risk: Upgraded golang.org/x/crypto to v0.45.0 to address security vulnerabilities (#19)

- **risk:** Added `signature-verify` make target to verify latest release's digital signatures for the current GOOS and GOARCH combination.
- **debt:** Upgraded dependencies to their latest stable versions.
- **defect:** Fixed `README.md` instructions for verifying module checksums.
- **risk:** Upgraded `golang.org/x/crypto` to `v0.45.0` to address vulnerabilities.

Author: mprimeaux

.github/workflows/ci.yaml

@@ -61,7 +61,7 @@ jobs:
 
       # Ref: https://github.com/golangci/golangci-lint-action
       - name: Lint
-        uses: golangci/golangci-lint-action@v8
+        uses: golangci/golangci-lint-action@v9
         with:
           args: --config=.golangci.yaml --verbose
 

.gitignore

@@ -29,3 +29,4 @@ out/
 .vscode/
 
 dist/
+tmp/

CHANGELOG.md

@@ -17,6 +17,24 @@ Date format: `YYYY-MM-DD`
 ### Fixed
 ### Security
 
+---
+
+## [1.52.0] - 2025-11-20
+
+### Added
+- **risk:** Added `signature-verify` make target to verify latest release's digital signatures for the current GOOS and GOARCH combination.
+
+### Changed
+- **debt:** Upgraded dependencies to their latest stable versions.
+
+### Deprecated
+### Removed
+### Fixed
+- **defect:** Fixed `README.md` instructions for verifying module checksums.
+
+### Security
+- **risk:** Upgraded `golang.org/x/crypto` to `v0.45.0` to address vulnerabilities.
+
 ---
 ## [1.51.3] - 2025-11-07
 
@@ -365,7 +383,8 @@ Date format: `YYYY-MM-DD`
 ### Fixed
 ### Security
 
-[Unreleased]: https://github.com/sixafter/types/compare/v1.51.3...HEAD
+[Unreleased]: https://github.com/sixafter/types/compare/v1.52.0...HEAD
+[1.52.0]: https://github.com/sixafter/types/compare/v1.51.3...v1.52.0
 [1.51.3]: https://github.com/sixafter/types/compare/v1.50.0...v1.51.3
 [1.50.0]: https://github.com/sixafter/types/compare/v1.49.0...v1.50.0
 [1.49.0]: https://github.com/sixafter/types/compare/v1.48.0...v1.49.0

Makefile

@@ -92,8 +92,15 @@ vuln: ## Check for vulnerabilities
 
 .PHONY: release-verify
 release-verify: ## Verify the release
-	rm -fr dist
-	goreleaser --config .goreleaser.yaml release --snapshot
+	@scripts/verify-release.sh
+
+.PHONY: module-verify
+mod-verify: ## Verify Go module integrity
+	@scripts/verify-mod.sh
+
+.PHONY: signature-verify
+signature-verify: ## Verify latest release's digital signatures
+	@scripts/verify-sig.sh
 
 .PHONY: help
 help: ## Display this help screen

README.md

@@ -32,43 +32,42 @@ To verify the integrity of the `types` source, run the following commands:
 # Fetch the latest release tag from GitHub API (e.g., "v1.52.0")
 TAG=$(curl -s https://api.github.com/repos/sixafter/types/releases/latest | jq -r .tag_name)
 
-# Remove leading "v" for filenames (e.g., "v1.52.0" -> "1.52.0")
+# Remove the leading "v" for filenames (e.g., "v1.52.0" -> "1.52.0")
 VERSION=${TAG#v}
 
 # ---------------------------------------------------------------------
 # Verify the source archive using Sigstore bundles
 # ---------------------------------------------------------------------
 
-# Download the release tarball and its corresponding bundle
-curl -LO https://github.com/sixafter/types/releases/download/${TAG}/types-${VERSION}.tar.gz
-curl -LO https://github.com/sixafter/types/releases/download/${TAG}/types-${VERSION}.tar.gz.bundle.json
+# Download the release tarball and its signature bundle
+curl -LO "https://github.com/sixafter/types/releases/download/${TAG}/types-${VERSION}.tar.gz"
+curl -LO "https://github.com/sixafter/types/releases/download/${TAG}/types-${VERSION}.tar.gz.sigstore.json"
 
-# Verify the tarball with Cosign using your published public key
+# Verify the tarball with Cosign using the published public key
 cosign verify-blob \
-  --key https://raw.githubusercontent.com/sixafter/types/main/cosign.pub \
-  --bundle types-${VERSION}.tar.gz.bundle.json \
-  types-${VERSION}.tar.gz
+  --key "https://raw.githubusercontent.com/sixafter/types/main/cosign.pub" \
+  --bundle "types-${VERSION}.tar.gz.sigstore.json" \
+  "types-${VERSION}.tar.gz"
 
 # ---------------------------------------------------------------------
 # Verify the checksums manifest using Sigstore bundles
 # ---------------------------------------------------------------------
 
-# Download checksums.txt and its bundle
-curl -LO https://github.com/sixafter/types/releases/download/${TAG}/checksums.txt
-curl -LO https://github.com/sixafter/types/releases/download/${TAG}/checksums.txt.bundle.json
+curl -LO "https://github.com/sixafter/types/releases/download/${TAG}/checksums.txt"
+curl -LO "https://github.com/sixafter/types/releases/download/${TAG}/checksums.txt.sigstore.json"
 
-# Verify checksums.txt with Cosign using your public key
+# Verify checksums.txt with Cosign
 cosign verify-blob \
-  --key https://raw.githubusercontent.com/sixafter/types/main/cosign.pub \
-  --bundle checksums.txt.bundle.json \
-  checksums.txt
+  --key "https://raw.githubusercontent.com/sixafter/types/main/cosign.pub" \
+  --bundle "checksums.txt.sigstore.json" \
+  "checksums.txt"
 
 # ---------------------------------------------------------------------
 # Confirm local artifact integrity
 # ---------------------------------------------------------------------
 
-# Compute and validate checksums locally
-shasum -a 256 -c checksums.txt
+shasum -a 256 -c checksups.txt
+
 ```
 
 If valid, Cosign will output: