containers · rhatdan · Feb 9, 2023 · Feb 9, 2023 · mtrmac · Feb 9, 2023
diff --git a/Makefile b/Makefile
@@ -88,3 +88,6 @@ lint:
 
 vendor-in-container:
 	podman run --privileged --rm --env HOME=/root -v `pwd`:/src -w /src golang go mod tidy
+
+codespell:
+	codespell -S Makefile,build,buildah,buildah.spec,imgtype,copy,AUTHORS,bin,vendor,.git,go.sum,CHANGELOG.md,changelog.txt,seccomp.json,.cirrus.yml,"*.xz,*.gz,*.tar,*.tgz,*ico,*.png,*.1,*.5,*.orig,*.rej" -L keypair,flate,uint,iff,od,ERRO -w
diff --git a/docker/archive/writer.go b/docker/archive/writer.go
@@ -19,7 +19,7 @@ type Writer struct {
 	archive     *tarfile.Writer
 	writer      io.Closer
 
-	// The following state can only be acccessed with the mutex held.
+	// The following state can only be accessed with the mutex held.
 	mutex     sync.Mutex
 	hadCommit bool // At least one successful commit has happened
 }

diff --git a/docker/body_reader.go b/docker/body_reader.go
@@ -36,7 +36,7 @@ type bodyReader struct {
 }
 
 // newBodyReader creates a bodyReader for request path in c.
-// firstBody is an already correctly opened body for the blob, returing the full blob from the start.
+// firstBody is an already correctly opened body for the blob, returning the full blob from the start.
 // If reading from firstBody fails, bodyReader may heuristically decide to resume.
 func newBodyReader(ctx context.Context, c *dockerClient, path string, firstBody io.ReadCloser) (io.ReadCloser, error) {
 	logURL, err := c.resolveRequestURL(path)
@@ -186,7 +186,7 @@ func (br *bodyReader) Read(p []byte) (int, error) {
 			return n, fmt.Errorf("%w (after reconnecting, fetching blob: %v)", originalErr, err)
 		}
 
-		logrus.Debugf("Succesfully reconnected to %s", redactedURL)
+		logrus.Debugf("Successfully reconnected to %s", redactedURL)
 		consumedBody = true
 		br.body = res.Body
 		br.lastRetryOffset = br.offset

diff --git a/docker/docker_client.go b/docker/docker_client.go
@@ -985,7 +985,7 @@ func (c *dockerClient) getBlob(ctx context.Context, ref dockerReference, info ty
 	return reconnectingReader, blobSize, nil
 }
 
-// getOCIDescriptorContents returns the contents a blob spcified by descriptor in ref, which must fit within limit.
+// getOCIDescriptorContents returns the contents a blob specified by descriptor in ref, which must fit within limit.
 func (c *dockerClient) getOCIDescriptorContents(ctx context.Context, ref dockerReference, desc imgspecv1.Descriptor, maxSize int, cache types.BlobInfoCache) ([]byte, error) {
 	// Note that this copies all kinds of attachments: attestations, and whatever else is there,
 	// not just signatures. We leave the signature consumers to decide based on the MIME type.

diff --git a/docker/docker_image_dest.go b/docker/docker_image_dest.go
@@ -742,7 +742,7 @@ func layerMatchesSigstoreSignature(layer imgspecv1.Descriptor, mimeType string,
 }
 
 // putBlobBytesAsOCI uploads a blob with the specified contents, and returns an appropriate
-// OCI descriptior.
+// OCI descriptor.
 func (d *dockerImageDestination) putBlobBytesAsOCI(ctx context.Context, contents []byte, mimeType string, options private.PutBlobOptions) (imgspecv1.Descriptor, error) {
 	blobDigest := digest.FromBytes(contents)
 	info, err := d.PutBlobWithOptions(ctx, bytes.NewReader(contents),

diff --git a/docker/reference/reference.go b/docker/reference/reference.go
@@ -8,8 +8,8 @@
 //	domain                          := domain-component ['.' domain-component]* [':' port-number]
 //	domain-component                := /([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])/
 //	port-number                     := /[0-9]+/
-//	path-component                  := alpha-numeric [separator alpha-numeric]*
-//	alpha-numeric                   := /[a-z0-9]+/
+//	path-component                  := alphanumeric [separator alphanumeric]*
+//	alphanumeric                   := /[a-z0-9]+/
 //	separator                       := /[_.]|__|[-]*/
 //
 //	tag                             := /[\w][\w.-]{0,127}/

diff --git a/docs/containers-sigstore-signing-params.yaml.5.md b/docs/containers-sigstore-signing-params.yaml.5.md
@@ -78,7 +78,7 @@ In addition, a Rekor server must be specified as well.
 ### Recording the Signature to a Rekor Transparency Server
 
 This can be combined with either a private key or Fulcio.
-It is, pratically speaking, required for Fulcio; it is optional when a static private key is used, but necessary for
+It is, practically speaking, required for Fulcio; it is optional when a static private key is used, but necessary for
 interoperability with the default configuration of `cosign`.
 
 - `rekorURL`: _URL_

diff --git a/internal/image/sourced.go b/internal/image/sourced.go
@@ -10,7 +10,7 @@ import (
 )
 
 // FromReference returns a types.ImageCloser implementation for the default instance reading from reference.
-// If reference poitns to a manifest list, .Manifest() still returns the manifest list,
+// If reference points to a manifest list, .Manifest() still returns the manifest list,
 // but other methods transparently return data from an appropriate image instance.
 //
 // The caller must call .Close() on the returned ImageCloser.

diff --git a/pkg/blobcache/src.go b/pkg/blobcache/src.go
@@ -200,7 +200,7 @@ func streamChunksFromFile(streams chan io.ReadCloser, errs chan error, file io.R
 	defer file.Close()
 
 	for _, c := range chunks {
-		// Always seek to the desired offest; that way we don’t need to care about the consumer
+		// Always seek to the desired offset; that way we don’t need to care about the consumer
 		// not reading all of the chunk, or about the position going backwards.
 		if _, err := file.Seek(int64(c.Offset), io.SeekStart); err != nil {
 			errs <- err

diff --git a/pkg/compression/compression.go b/pkg/compression/compression.go
@@ -30,7 +30,7 @@ var (
 	// Zstd compression.
 	Zstd = internal.NewAlgorithm(types.ZstdAlgorithmName, types.ZstdAlgorithmName,
 		[]byte{0x28, 0xb5, 0x2f, 0xfd}, ZstdDecompressor, zstdCompressor)
-	// ZstdChunked is a Zstd compresion with chunk metadta which allows random access to individual files.
+	// ZstdChunked is a Zstd compression with chunk metadta which allows random access to individual files.
 	ZstdChunked = internal.NewAlgorithm(types.ZstdChunkedAlgorithmName, types.ZstdAlgorithmName, /* Note: InternalUnstableUndocumentedMIMEQuestionMark is not ZstdChunkedAlgorithmName */
 		nil, ZstdDecompressor, compressor.ZstdCompressor)
 

diff --git a/signature/fulcio_cert.go b/signature/fulcio_cert.go
@@ -105,7 +105,7 @@ func (f *fulcioTrustRoot) verifyFulcioCertificateAtTime(relevantTime time.Time,
 	// log of approved Fulcio invocations, and it’s not clear where that would come from, especially human users manually
 	// logging in using OpenID are not going to maintain a record of those actions.
 	//
-	// Also, the SCT does not help reveal _what_ was maliciously signed, nor does it protect against malicous signatures
+	// Also, the SCT does not help reveal _what_ was maliciously signed, nor does it protect against malicious signatures
 	// by correctly-issued certificates.
 	//
 	// So, pragmatically, the ideal design seem to be to only do signatures from a trusted build system (which is, by definition,

diff --git a/signature/fulcio_cert_test.go b/signature/fulcio_cert_test.go
@@ -20,7 +20,7 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-// asssert that crypto.PublicKey matches the on in certPEM.
+// assert that crypto.PublicKey matches the on in certPEM.
 func assertPublicKeyMatchesCert(t *testing.T, certPEM []byte, pk crypto.PublicKey) {
 	pkInterface, ok := pk.(interface {
 		Equal(x crypto.PublicKey) bool
@@ -153,7 +153,7 @@ func TestFulcioTrustRootVerifyFulcioCertificateAtTime(t *testing.T) {
 	}{
 		{
 			// OtherName SAN element, with none of the Go-parsed SAN elements present,
-			// should not be a reason to reject the certficate entirely;
+			// should not be a reason to reject the certificate entirely;
 			// but we don’t actually support matching it, so this basically tests that the code
 			// gets far enough to do subject matching.
 			name: "OtherName in SAN",

diff --git a/signature/internal/rekor_set_test.go b/signature/internal/rekor_set_test.go
@@ -320,7 +320,7 @@ func TestVerifyRekorSET(t *testing.T) {
 		// Invalid spec.signature
 		func(v mSA) { x(v, "spec")["signature"] = nil },
 		func(v mSA) { x(v, "spec")["signature"] = 1 },
-		// A spec.signature field is mising
+		// A spec.signature field is missing
 		func(v mSA) { delete(x(v, "spec", "signature"), "content") },
 		func(v mSA) { delete(x(v, "spec", "signature"), "publicKey") },
 		// Invalid spec.signature.content

diff --git a/signature/sigstore/fulcio/fulcio.go b/signature/sigstore/fulcio/fulcio.go
@@ -100,7 +100,7 @@ func WithFulcioAndPreexistingOIDCIDToken(fulcioURL *url.URL, oidcIDToken string)
 // WithFulcioAndDeviceAuthorizationGrantOIDC sets up signing to use a short-lived key and a Fulcio-issued certificate
 // based on an OIDC ID token obtained using a device authorization grant (RFC 8628).
 //
-// interactiveOutput must be directly accesible to a human user in real time (i.e. not be just a log file).
+// interactiveOutput must be directly accessible to a human user in real time (i.e. not be just a log file).
 func WithFulcioAndDeviceAuthorizationGrantOIDC(fulcioURL *url.URL, oidcIssuerURL *url.URL, oidcClientID, oidcClientSecret string,
 	interactiveOutput io.Writer) internal.Option {
 	return func(s *internal.SigstoreSigner) error {