Reword error messages

internal/archive/archive.go

@@ -195,27 +195,26 @@ func (index *ubuntuIndex) fetchRelease() error {
 		return err
 	}
 
-	// Decode the signature(s) and verify the InRelease file.
-	// The InRelease file may have multiple signatures from
-	// different keys. Verify that at least one signature is valid
-	// against the archive's set of public keys. Unlike ``gpg --verify``
-	// which ensures the verification of all signatures, this is in line
-	// with what apt does internally [1].
-	// [1]  https://salsa.debian.org/apt-team/apt/-/blob/4e344a4c1d2862b7cdb900a20222bc22ac5edcf7/methods/gpgv.cc#L553-557
+	// Decode the signature(s) and verify the InRelease file. The InRelease
+	// file may have multiple signatures from different keys. Verify that at
+	// least one signature is valid against the archive's set of public keys.
+	// Unlike gpg --verify which ensures the verification of all signatures,
+	// this is in line with what apt does internally:
+	// https://salsa.debian.org/apt-team/apt/-/blob/4e344a4/methods/gpgv.cc#L553-557
 	sigs, body, content, err := setup.DecodeClearSigned(data)
 	if err != nil {
-		return fmt.Errorf("corrupted archive InRelease file: invalid signature")
+		return fmt.Errorf("cannot decode clearsigned InRelease file: %v", err)
 	}
 	err = setup.VerifyAnySignature(index.archive.publicKeys, sigs, body)
 	if err != nil {
-		return fmt.Errorf("cannot verify signature in the InRelease file")
+		return fmt.Errorf("cannot verify signature of the InRelease file")
 	}
 
 	// Using ``content`` here because ``body`` has CRLF endings.
 	// TODO	figure out how to use either ``body`` or ``content``.
 	ctrl, err := control.ParseString("Label", string(content))
 	if err != nil {
-		return fmt.Errorf("parsing archive InRelease file: %v", err)
+		return fmt.Errorf("cannot parse InRelease file: %v", err)
 	}
 	section := ctrl.Section("Ubuntu")
 	if section == nil {

internal/setup/openpgp.go

@@ -60,7 +60,7 @@ func DecodePublicKey(armoredData []byte) (*packet.PublicKey, error) {
 func DecodeClearSigned(clearData []byte) (sigs []*packet.Signature, signed []byte, text []byte, err error) {
 	block, _ := clearsign.Decode(clearData)
 	if block == nil {
-		return nil, nil, nil, fmt.Errorf("invalid clearsign text")
+		return nil, nil, nil, fmt.Errorf("cannot decode clearsign text")
 	}
 	reader := packet.NewReader(block.ArmoredSignature.Body)
 	for {
@@ -69,7 +69,7 @@ func DecodeClearSigned(clearData []byte) (sigs []*packet.Signature, signed []byt
 			if err == io.EOF {
 				break
 			}
-			return nil, nil, nil, fmt.Errorf("error parsing armored data: %w", err)
+			return nil, nil, nil, fmt.Errorf("cannot parse armored data: %w", err)
 		}
 		if sig, ok := p.(*packet.Signature); ok {
 			sigs = append(sigs, sig)
@@ -81,7 +81,7 @@ func DecodeClearSigned(clearData []byte) (sigs []*packet.Signature, signed []byt
 	return sigs, block.Bytes, block.Plaintext, nil
 }
 
-// VerifySignature returns nil if sig is a valid signature made by pubKey.
+// VerifySignature returns nil if sig is a valid signature from pubKey.
 func VerifySignature(pubKey *packet.PublicKey, sig *packet.Signature, body []byte) error {
 	hash := sig.Hash.New()
 	_, err := io.Copy(hash, bytes.NewBuffer(body))

internal/setup/openpgp_test.go

@@ -93,12 +93,12 @@ var verifyClearSignTests = []verifyClearSignTest{{
 	summary:   "Invalid data: bad packets",
 	clearData: invalidSignedDataBadPackets,
 	pubKeys:   []*packet.PublicKey{testKey.PublicKey},
-	relerror:  "error parsing armored data:.*",
+	relerror:  "cannot parse armored data: openpgp: .*",
 }, {
 	summary:   "Invalid data: malformed clearsign text",
 	clearData: "foo\n",
 	pubKeys:   []*packet.PublicKey{testKey.PublicKey},
-	relerror:  "invalid clearsign text.*",
+	relerror:  "cannot decode clearsign text",
 }, {
 	summary:   "Wrong public key to verify with",
 	clearData: clearSignedData,

internal/setup/setup.go

@@ -428,10 +428,10 @@ func parseRelease(baseDir, filePath string, data []byte) (*Release, error) {
 	for keyName, yamlPubKey := range yamlVar.PublicKeys {
 		key, err := DecodePublicKey([]byte(yamlPubKey.Armor))
 		if err != nil {
-			return nil, fmt.Errorf("%s: invalid public key %q: %w", fileName, keyName, err)
+			return nil, fmt.Errorf("%s: cannot decode public key %q: %w", fileName, keyName, err)
 		}
 		if yamlPubKey.KeyID != key.KeyIdString() {
-			return nil, fmt.Errorf("%s: invalid public key %q: key-id does not match", fileName, keyName)
+			return nil, fmt.Errorf("%s: public key %q armor has incorrect ID: expected %q, got %q", fileName, keyName, yamlPubKey.KeyID, key.KeyIdString())
 		}
 		pubKeys[keyName] = key
 	}
@@ -465,7 +465,7 @@ func parseRelease(baseDir, filePath string, data []byte) (*Release, error) {
 		for _, keyName := range details.PublicKeys {
 			key, ok := pubKeys[keyName]
 			if !ok {
-				return nil, fmt.Errorf("%s: unknown reference to public key %q in archive %q", fileName, keyName, archiveName)
+				return nil, fmt.Errorf("%s: archive %q refers to undefined public key %q", fileName, archiveName, keyName)
 			}
 			archiveKeys = append(archiveKeys, key)
 		}

internal/setup/setup_test.go

@@ -963,7 +963,7 @@ var setupTests = []setupTest{{
 			package: mypkg
 		`,
 	},
-	relerror: `chisel.yaml: unknown reference to public key "extra-key" in archive "foo"`,
+	relerror: `chisel.yaml: archive "foo" refers to undefined public key "extra-key"`,
 }, {
 	summary: "Invalid public key",
 	input: map[string]string{
@@ -991,7 +991,7 @@ var setupTests = []setupTest{{
 			package: mypkg
 		`,
 	},
-	relerror: `chisel.yaml: invalid public key "extra-key": cannot decode armored data`,
+	relerror: `chisel.yaml: cannot decode public key "extra-key": cannot decode armored data`,
 }, {
 	summary: "Mismatched public key ID",
 	input: map[string]string{
@@ -1013,7 +1013,7 @@ var setupTests = []setupTest{{
 			package: mypkg
 		`,
 	},
-	relerror: `chisel.yaml: invalid public key "extra-key": key-id does not match`,
+	relerror: `chisel.yaml: public key "extra-key" armor has incorrect ID: expected "9568570379BF1F43", got "854BAF1AA9D76600"`,
 }}
 
 var defaultChiselYaml = `