Mention VSA secret keyRef in load error

[simonbaird]

User description

This should help with some knative-service debugging.

---

PR Type

Enhancement

---

Description

• Include keyRef in load private key error message

• Improves debugging for VSA secret key resolution failures

---

Diagram Walkthrough

flowchart LR
  A["Error Message"] -->|"Add keyRef parameter"| B["Enhanced Debugging Info"]
  B -->|"Shows which key failed"| C["Better VSA Troubleshooting"]

Loading

File Walkthrough

	Relevant files
Enhancement	attest.go Add keyRef to private key load error                                          internal/validate/vsa/attest.go Modified error message in NewSigner function to include keyRef parameter Changed from generic "load private key" error to include the specific key reference Improves debugging visibility when private key loading fails +1/-1

---

[qodo-code-review]

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
⚪	Sensitive info exposure Description: The updated error message includes keyRef (fmt.Errorf("load private key %q: %w", keyRef, err)), which may leak sensitive secret identifiers (e.g., secret names/paths or key references) into logs or upstream error surfaces if this error is logged or returned to clients. attest.go [76-76] Referred Code return nil, fmt.Errorf("load private key %q: %w", keyRef, err) }
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
⚪	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Sensitive ref exposure: The error message now includes keyRef, which could expose internal secret names/paths to end-users depending on where this error is surfaced. Referred Code return nil, fmt.Errorf("load private key %q: %w", keyRef, err) } Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Secret ref in logs: If the returned error is logged upstream, including keyRef may leak secret identifiers or file locations into logs. Referred Code return nil, fmt.Errorf("load private key %q: %w", keyRef, err) } Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: Unvalidated error detail: keyRef is interpolated into an error string without sanitization, so if it can be influenced externally it may reveal unexpected internal details. Referred Code return nil, fmt.Errorf("load private key %q: %w", keyRef, err) } Learn more about managing compliance generic rules or creating your own custom rules

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

[qodo-code-review]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
General	Include keyRef in password error Add the keyRef to the error message for private key password resolution to improve debugging visibility. internal/validate/vsa/attest.go [69-72] password, err := utils.PasswordFromKeyRef(ctx, keyRef) if err != nil { - return nil, fmt.Errorf("resolve private key password: %w", err) + return nil, fmt.Errorf("resolve private key password %q: %w", keyRef, err) } [To ensure code accuracy, apply this suggestion manually] Suggestion importance[1-10]: 6 __ Why: This suggestion improves error message consistency by adding the keyRef, which aligns with the changes already made in the PR and enhances debuggability.	Low
More

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag	Coverage Δ
acceptance	55.98% <0.00%> (ø)
generative	18.97% <100.00%> (ø)
integration	28.44% <100.00%> (ø)
unit	67.96% <100.00%> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
internal/validate/vsa/attest.go	88.52% <100.00%> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[simonbaird]

Trivial change, tests passing. Let's merge.