Spelling (#1246)

* spelling: abstractions

Signed-off-by: Josh Soref <[email protected]>

* spelling: annotations

Signed-off-by: Josh Soref <[email protected]>

* spelling: announcement

Signed-off-by: Josh Soref <[email protected]>

* spelling: attached

Signed-off-by: Josh Soref <[email protected]>

* spelling: attachment

Signed-off-by: Josh Soref <[email protected]>

* spelling: attestation

Signed-off-by: Josh Soref <[email protected]>

* spelling: cloudbuild

Signed-off-by: Josh Soref <[email protected]>

* spelling: compatibility

Signed-off-by: Josh Soref <[email protected]>

* spelling: consideration

Signed-off-by: Josh Soref <[email protected]>

* spelling: constituent

Signed-off-by: Josh Soref <[email protected]>

* spelling: dekkagaijin

Signed-off-by: Josh Soref <[email protected]>

* spelling: dependabot

Signed-off-by: Josh Soref <[email protected]>

* spelling: environment

Signed-off-by: Josh Soref <[email protected]>

* spelling: github

Signed-off-by: Josh Soref <[email protected]>

* spelling: gitlab

Signed-off-by: Josh Soref <[email protected]>

* spelling: immutable

Signed-off-by: Josh Soref <[email protected]>

* spelling: include

Signed-off-by: Josh Soref <[email protected]>

* spelling: initialized

Signed-off-by: Josh Soref <[email protected]>

* spelling: mailing

Signed-off-by: Josh Soref <[email protected]>

* spelling: payloads

Signed-off-by: Josh Soref <[email protected]>

* spelling: percent

Signed-off-by: Josh Soref <[email protected]>

* spelling: setting

Signed-off-by: Josh Soref <[email protected]>

* spelling: sigstore

Signed-off-by: Josh Soref <[email protected]>

* spelling: stored

Signed-off-by: Josh Soref <[email protected]>

* spelling: validity

Signed-off-by: Josh Soref <[email protected]>

* spelling: verified

Signed-off-by: Josh Soref <[email protected]>

* spelling: verifier

Signed-off-by: Josh Soref <[email protected]>

* spelling: without

Signed-off-by: Josh Soref <[email protected]>

Co-authored-by: Josh Soref <[email protected]>

CHANGELOG.md

@@ -46,7 +46,7 @@ A whole buncha bugfixes!
 * Added the `--signature-digest-algorithm` flag to `cosign verify`, allowing verification of container image signatures which were generated with a non-SHA256 signature algorithm (https://github.com/sigstore/cosign/pull/1071)
 * Builds should now be reproducible (https://github.com/sigstore/cosign/pull/1053)
 * Allows base64 files as `--cert` in `cosign verify-blob` (https://github.com/sigstore/cosign/pull/1088)
-* Kubernetes secrets generated for version >= 1.21 clusters have the immutible bit set (https://github.com/sigstore/cosign/pull/1091)
+* Kubernetes secrets generated for version >= 1.21 clusters have the immutable bit set (https://github.com/sigstore/cosign/pull/1091)
 * Added `cosign save` and `cosign load` commands to save and upload container images and associated signatures to disk (https://github.com/sigstore/cosign/pull/1094)
 * `cosign sign` will no longer fail to sign private images in keyless mode without `--force` (https://github.com/sigstore/cosign/pull/1116)
 * `cosign verify` now supports signatures stored in files and remote URLs with `--signature` (https://github.com/sigstore/cosign/pull/1068)
@@ -118,7 +118,7 @@ A whole buncha bugfixes!
 
 ## Enhancements
 
-* Began reworking `/pkg` around new abstrations for signing, verification, and storage (https://github.com/sigstore/cosign/issues/666)
+* Began reworking `/pkg` around new abstractions for signing, verification, and storage (https://github.com/sigstore/cosign/issues/666)
     * Notice: refactoring of `/pkg` will continue in the next minor release (1.4.0). Please leave feedback, especially if you've been experimenting with `cosign` as a library and found it lacking (https://github.com/sigstore/cosign/issues/844)
     * [GGCR-style libraries](https://github.com/google/go-containerregistry#philosophy) for interacting with images now exist under `pkg/oci` (https://github.com/sigstore/cosign/pull/770)
     * `pkg/cosign/remote.UploadSignature` API was been removed in favor of new `pkg/oci/remote` APIs (https://github.com/sigstore/cosign/pull/774)
@@ -134,7 +134,7 @@ A whole buncha bugfixes!
 * `manifest verify` now supports verifying images in all Kubernetes objects that fit within `PodSpec`, `PodSpecTemplate`, or `JobSpecTemplate`, including CRDs (https://github.com/sigstore/cosign/pull/697)
 * Added shell auto-completion support (Clutch collab from @erkanzileli, @passcod, and @Dentrax! https://github.com/sigstore/cosign/pull/836)
 * `cosign` has generated Markdown docs available in the `doc/` directory (https://github.com/sigstore/cosign/pull/839)
-* Added support for verifying with secrets from a Gitlab project (https://github.com/sigstore/cosign/pull/934)
+* Added support for verifying with secrets from a GitLab project (https://github.com/sigstore/cosign/pull/934)
 * Added a `--k8s-keychain` option that enables cosign to support ambient registry credentials based on the "k8schain" library (https://github.com/sigstore/cosign/pull/972)
 * CI (test) Images are now created for every architecture distroless ships on (currently: amd64, arm64, arm, s390x, ppc64le) (https://github.com/sigstore/cosign/pull/973)
 * `attest`: replaced `--upload` flag with a `--no-upload` flag (https://github.com/sigstore/cosign/pull/979)
@@ -392,7 +392,7 @@ A whole buncha bugfixes!
 This is the third release of `cosign`!
 
 We still expect many flags, commands, and formats to change going forward, but we're getting closer.
-No backwards compatiblity is promised or implied yet, though we are hoping to formalize this policy in the next release.
+No backwards compatibility is promised or implied yet, though we are hoping to formalize this policy in the next release.
 See [#254](https://github.com/sigstore/cosign/issues/254) for more info.
 
 ## Enhancements
@@ -412,7 +412,7 @@ See [#254](https://github.com/sigstore/cosign/issues/254) for more info.
 * Dan Lorenc
 * Priya Wadhwa
 * Ivan Font
-* Depandabot!
+* Dependabot!
 * Mark Bestavros
 * Jake Sanders
 * Carlos Tadeu Panato Junior 
@@ -422,7 +422,7 @@ See [#254](https://github.com/sigstore/cosign/issues/254) for more info.
 This is the second release of `cosign`!
 
 We still expect many flags, commands, and formats to change going forward, but we're getting closer.
-No backwards compatiblity is promised or implied.
+No backwards compatibility is promised or implied.
 
 ## Enhancements
 
@@ -464,7 +464,7 @@ This is the first release of `cosign`!
 The main goal of this release is to release something we can start using to sign other releases of [sigstore](sigstore.dev) projects, including `cosign` itself.
 
 We expect many flags, commands, and formats to change going forward.
-No backwards compatiblity is promised or implied.
+No backwards compatibility is promised or implied.
 
 ## Enhancements
 

CODEOWNERS

@@ -4,7 +4,7 @@
 
 # asraa
 # bobcallaway
-# dekakgaijin
+# dekkagaijin
 # developer-guy
 # dlorenc
 # font

KEYLESS.md

@@ -66,7 +66,7 @@ These can be supplied on the command line with the `--identity-token` flag.
 The `audiences` field must contain `sigstore`.
 
 `cosign` also has support for detecting some of these automated environments
-and producing an identity token.  Currently this supports Google and Github.
+and producing an identity token.  Currently this supports Google and GitHub.
 
 #### On GCP
 
@@ -100,7 +100,7 @@ To configure this flow:
 
 1. Create a service account to use for signatures (the email address will be present in the certificate subject).
 2. Grant the Cloud Build service account the `roles/iam.serviceAccountTokenCreator` role for this target account.
-3. Set the `GOOGLE_SERVICE_ACCOUNT_NAME` environment variable to the name of the target account in your cloudbuid.yaml
+3. Set the `GOOGLE_SERVICE_ACCOUNT_NAME` environment variable to the name of the target account in your cloudbuild.yaml
 4. Sign images in GCB, without keys!
 
 ### Timestamps
@@ -117,7 +117,7 @@ Signature timestamps are checked in the [rekor](https://github.com/sigstore/reko
 
 ## Custom Infrastructure
 
-If you're running your own sigtore services flags are available to set your own endpoint's, e.g
+If you're running your own sigstore services flags are available to set your own endpoint's, e.g
 
 ```
  COSIGN_EXPERIMENTAL=1 go run cmd/cosign/main.go sign -oidc-issuer "https://oauth2.example.com/auth" \
@@ -129,7 +129,7 @@ If you're running your own sigtore services flags are available to set your own
 
 ### Custom root Cert
 
-You can override the public good instance root CA using the enviromental variable `SIGSTORE_ROOT_FILE`, e.g.
+You can override the public good instance root CA using the environment variable `SIGSTORE_ROOT_FILE`, e.g.
 
 ```
 export SIGSTORE_ROOT_FILE="/home/jdoe/myrootCA.pem"

README.md

@@ -598,7 +598,7 @@ Timestamps could also be added here, to implement TUF-style freeze-attack preven
 
 Again, `cosign` can sign anything in a registry.
 You could use `cosign` to sign an image that is intended to be used as a base image,
-and inlcude that provenance metadata in resulting derived images.
+and include that provenance metadata in resulting derived images.
 This could be used to enforce that an image was built from an authorized base image.
 
 Rough Idea:
@@ -651,7 +651,7 @@ Note that this could be applied recursively, for multiple intermediate base imag
 
 ### Counter-Signing
 
-Cosign signatures (and their protected paylaods) are stored as artifacts in a registry.
+Cosign signatures (and their protected payloads) are stored as artifacts in a registry.
 These signature objects can also be signed, resulting in a new, "counter-signature" artifact.
 This "counter-signature" protects the signature (or set of signatures) **and** the referenced artifact, which allows
 it to act as an attestation to the **signature(s) themselves**.

cmd/cosign/cli/download.go

@@ -80,7 +80,7 @@ func downloadAttestation() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:     "attestation",
 		Short:   "Download in-toto attestations from the supplied container image",
-		Example: "  cosign download attesation <image uri>",
+		Example: "  cosign download attestation <image uri>",
 		Args:    cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			return download.AttestationCmd(cmd.Context(), *o, args[0])

cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier.go

@@ -58,7 +58,7 @@ func getCTPub() string {
 
 // verifySCT verifies the SCT against the Fulcio CT log public key.
 // By default this comes from TUF, but you can override this (for test)
-// purposes by using an env variable `SIGSTOE_CT_LOG_PUBLIC_KEY_FILE`. If using
+// purposes by using an env variable `SIGSTORE_CT_LOG_PUBLIC_KEY_FILE`. If using
 // an alternate, the file can be PEM, or DER format.
 //
 // The SCT is a `Signed Certificate Timestamp`, which promises that

cmd/cosign/cli/options/annotations_test.go

@@ -56,7 +56,7 @@ func TestAnnotationOptions_AnnotationsMap(t *testing.T) {
 				return
 			}
 			if diff := cmp.Diff(got, tt.want); diff != "" {
-				t.Errorf("AnnoxtationsMap() got = %v, want %v\n diff: %s", got, tt.want, diff)
+				t.Errorf("AnnotationsMap() got = %v, want %v\n diff: %s", got, tt.want, diff)
 			}
 		})
 	}

cmd/cosign/cli/sign.go

@@ -93,7 +93,7 @@ func Sign() *cobra.Command {
 				if o.Attachment == "" {
 					return errors.Wrapf(err, "signing %v", args)
 				}
-				return errors.Wrapf(err, "signing attachement %s for image %v", o.Attachment, args)
+				return errors.Wrapf(err, "signing attachment %s for image %v", o.Attachment, args)
 			}
 			return nil
 		},

cmd/cosign/cli/sign/sign.go

@@ -130,7 +130,7 @@ func SignCmd(ctx context.Context, ko KeyOpts, regOpts options.RegistryOptions, a
 		}
 	}
 
-	// Set up an ErrDone considerion to return along "success" paths
+	// Set up an ErrDone consideration to return along "success" paths
 	var ErrDone error
 	if !recursive {
 		ErrDone = mutate.ErrSkipChildren

internal/pkg/cosign/fulcio/signer.go

@@ -41,7 +41,7 @@ func (fs *signerWrapper) Sign(ctx context.Context, payload io.Reader) (oci.Signa
 		return nil, nil, err
 	}
 
-	// TODO(dekkagaijin): move the fulcio SignerVerififer logic here
+	// TODO(dekkagaijin): move the fulcio SignerVerifier logic here
 	newSig, err := mutate.Signature(sig, mutate.WithCertChain(fs.cert, fs.chain))
 	if err != nil {
 		return nil, nil, err

internal/pkg/cosign/sign.go

@@ -24,6 +24,6 @@ import (
 
 // Signer signs payloads in the form of `oci.Signature`s
 type Signer interface {
-	// Sign signs the given payload, returning the results as an `oci.Signature` which can be varified using the returned `crypto.PublicKey`.
+	// Sign signs the given payload, returning the results as an `oci.Signature` which can be verified using the returned `crypto.PublicKey`.
 	Sign(ctx context.Context, payload io.Reader) (oci.Signature, crypto.PublicKey, error)
 }

pkg/cosign/pivkey/pivkey.go

@@ -37,7 +37,7 @@ import (
 )
 
 var (
-	KeyNotInitialized error = errors.New("key not initialzied")
+	KeyNotInitialized error = errors.New("key not initialized")
 	SlotNotSet        error = errors.New("slot not set")
 )
 

pkg/cosign/pkcs11key/util.go

@@ -45,7 +45,7 @@ func percentEncode(input []byte) string {
 	return stringBuilder.String()
 }
 
-func EncodeURIComponent(uriString string, isForPath bool, usePercenttEncoding bool) (string, error) {
+func EncodeURIComponent(uriString string, isForPath bool, usePercentEncoding bool) (string, error) {
 	var stringBuilder strings.Builder
 	var allowedChars string
 
@@ -68,7 +68,7 @@ func EncodeURIComponent(uriString string, isForPath bool, usePercenttEncoding bo
 		if allowedChar {
 			stringBuilder.WriteByte(uriString[i])
 		} else {
-			if usePercenttEncoding {
+			if usePercentEncoding {
 				stringBuilder.WriteString(percentEncode([]byte{uriString[i]}))
 			} else {
 				return "", errors.New("string contains an invalid character")

pkg/cosign/tuf/policy_test.go

@@ -55,7 +55,7 @@ func TestValidKey(t *testing.T) {
 		t.Errorf("Error adding public key")
 	}
 	if _, err := root.ValidKey(publicKey, "root"); err != nil {
-		t.Errorf("Error checking key validit %s", err)
+		t.Errorf("Error checking key validity %s", err)
 	}
 	// Now change issuer, and expect error.
 	publicKey = FulcioVerificationKey("[email protected]", "")

pkg/oci/layout/write.go

@@ -79,7 +79,7 @@ func writeSignedEntity(path layout.Path, se oci.SignedEntity) error {
 	return nil
 }
 
-// isEmpty returns true if the signatures or attesations are empty
+// isEmpty returns true if the signatures or attestations are empty
 func isEmpty(s oci.Signatures) bool {
 	ss, _ := s.Get()
 	return ss == nil

pkg/oci/mutate/map.go

@@ -136,7 +136,7 @@ func Map(ctx context.Context, parent oci.SignedEntity, fn Fn) (oci.SignedEntity,
 	e := mutate.IndexMediaType(empty.Index, im.MediaType)
 	e = mutate.Annotations(e, im.Annotations).(v1.ImageIndex)
 
-	// Construct a new ImageIndex from the new consituent signed images.
+	// Construct a new ImageIndex from the new constituent signed images.
 	result := AppendManifests(e, adds...)
 
 	// Since the children changed, give the callback a crack at the new image index.

pkg/oci/remote/remote.go

@@ -156,26 +156,26 @@ func attachment(digestable digestable, attName string, o *options) (oci.File, er
 		return nil, fmt.Errorf("expected exactly one layer in attachment, got %d", len(ls))
 	}
 
-	return &attache{
+	return &attached{
 		SignedImage: img,
 		layer:       ls[0],
 	}, nil
 }
 
-type attache struct {
+type attached struct {
 	oci.SignedImage
 	layer v1.Layer
 }
 
-var _ oci.File = (*attache)(nil)
+var _ oci.File = (*attached)(nil)
 
 // FileMediaType implements oci.File
-func (f *attache) FileMediaType() (types.MediaType, error) {
+func (f *attached) FileMediaType() (types.MediaType, error) {
 	return f.layer.MediaType()
 }
 
 // Payload implements oci.File
-func (f *attache) Payload() ([]byte, error) {
+func (f *attached) Payload() ([]byte, error) {
 	// remote layers are believed to be stored
 	// compressed, but we don't compress attachments
 	// so use "Compressed" to access the raw byte

release/README.md

@@ -46,14 +46,14 @@ Where:
 - `_STORAGE_LOCATION` where to push the built artifacts. Default `cosign-releases`.
 - `_KEY_RING` key ring name of your cosign key.
 - `_KEY_NAME` key name of your  cosign key.
-- `_KEY_VERSION` version of the key storaged in KMS. Default `1`.
-- `_KEY_LOCATION` location in GCP where the key is storaged. Default `global`.
+- `_KEY_VERSION` version of the key stored in KMS. Default `1`.
+- `_KEY_LOCATION` location in GCP where the key is stored. Default `global`.
 
 
-3. When the job finish, whithout issues, you should be able to see in GitHub a draft release.
+3. When the job finish, without issues, you should be able to see in GitHub a draft release.
 You now can review the release, make any changes if needed and then publish to make it an official release.
 
-4. Send an annoucement email to `[email protected]` mailling list
+4. Send an announcement email to `[email protected]` mailing list
 
 5. Tweet about the new release with a fun new trigonometry pun!
 

specs/COSIGN_PREDICATE_SPEC.md

@@ -7,7 +7,7 @@ doesn't fit well into other types.
 The format for this is defined as follows:
 
 `data`: Raw data to place in the attestation. This is a base64-encoded string of bytes.
-`timestamp`: The timestamp the attestion was generated at in the RFC3339 format in the UTC timezone.
+`timestamp`: The timestamp the attestation was generated at in the RFC3339 format in the UTC timezone.
 
 Here is an example attestation containing a data file containing `foo`:
 

specs/SBOM_SPEC.md

@@ -91,7 +91,7 @@ In this example, the SBOM only refers to a single layer:
       "mediaType": "text/spdx",
       "size": 246,
       "digest": "sha256:ed3ad03d3b87843b5419d7dce9d50a3e0f45554b2ba93bf378611cae6b450cff",
-      "annotatons": {
+      "annotations": {
         "dev.sigstore.sbom.scope": "layer=sha256:a69d803ab2179a570eda27135989ee850de53bbd98efc8f0284f13700a94149f",
       }
     }

test/e2e_test.go

@@ -788,7 +788,7 @@ func TestAttachSBOM(t *testing.T) {
 
 func setenv(t *testing.T, k, v string) func() {
 	if err := os.Setenv(k, v); err != nil {
-		t.Fatalf("error setitng env: %v", err)
+		t.Fatalf("error setting env: %v", err)
 	}
 	return func() {
 		os.Unsetenv(k)