey is a a cipher suite for encryption with a key.
+	// SuiteKey is a cipher suite for encryption with a key.
 	SuiteKey = SuiteKeyV1
-	// SuitePassword is a a cipher suite for encryption with a password.
+	// SuitePassword is a cipher suite for encryption with a password.
 	SuitePassword = SuitePasswordV1
-	// SuiteRcptOnly is a a cipher suite for encrypting for someone, but without verifying the sender/source.
+	// SuiteRcptOnly is a cipher suite for encrypting for someone, but without verifying the sender/source.
 	SuiteRcptOnly = SuiteRcptOnlyV1
-	// SuiteSign is a a cipher suite for signing (no encryption).
+	// SuiteSign is a cipher suite for signing (no encryption).
 	SuiteSign = SuiteSignV1
-	// SuiteSignFile is a a cipher suite for signing files (no encryption).
+	// SuiteSignFile is a cipher suite for signing files (no encryption).
 	SuiteSignFile = SuiteSignFileV1
-	// SuiteComplete is a a cipher suite for both encrypting for someone and signing.
+	// SuiteComplete is a cipher suite for both encrypting for someone and signing.
 	SuiteComplete = SuiteCompleteV1
-	// SuiteWire is a a cipher suite for network communication, including authentication of the server, but not the client.
+	// SuiteWire is a cipher suite for network communication, including authentication of the server, but not the client.
 	SuiteWire = SuiteWireV1
 )
 

suites_test.go

@@ -294,7 +294,7 @@ func suiteBullshitCheck(suite *Suite) error { //nolint:maintidx
 	// final checks
 	// ============
 
-	// check requirements requirements
+	// check requirements
 	if s.toolRequirements.Empty() {
 		return errors.New("suite does not provide any security attributes")
 	}

tools/toollogic.go

@@ -101,7 +101,7 @@ type ToolLogic interface {
 
 	// Signet Handling
 
-	// LoadKey loads a key from the Signet's key storage (`Key`) into the Signet's cache (`Loaded*`). If the Signet is marked as public, the storage is expected to only have the public key present, only only it will be loaded.
+	// LoadKey loads a key from the Signet's key storage (`Key`) into the Signet's cache (`Loaded*`). If the Signet is marked as public, the storage is expected to only have the public key present, only it will be loaded.
 	// Must work with a static (no Setup()) ToolLogic.
 	// Must be overridden by tools that declare FeatureKeyExchange, FeatureKeyEncapsulation or FeatureSigning.
 	LoadKey(SignetInt) error

truststores/keyring.go

@@ -58,7 +58,7 @@ func (krts *KeyringTrustStore) GetSignet(id string, recipient bool) (*jess.Signe
 	// Get data from keyring.
 	data, err := keyring.Get(krts.serviceName, id)
 	if err != nil {
-		return nil, fmt.Errorf("%w: %s", jess.ErrSignetNotFound, err)
+		return nil, fmt.Errorf("%w: %w", jess.ErrSignetNotFound, err)
 	}
 
 	// Parse and return.
@@ -111,7 +111,7 @@ func (krts *KeyringTrustStore) GetEnvelope(name string) (*jess.Envelope, error)
 	// Get data from keyring.
 	data, err := keyring.Get(krts.serviceName, name)
 	if err != nil {
-		return nil, fmt.Errorf("%w: %s", jess.ErrEnvelopeNotFound, err)
+		return nil, fmt.Errorf("%w: %w", jess.ErrEnvelopeNotFound, err)
 	}
 
 	// Parse and return.