chore: bump Fulcio to 1.8.4

internal/cache/api/api.go

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package api
+package cacheapi
 
 import "github.com/sigstore/gitsign/internal/config"
 

internal/cache/cache_test.go

@@ -29,7 +29,7 @@ import (
 	"github.com/github/smimesign/fakeca"
 	"github.com/google/go-cmp/cmp"
 	"github.com/sigstore/gitsign/internal/cache"
-	"github.com/sigstore/gitsign/internal/cache/api"
+	cacheapi "github.com/sigstore/gitsign/internal/cache/api"
 	"github.com/sigstore/gitsign/internal/cache/service"
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
 )
@@ -72,13 +72,13 @@ func TestCache(t *testing.T) {
 	host, _ := os.Hostname()
 	wd, _ := os.Getwd()
 	id := fmt.Sprintf("%s@%s", host, wd)
-	cred := new(api.Credential)
-	if err := client.Client.Call("Service.GetCredential", &api.GetCredentialRequest{ID: id}, cred); err != nil {
+	cred := new(cacheapi.Credential)
+	if err := client.Client.Call("Service.GetCredential", &cacheapi.GetCredentialRequest{ID: id}, cred); err != nil {
 		t.Fatal(err)
 	}
 
 	privPEM, _ := cryptoutils.MarshalPrivateKeyToPEM(priv)
-	want := &api.Credential{
+	want := &cacheapi.Credential{
 		PrivateKey: privPEM,
 		Cert:       certPEM,
 	}

internal/cache/client.go

@@ -24,7 +24,7 @@ import (
 	"os"
 	"time"
 
-	"github.com/sigstore/gitsign/internal/cache/api"
+	cacheapi "github.com/sigstore/gitsign/internal/cache/api"
 	"github.com/sigstore/gitsign/internal/config"
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
 )
@@ -40,8 +40,8 @@ func (c *Client) GetCredentials(_ context.Context, cfg *config.Config) (crypto.P
 	if err != nil {
 		return nil, nil, nil, fmt.Errorf("error getting credential ID: %w", err)
 	}
-	resp := new(api.Credential)
-	if err := c.Client.Call("Service.GetCredential", api.GetCredentialRequest{
+	resp := new(cacheapi.Credential)
+	if err := c.Client.Call("Service.GetCredential", cacheapi.GetCredentialRequest{
 		ID:     id,
 		Config: cfg,
 	}, resp); err != nil {
@@ -96,14 +96,14 @@ func (c *Client) StoreCert(_ context.Context, priv crypto.PrivateKey, cert, chai
 		return err
 	}
 
-	if err := c.Client.Call("Service.StoreCredential", api.StoreCredentialRequest{
+	if err := c.Client.Call("Service.StoreCredential", cacheapi.StoreCredentialRequest{
 		ID: id,
-		Credential: &api.Credential{
+		Credential: &cacheapi.Credential{
 			PrivateKey: privPEM,
 			Cert:       cert,
 			Chain:      chain,
 		},
-	}, new(api.Credential)); err != nil {
+	}, new(cacheapi.Credential)); err != nil {
 		return err
 	}
 

internal/cache/service/service.go

@@ -21,7 +21,7 @@ import (
 	"time"
 
 	"github.com/patrickmn/go-cache"
-	"github.com/sigstore/gitsign/internal/cache/api"
+	cacheapi "github.com/sigstore/gitsign/internal/cache/api"
 	"github.com/sigstore/gitsign/internal/fulcio"
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
 )
@@ -42,7 +42,7 @@ func NewService() *Service {
 	return s
 }
 
-func (s *Service) StoreCredential(req api.StoreCredentialRequest, resp *api.Credential) error {
+func (s *Service) StoreCredential(req cacheapi.StoreCredentialRequest, resp *cacheapi.Credential) error {
 	fmt.Println("Store", req.ID)
 	if err := s.store.Add(req.ID, req.Credential, 10*time.Minute); err != nil {
 		return err
@@ -51,13 +51,13 @@ func (s *Service) StoreCredential(req api.StoreCredentialRequest, resp *api.Cred
 	return nil
 }
 
-func (s *Service) GetCredential(req api.GetCredentialRequest, resp *api.Credential) error {
+func (s *Service) GetCredential(req cacheapi.GetCredentialRequest, resp *cacheapi.Credential) error {
 	ctx := context.Background()
 	fmt.Println("Get", req.ID)
 	i, ok := s.store.Get(req.ID)
 	if ok {
 		fmt.Println("gitsign-credential-cache: found credential!")
-		cred, ok := i.(*api.Credential)
+		cred, ok := i.(*cacheapi.Credential)
 		if !ok {
 			return fmt.Errorf("unknown credential type %T", i)
 		}
@@ -81,7 +81,7 @@ func (s *Service) GetCredential(req api.GetCredentialRequest, resp *api.Credenti
 	if err != nil {
 		return err
 	}
-	cred := &api.Credential{
+	cred := &cacheapi.Credential{
 		PrivateKey: privPEM,
 		Cert:       id.CertPEM,
 		Chain:      id.ChainPEM,

internal/commands/root/root.go

@@ -25,7 +25,7 @@ import (
 	verifytag "github.com/sigstore/gitsign/internal/commands/verify-tag"
 	"github.com/sigstore/gitsign/internal/commands/version"
 	"github.com/sigstore/gitsign/internal/config"
-	"github.com/sigstore/gitsign/internal/io"
+	"github.com/sigstore/gitsign/internal/streams"
 )
 
 type options struct {
@@ -66,7 +66,7 @@ func New(cfg *config.Config) *cobra.Command {
 		Args:              cobra.ArbitraryArgs,
 		DisableAutoGenTag: true,
 		RunE: func(cmd *cobra.Command, args []string) error {
-			s := io.New(o.Config.LogPath)
+			s := streams.New(o.Config.LogPath)
 			defer s.Close()
 			return s.Wrap(func() error {
 				switch {

internal/commands/root/sign.go

@@ -26,15 +26,15 @@ import (
 	"github.com/sigstore/gitsign/internal/fulcio"
 	"github.com/sigstore/gitsign/internal/git"
 	"github.com/sigstore/gitsign/internal/gpg"
-	gsio "github.com/sigstore/gitsign/internal/io"
 	"github.com/sigstore/gitsign/internal/rekor"
 	"github.com/sigstore/gitsign/internal/signature"
+	"github.com/sigstore/gitsign/internal/streams"
 )
 
 // commandSign implements gitsign commit signing.
 // This is implemented as a root command so that user can specify the
 // gitsign binary directly in their gitconfigs.
-func commandSign(o *options, s *gsio.Streams, args ...string) error {
+func commandSign(o *options, s *streams.Streams, args ...string) error {
 	ctx := context.Background()
 
 	// Flag validation

internal/commands/root/verify.go

@@ -26,13 +26,13 @@ import (
 	"github.com/sigstore/gitsign/internal/commands/verify"
 	"github.com/sigstore/gitsign/internal/gitsign"
 	"github.com/sigstore/gitsign/internal/gpg"
-	gsio "github.com/sigstore/gitsign/internal/io"
+	"github.com/sigstore/gitsign/internal/streams"
 )
 
 // commandSign implements gitsign commit verification.
 // This is implemented as a root command so that user can specify the
 // gitsign binary directly in their gitconfigs.
-func commandVerify(o *options, s *gsio.Streams, args ...string) error {
+func commandVerify(o *options, s *streams.Streams, args ...string) error {
 	ctx := context.Background()
 
 	// Flag validation
@@ -91,7 +91,7 @@ func commandVerify(o *options, s *gsio.Streams, args ...string) error {
 	return nil
 }
 
-func readAttached(s *gsio.Streams, args ...string) ([]byte, error) {
+func readAttached(s *streams.Streams, args ...string) ([]byte, error) {
 	var (
 		f   io.Reader
 		err error
@@ -117,7 +117,7 @@ func readAttached(s *gsio.Streams, args ...string) ([]byte, error) {
 	return sig.Bytes(), nil
 }
 
-func readDetached(s *gsio.Streams, args ...string) ([]byte, []byte, error) {
+func readDetached(s *streams.Streams, args ...string) ([]byte, []byte, error) {
 	// Read in signature
 	sigFile, err := os.Open(args[0])
 	if err != nil {

internal/io/streams.go

@@ -13,7 +13,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package io
+package streams
 
 import (
 	"fmt"

internal/streams/streams.go

@@ -0,0 +1,92 @@
+//
+// Copyright 2022 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package streams
+
+import (
+	"fmt"
+	"io"
+	"os"
+
+	"github.com/mattn/go-tty"
+)
+
+type Streams struct {
+	In  io.Reader
+	Out io.Writer
+	Err io.Writer
+
+	TTYIn  io.Reader
+	TTYOut io.Writer
+
+	close []func() error
+}
+
+func New(logPath string) *Streams {
+	s := &Streams{
+		In:  os.Stdin,
+		Out: os.Stdout,
+		Err: os.Stderr,
+	}
+
+	if logPath != "" {
+		// Since Git eats both stdout and stderr, we don't have a good way of
+		// getting error information back from clients if things go wrong.
+		// As a janky way to preserve error message, tee stderr to
+		// a temp file.
+		if f, err := os.Create(logPath); err == nil {
+			s.close = append(s.close, f.Close)
+			s.Err = io.MultiWriter(s.Err, f)
+		}
+	}
+
+	// A TTY may not be available in all environments (e.g. in CI), so only
+	// set the input/output if we can actually open it.
+	tty, err := tty.Open()
+	if err == nil {
+		s.close = append(s.close, tty.Close)
+		s.TTYIn = tty.Input()
+		s.TTYOut = tty.Output()
+	} else {
+		// If we can't connect to a TTY, fall back to stderr for output (which
+		// will also log to file if GITSIGN_LOG is set).
+		s.TTYOut = s.Err
+	}
+	return s
+}
+
+func (s *Streams) Wrap(fn func() error) error {
+	// Log any panics to ttyout, since otherwise they will be lost to os.Stderr.
+	defer func() {
+		if r := recover(); r != nil {
+			fmt.Fprintln(s.TTYOut, r)
+		}
+	}()
+
+	if err := fn(); err != nil {
+		fmt.Fprintln(s.TTYOut, err)
+		return err
+	}
+	return nil
+}
+
+func (s *Streams) Close() error {
+	for _, fn := range s.close {
+		if err := fn(); err != nil {
+			return err
+		}
+	}
+	return nil
+}