Lint

age/keysource_test.go

@@ -521,8 +521,9 @@ func TestMasterKey_Identities_Passphrase(t *testing.T) {
 		t.Setenv(SopsAgeKeyEnv, mockEncryptedIdentity)
 		//blocks calling gpg-agent
 		os.Unsetenv("XDG_RUNTIME_DIR")
-		t.Setenv(SopsAgePasswordEnv, mockIdentityPassphrase)
+		testOnlyAgePassword = mockIdentityPassphrase
 		got, err := key.Decrypt()
+		testOnlyAgePassword = ""
 
 		assert.NoError(t, err)
 		assert.EqualValues(t, mockEncryptedKeyPlain, got)
@@ -540,9 +541,11 @@ func TestMasterKey_Identities_Passphrase(t *testing.T) {
 		t.Setenv(SopsAgeKeyFileEnv, keyPath)
 		//blocks calling gpg-agent
 		os.Unsetenv("XDG_RUNTIME_DIR")
-		t.Setenv(SopsAgePasswordEnv, mockIdentityPassphrase)
+		testOnlyAgePassword = mockIdentityPassphrase
 
 		got, err := key.Decrypt()
+		testOnlyAgePassword = ""
+
 		assert.NoError(t, err)
 		assert.EqualValues(t, mockEncryptedKeyPlain, got)
 	})
@@ -552,9 +555,11 @@ func TestMasterKey_Identities_Passphrase(t *testing.T) {
 		t.Setenv(SopsAgeKeyEnv, mockEncryptedIdentity)
 		//blocks calling gpg-agent
 		os.Unsetenv("XDG_RUNTIME_DIR")
-		t.Setenv(SopsAgePasswordEnv, mockIdentityPassphrase)
+		testOnlyAgePassword = mockIdentityPassphrase
 
 		got, err := key.Decrypt()
+		testOnlyAgePassword = ""
+
 		assert.Error(t, err)
 		assert.ErrorContains(t, err, "failed to create reader for decrypting sops data key with age")
 		assert.Nil(t, got)

age/tui.go

@@ -22,9 +22,7 @@ import (
 	"golang.org/x/term"
 )
 
-const (
-	SopsAgePasswordEnv = "SOPS_AGE_PASSWORD"
-)
+var testOnlyAgePassword string
 
 func printf(format string, v ...interface{}) {
 	log.Printf("age: "+format, v...)
@@ -34,20 +32,6 @@ func warningf(format string, v ...interface{}) {
 	log.Printf("age: warning: "+format, v...)
 }
 
-// If testOnlyPanicInsteadOfExit is true, exit will set testOnlyDidExit and
-// panic instead of calling os.Exit. This way, the wrapper in TestMain can
-// recover the panic and return the exit code only if it was originated in exit.
-var testOnlyPanicInsteadOfExit bool
-var testOnlyDidExit bool
-
-func exit(code int) {
-	if testOnlyPanicInsteadOfExit {
-		testOnlyDidExit = true
-		panic(code)
-	}
-	os.Exit(code)
-}
-
 // clearLine clears the current line on the terminal, or opens a new line if
 // terminal escape codes don't work.
 func clearLine(out io.Writer) {
@@ -96,9 +80,8 @@ func withTerminal(f func(in, out *os.File) error) error {
 // readSecret reads a value from the terminal with no echo. The prompt is ephemeral.
 func readSecret(prompt string) (s []byte, err error) {
 	if testing.Testing() {
-		password := os.Getenv(SopsAgePasswordEnv)
-		if password != "" {
-			return []byte(password), nil
+		if testOnlyAgePassword != "" {
+			return []byte(testOnlyAgePassword), nil
 		}
 	}
 

azkv/keysource.go

@@ -79,7 +79,7 @@ func NewMasterKeyFromURL(url string) (*MasterKey, error) {
 	url = strings.TrimSpace(url)
 	re := regexp.MustCompile("^(https://[^/]+)/keys/([^/]+)/([^/]+)$")
 	parts := re.FindStringSubmatch(url)
-	if parts == nil || len(parts) < 3 {
+	if len(parts) < 3 {
 		return nil, fmt.Errorf("could not parse %q into a valid Azure Key Vault MasterKey", url)
 	}
 	return NewMasterKey(parts[1], parts[2], parts[3]), nil

cmd/sops/common/common.go

@@ -222,7 +222,7 @@ func GetKMSKeyWithEncryptionCtx(tree *sops.Tree) (keyGroupIndex int, keyIndex in
 		for n, k := range kg {
 			kmsKey, ok := k.(*kms.MasterKey)
 			if ok {
-				if kmsKey.EncryptionContext != nil && len(kmsKey.EncryptionContext) >= 2 {
+				if len(kmsKey.EncryptionContext) >= 2 {
 					duplicateValues := map[string]int{}
 					for _, v := range kmsKey.EncryptionContext {
 						duplicateValues[*v] = duplicateValues[*v] + 1

cmd/sops/main.go

@@ -2150,7 +2150,7 @@ func keyservices(c *cli.Context) (svcs []keyservice.KeyServiceClient) {
 			"address",
 			fmt.Sprintf("%s://%s", url.Scheme, addr),
 		).Infof("Connecting to key service")
-		conn, err := grpc.Dial(addr, opts...)
+		conn, err := grpc.NewClient(addr, opts...)
 		if err != nil {
 			log.Fatalf("failed to listen: %v", err)
 		}
@@ -2283,7 +2283,7 @@ func keyGroups(c *cli.Context, file string) ([]sops.KeyGroup, error) {
 			if err != nil {
 				errMsg = fmt.Sprintf("%s: %s", errMsg, err)
 			}
-			return nil, fmt.Errorf(errMsg)
+			return nil, fmt.Errorf("%s", errMsg)
 		}
 		return conf.KeyGroups, err
 	}

gcpkms/keysource_test.go

@@ -159,7 +159,7 @@ func newGRPCServer(port string) *grpc.ClientConn {
 	}
 	go serv.Serve(lis)
 
-	conn, err := grpc.Dial(lis.Addr().String(), grpc.WithTransportCredentials(insecure.NewCredentials()))
+	conn, err := grpc.NewClient(lis.Addr().String(), grpc.WithTransportCredentials(insecure.NewCredentials()))
 	if err != nil {
 		log.Fatal(err)
 	}

shamir/shamir.go

@@ -15,7 +15,6 @@ import (
 	"crypto/subtle"
 	"fmt"
 	mathrand "math/rand"
-	"time"
 )
 
 const (
@@ -190,7 +189,6 @@ func Split(secret []byte, parts, threshold int) ([][]byte, error) {
 	// a non-cryptographically secure source of randomness is used.
 	// As far as I know the x coordinates do not need to be random.
 
-	mathrand.Seed(time.Now().UnixNano())
 	xCoordinates := mathrand.Perm(255)
 
 	// Allocate the output array, initialize the final byte