File: rename-to-square.patch

package info (click to toggle)
golang-gopkg-square-go-jose.v2 2.6.3-3
links: PTS, VCS
area: main
in suites: forky, sid, trixie
size: 1,452 kB
sloc: makefile: 3
file content (1383 lines) | stat: -rw-r--r-- 58,817 bytes
From: Reinhard Tartler <siretart@tauware.de>
Last-Updated: 2024-06-01
Description: Rename pacakge name back to old name

This is a legacy package to a branch where upstream has moved to a new github
project, and thus has renamed to import names. Upstream also strongly
encouragages software to update to its newer v4 branch. However, we have still
a number of packages in Debian that use the old names. In particular the test
suites break with a simple rename approach.

To minimize the amount of work in Debian, take the fixes from the newer 2.6.3
branch, but restore the old import name using the old 'square' github org.

This reverts commit a0568d778a639669bee1c4b5b42f363b76a7369d

Index: golang-gopkg-square-go-jose.v2/asymmetric.go
===================================================================
--- golang-gopkg-square-go-jose.v2.orig/asymmetric.go
+++ golang-gopkg-square-go-jose.v2/asymmetric.go
@@ -29,8 +29,8 @@ import (
 	"math/big"
 
 	"golang.org/x/crypto/ed25519"
-	josecipher "gopkg.in/go-jose/go-jose.v2/cipher"
-	"gopkg.in/go-jose/go-jose.v2/json"
+	josecipher "gopkg.in/square/go-jose.v2/cipher"
+	"gopkg.in/square/go-jose.v2/json"
 )
 
 // A generic RSA-based encrypter/verifier
@@ -416,28 +416,28 @@ func (ctx ecKeyGenerator) genKey() ([]by
 func (ctx ecDecrypterSigner) decryptKey(headers rawHeader, recipient *recipientInfo, generator keyGenerator) ([]byte, error) {
 	epk, err := headers.getEPK()
 	if err != nil {
-		return nil, errors.New("go-jose/go-jose: invalid epk header")
+		return nil, errors.New("square/go-jose: invalid epk header")
 	}
 	if epk == nil {
-		return nil, errors.New("go-jose/go-jose: missing epk header")
+		return nil, errors.New("square/go-jose: missing epk header")
 	}
 
 	publicKey, ok := epk.Key.(*ecdsa.PublicKey)
 	if publicKey == nil || !ok {
-		return nil, errors.New("go-jose/go-jose: invalid epk header")
+		return nil, errors.New("square/go-jose: invalid epk header")
 	}
 
 	if !ctx.privateKey.Curve.IsOnCurve(publicKey.X, publicKey.Y) {
-		return nil, errors.New("go-jose/go-jose: invalid public key in epk header")
+		return nil, errors.New("square/go-jose: invalid public key in epk header")
 	}
 
 	apuData, err := headers.getAPU()
 	if err != nil {
-		return nil, errors.New("go-jose/go-jose: invalid apu header")
+		return nil, errors.New("square/go-jose: invalid apu header")
 	}
 	apvData, err := headers.getAPV()
 	if err != nil {
-		return nil, errors.New("go-jose/go-jose: invalid apv header")
+		return nil, errors.New("square/go-jose: invalid apv header")
 	}
 
 	deriveKey := func(algID string, size int) []byte {
@@ -492,7 +492,7 @@ func (ctx edEncrypterVerifier) verifyPay
 	}
 	ok := ed25519.Verify(ctx.publicKey, payload, signature)
 	if !ok {
-		return errors.New("go-jose/go-jose: ed25519 signature failed to verify")
+		return errors.New("square/go-jose: ed25519 signature failed to verify")
 	}
 	return nil
 }
@@ -516,7 +516,7 @@ func (ctx ecDecrypterSigner) signPayload
 
 	curveBits := ctx.privateKey.Curve.Params().BitSize
 	if expectedBitSize != curveBits {
-		return Signature{}, fmt.Errorf("go-jose/go-jose: expected %d bit key, got %d bits instead", expectedBitSize, curveBits)
+		return Signature{}, fmt.Errorf("square/go-jose: expected %d bit key, got %d bits instead", expectedBitSize, curveBits)
 	}
 
 	hasher := hash.New()
@@ -574,7 +574,7 @@ func (ctx ecEncrypterVerifier) verifyPay
 	}
 
 	if len(signature) != 2*keySize {
-		return fmt.Errorf("go-jose/go-jose: invalid signature size, have %d bytes, wanted %d", len(signature), 2*keySize)
+		return fmt.Errorf("square/go-jose: invalid signature size, have %d bytes, wanted %d", len(signature), 2*keySize)
 	}
 
 	hasher := hash.New()
@@ -588,7 +588,7 @@ func (ctx ecEncrypterVerifier) verifyPay
 
 	match := ecdsa.Verify(ctx.publicKey, hashed, r, s)
 	if !match {
-		return errors.New("go-jose/go-jose: ecdsa signature failed to verify")
+		return errors.New("square/go-jose: ecdsa signature failed to verify")
 	}
 
 	return nil
Index: golang-gopkg-square-go-jose.v2/cipher/cbc_hmac.go
===================================================================
--- golang-gopkg-square-go-jose.v2.orig/cipher/cbc_hmac.go
+++ golang-gopkg-square-go-jose.v2/cipher/cbc_hmac.go
@@ -101,14 +101,14 @@ func (ctx *cbcAEAD) Seal(dst, nonce, pla
 // Open decrypts and authenticates the ciphertext.
 func (ctx *cbcAEAD) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) {
 	if len(ciphertext) < ctx.authtagBytes {
-		return nil, errors.New("go-jose/go-jose: invalid ciphertext (too short)")
+		return nil, errors.New("square/go-jose: invalid ciphertext (too short)")
 	}
 
 	offset := len(ciphertext) - ctx.authtagBytes
 	expectedTag := ctx.computeAuthTag(data, nonce, ciphertext[:offset])
 	match := subtle.ConstantTimeCompare(expectedTag, ciphertext[offset:])
 	if match != 1 {
-		return nil, errors.New("go-jose/go-jose: invalid ciphertext (auth tag mismatch)")
+		return nil, errors.New("square/go-jose: invalid ciphertext (auth tag mismatch)")
 	}
 
 	cbc := cipher.NewCBCDecrypter(ctx.blockCipher, nonce)
@@ -117,7 +117,7 @@ func (ctx *cbcAEAD) Open(dst, nonce, cip
 	buffer := append([]byte{}, []byte(ciphertext[:offset])...)
 
 	if len(buffer)%ctx.blockCipher.BlockSize() > 0 {
-		return nil, errors.New("go-jose/go-jose: invalid ciphertext (invalid length)")
+		return nil, errors.New("square/go-jose: invalid ciphertext (invalid length)")
 	}
 
 	cbc.CryptBlocks(buffer, buffer)
@@ -177,19 +177,19 @@ func padBuffer(buffer []byte, blockSize
 // Remove padding
 func unpadBuffer(buffer []byte, blockSize int) ([]byte, error) {
 	if len(buffer)%blockSize != 0 {
-		return nil, errors.New("go-jose/go-jose: invalid padding")
+		return nil, errors.New("square/go-jose: invalid padding")
 	}
 
 	last := buffer[len(buffer)-1]
 	count := int(last)
 
 	if count == 0 || count > blockSize || count > len(buffer) {
-		return nil, errors.New("go-jose/go-jose: invalid padding")
+		return nil, errors.New("square/go-jose: invalid padding")
 	}
 
 	padding := bytes.Repeat([]byte{last}, count)
 	if !bytes.HasSuffix(buffer, padding) {
-		return nil, errors.New("go-jose/go-jose: invalid padding")
+		return nil, errors.New("square/go-jose: invalid padding")
 	}
 
 	return buffer[:len(buffer)-count], nil
Index: golang-gopkg-square-go-jose.v2/cipher/key_wrap.go
===================================================================
--- golang-gopkg-square-go-jose.v2.orig/cipher/key_wrap.go
+++ golang-gopkg-square-go-jose.v2/cipher/key_wrap.go
@@ -28,7 +28,7 @@ var defaultIV = []byte{0xA6, 0xA6, 0xA6,
 // KeyWrap implements NIST key wrapping; it wraps a content encryption key (cek) with the given block cipher.
 func KeyWrap(block cipher.Block, cek []byte) ([]byte, error) {
 	if len(cek)%8 != 0 {
-		return nil, errors.New("go-jose/go-jose: key wrap input must be 8 byte blocks")
+		return nil, errors.New("square/go-jose: key wrap input must be 8 byte blocks")
 	}
 
 	n := len(cek) / 8
@@ -68,7 +68,7 @@ func KeyWrap(block cipher.Block, cek []b
 // KeyUnwrap implements NIST key unwrapping; it unwraps a content encryption key (cek) with the given block cipher.
 func KeyUnwrap(block cipher.Block, ciphertext []byte) ([]byte, error) {
 	if len(ciphertext)%8 != 0 {
-		return nil, errors.New("go-jose/go-jose: key wrap input must be 8 byte blocks")
+		return nil, errors.New("square/go-jose: key wrap input must be 8 byte blocks")
 	}
 
 	n := (len(ciphertext) / 8) - 1
@@ -97,7 +97,7 @@ func KeyUnwrap(block cipher.Block, ciphe
 	}
 
 	if subtle.ConstantTimeCompare(buffer[:8], defaultIV) == 0 {
-		return nil, errors.New("go-jose/go-jose: failed to unwrap key")
+		return nil, errors.New("square/go-jose: failed to unwrap key")
 	}
 
 	out := make([]byte, n*8)
Index: golang-gopkg-square-go-jose.v2/crypter.go
===================================================================
--- golang-gopkg-square-go-jose.v2.orig/crypter.go
+++ golang-gopkg-square-go-jose.v2/crypter.go
@@ -23,7 +23,7 @@ import (
 	"fmt"
 	"reflect"
 
-	"gopkg.in/go-jose/go-jose.v2/json"
+	"gopkg.in/square/go-jose.v2/json"
 )
 
 // Encrypter represents an encrypter which produces an encrypted JWE object.
@@ -202,7 +202,7 @@ func NewMultiEncrypter(enc ContentEncryp
 		return nil, ErrUnsupportedAlgorithm
 	}
 	if rcpts == nil || len(rcpts) == 0 {
-		return nil, fmt.Errorf("go-jose/go-jose: recipients is nil or empty")
+		return nil, fmt.Errorf("square/go-jose: recipients is nil or empty")
 	}
 
 	encrypter := &genericEncrypter{
@@ -234,7 +234,7 @@ func (ctx *genericEncrypter) addRecipien
 
 	switch recipient.Algorithm {
 	case DIRECT, ECDH_ES:
-		return fmt.Errorf("go-jose/go-jose: key algorithm '%s' not supported in multi-recipient mode", recipient.Algorithm)
+		return fmt.Errorf("square/go-jose: key algorithm '%s' not supported in multi-recipient mode", recipient.Algorithm)
 	}
 
 	recipientInfo, err = makeJWERecipient(recipient.Algorithm, recipient.Key)
@@ -326,7 +326,7 @@ func (ctx *genericEncrypter) EncryptWith
 	obj.recipients = make([]recipientInfo, len(ctx.recipients))
 
 	if len(ctx.recipients) == 0 {
-		return nil, fmt.Errorf("go-jose/go-jose: no recipients to encrypt to")
+		return nil, fmt.Errorf("square/go-jose: no recipients to encrypt to")
 	}
 
 	cek, headers, err := ctx.keyGenerator.genKey()
@@ -413,16 +413,16 @@ func (obj JSONWebEncryption) Decrypt(dec
 	headers := obj.mergedHeaders(nil)
 
 	if len(obj.recipients) > 1 {
-		return nil, errors.New("go-jose/go-jose: too many recipients in payload; expecting only one")
+		return nil, errors.New("square/go-jose: too many recipients in payload; expecting only one")
 	}
 
 	critical, err := headers.getCritical()
 	if err != nil {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid crit header")
+		return nil, fmt.Errorf("square/go-jose: invalid crit header")
 	}
 
 	if len(critical) > 0 {
-		return nil, fmt.Errorf("go-jose/go-jose: unsupported crit header")
+		return nil, fmt.Errorf("square/go-jose: unsupported crit header")
 	}
 
 	decrypter, err := newDecrypter(decryptionKey)
@@ -432,7 +432,7 @@ func (obj JSONWebEncryption) Decrypt(dec
 
 	cipher := getContentCipher(headers.getEncryption())
 	if cipher == nil {
-		return nil, fmt.Errorf("go-jose/go-jose: unsupported enc value '%s'", string(headers.getEncryption()))
+		return nil, fmt.Errorf("square/go-jose: unsupported enc value '%s'", string(headers.getEncryption()))
 	}
 
 	generator := randomKeyGenerator{
@@ -481,11 +481,11 @@ func (obj JSONWebEncryption) DecryptMult
 
 	critical, err := globalHeaders.getCritical()
 	if err != nil {
-		return -1, Header{}, nil, fmt.Errorf("go-jose/go-jose: invalid crit header")
+		return -1, Header{}, nil, fmt.Errorf("square/go-jose: invalid crit header")
 	}
 
 	if len(critical) > 0 {
-		return -1, Header{}, nil, fmt.Errorf("go-jose/go-jose: unsupported crit header")
+		return -1, Header{}, nil, fmt.Errorf("square/go-jose: unsupported crit header")
 	}
 
 	decrypter, err := newDecrypter(decryptionKey)
@@ -496,7 +496,7 @@ func (obj JSONWebEncryption) DecryptMult
 	encryption := globalHeaders.getEncryption()
 	cipher := getContentCipher(encryption)
 	if cipher == nil {
-		return -1, Header{}, nil, fmt.Errorf("go-jose/go-jose: unsupported enc value '%s'", string(encryption))
+		return -1, Header{}, nil, fmt.Errorf("square/go-jose: unsupported enc value '%s'", string(encryption))
 	}
 
 	generator := randomKeyGenerator{
@@ -541,7 +541,7 @@ func (obj JSONWebEncryption) DecryptMult
 
 	sanitized, err := headers.sanitized()
 	if err != nil {
-		return -1, Header{}, nil, fmt.Errorf("go-jose/go-jose: failed to sanitize header: %v", err)
+		return -1, Header{}, nil, fmt.Errorf("square/go-jose: failed to sanitize header: %v", err)
 	}
 
 	return index, sanitized, plaintext, err
Index: golang-gopkg-square-go-jose.v2/cryptosigner/cryptosigner.go
===================================================================
--- golang-gopkg-square-go-jose.v2.orig/cryptosigner/cryptosigner.go
+++ golang-gopkg-square-go-jose.v2/cryptosigner/cryptosigner.go
@@ -29,7 +29,7 @@ import (
 	"math/big"
 
 	"golang.org/x/crypto/ed25519"
-	"gopkg.in/go-jose/go-jose.v2"
+	"gopkg.in/square/go-jose.v2"
 )
 
 // Opaque creates an OpaqueSigner from a "crypto".Signer
Index: golang-gopkg-square-go-jose.v2/cryptosigner/cryptosigner_test.go
===================================================================
--- golang-gopkg-square-go-jose.v2.orig/cryptosigner/cryptosigner_test.go
+++ golang-gopkg-square-go-jose.v2/cryptosigner/cryptosigner_test.go
@@ -27,7 +27,7 @@ import (
 	"testing"
 
 	"golang.org/x/crypto/ed25519"
-	"gopkg.in/go-jose/go-jose.v2"
+	"gopkg.in/square/go-jose.v2"
 )
 
 func TestRoundtripsJWSCryptoSigner(t *testing.T) {
Index: golang-gopkg-square-go-jose.v2/encoding.go
===================================================================
--- golang-gopkg-square-go-jose.v2.orig/encoding.go
+++ golang-gopkg-square-go-jose.v2/encoding.go
@@ -27,7 +27,7 @@ import (
 	"strings"
 	"unicode"
 
-	"gopkg.in/go-jose/go-jose.v2/json"
+	"gopkg.in/square/go-jose.v2/json"
 )
 
 // Helper function to serialize known-good objects.
@@ -42,7 +42,7 @@ func mustSerializeJSON(value interface{}
 	// MarshalJSON will happily serialize it as the top-level value "null". If
 	// that value is then embedded in another operation, for instance by being
 	// base64-encoded and fed as input to a signing algorithm
-	// (https://github.com/go-jose/go-jose/issues/22), the result will be
+	// (https://github.com/square/go-jose/issues/22), the result will be
 	// incorrect. Because this method is intended for known-good objects, and a nil
 	// pointer is not a known-good object, we are free to panic in this case.
 	// Note: It's not possible to directly check whether the data pointed at by an
@@ -140,7 +140,7 @@ func newBuffer(data []byte) *byteBuffer
 
 func newFixedSizeBuffer(data []byte, length int) *byteBuffer {
 	if len(data) > length {
-		panic("go-jose/go-jose: invalid call to newFixedSizeBuffer (len(data) > length)")
+		panic("square/go-jose: invalid call to newFixedSizeBuffer (len(data) > length)")
 	}
 	pad := make([]byte, length-len(data))
 	return newBuffer(append(pad, data...))
Index: golang-gopkg-square-go-jose.v2/jose-util/main.go
===================================================================
--- golang-gopkg-square-go-jose.v2.orig/jose-util/main.go
+++ golang-gopkg-square-go-jose.v2/jose-util/main.go
@@ -22,7 +22,7 @@ import (
 	"os"
 
 	"gopkg.in/alecthomas/kingpin.v2"
-	"gopkg.in/go-jose/go-jose.v2"
+	"gopkg.in/square/go-jose.v2"
 )
 
 var (
Index: golang-gopkg-square-go-jose.v2/jose-util/utils.go
===================================================================
--- golang-gopkg-square-go-jose.v2.orig/jose-util/utils.go
+++ golang-gopkg-square-go-jose.v2/jose-util/utils.go
@@ -21,7 +21,7 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
-	"gopkg.in/go-jose/go-jose.v2"
+	"gopkg.in/square/go-jose.v2"
 )
 
 func LoadJSONWebKey(json []byte, pub bool) (*jose.JSONWebKey, error) {
@@ -64,7 +64,7 @@ func LoadPublicKey(data []byte) (interfa
 		return jwk, nil
 	}
 
-	return nil, fmt.Errorf("go-jose/go-jose: parse error, got '%s', '%s' and '%s'", err0, err1, err2)
+	return nil, fmt.Errorf("square/go-jose: parse error, got '%s', '%s' and '%s'", err0, err1, err2)
 }
 
 // LoadPrivateKey loads a private key from PEM/DER/JWK-encoded data.
@@ -97,5 +97,5 @@ func LoadPrivateKey(data []byte) (interf
 		return jwk, nil
 	}
 
-	return nil, fmt.Errorf("go-jose/go-jose: parse error, got '%s', '%s', '%s' and '%s'", err0, err1, err2, err3)
+	return nil, fmt.Errorf("square/go-jose: parse error, got '%s', '%s', '%s' and '%s'", err0, err1, err2, err3)
 }
Index: golang-gopkg-square-go-jose.v2/jwe.go
===================================================================
--- golang-gopkg-square-go-jose.v2.orig/jwe.go
+++ golang-gopkg-square-go-jose.v2/jwe.go
@@ -21,7 +21,7 @@ import (
 	"fmt"
 	"strings"
 
-	"gopkg.in/go-jose/go-jose.v2/json"
+	"gopkg.in/square/go-jose.v2/json"
 )
 
 // rawJSONWebEncryption represents a raw JWE JSON object. Used for parsing/serializing.
@@ -146,7 +146,7 @@ func (parsed *rawJSONWebEncryption) sani
 	if parsed.Protected != nil && len(parsed.Protected.bytes()) > 0 {
 		err := json.Unmarshal(parsed.Protected.bytes(), &obj.protected)
 		if err != nil {
-			return nil, fmt.Errorf("go-jose/go-jose: invalid protected header: %s, %s", err, parsed.Protected.base64())
+			return nil, fmt.Errorf("square/go-jose: invalid protected header: %s, %s", err, parsed.Protected.base64())
 		}
 	}
 
@@ -156,7 +156,7 @@ func (parsed *rawJSONWebEncryption) sani
 	mergedHeaders := obj.mergedHeaders(nil)
 	obj.Header, err = mergedHeaders.sanitized()
 	if err != nil {
-		return nil, fmt.Errorf("go-jose/go-jose: cannot sanitize merged headers: %v (%v)", err, mergedHeaders)
+		return nil, fmt.Errorf("square/go-jose: cannot sanitize merged headers: %v (%v)", err, mergedHeaders)
 	}
 
 	if len(parsed.Recipients) == 0 {
@@ -187,7 +187,7 @@ func (parsed *rawJSONWebEncryption) sani
 	for _, recipient := range obj.recipients {
 		headers := obj.mergedHeaders(&recipient)
 		if headers.getAlgorithm() == "" || headers.getEncryption() == "" {
-			return nil, fmt.Errorf("go-jose/go-jose: message is missing alg/enc headers")
+			return nil, fmt.Errorf("square/go-jose: message is missing alg/enc headers")
 		}
 	}
 
@@ -203,7 +203,7 @@ func (parsed *rawJSONWebEncryption) sani
 func parseEncryptedCompact(input string) (*JSONWebEncryption, error) {
 	parts := strings.Split(input, ".")
 	if len(parts) != 5 {
-		return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
+		return nil, fmt.Errorf("square/go-jose: compact JWE format must have five parts")
 	}
 
 	rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
Index: golang-gopkg-square-go-jose.v2/jwe_test.go
===================================================================
--- golang-gopkg-square-go-jose.v2.orig/jwe_test.go
+++ golang-gopkg-square-go-jose.v2/jwe_test.go
@@ -173,7 +173,7 @@ func TestRejectUnprotectedJWENonce(t *te
 	_, err := ParseEncrypted(input)
 	if err == nil {
 		t.Error("JWE with an unprotected nonce parsed as valid.")
-	} else if err.Error() != "go-jose/go-jose: Nonce parameter included in unprotected header" {
+	} else if err.Error() != "square/go-jose: Nonce parameter included in unprotected header" {
 		t.Errorf("Improper error for unprotected nonce: %v", err)
 	}
 
@@ -191,7 +191,7 @@ func TestRejectUnprotectedJWENonce(t *te
 	_, err = ParseEncrypted(input)
 	if err == nil {
 		t.Error("JWE with an unprotected nonce parsed as valid.")
-	} else if err.Error() != "go-jose/go-jose: Nonce parameter included in unprotected header" {
+	} else if err.Error() != "square/go-jose: Nonce parameter included in unprotected header" {
 		t.Errorf("Improper error for unprotected nonce: %v", err)
 	}
 
@@ -210,7 +210,7 @@ func TestRejectUnprotectedJWENonce(t *te
 	_, err = ParseEncrypted(input)
 	if err == nil {
 		t.Error("JWS with an unprotected nonce parsed as valid.")
-	} else if err.Error() != "go-jose/go-jose: Nonce parameter included in unprotected header" {
+	} else if err.Error() != "square/go-jose: Nonce parameter included in unprotected header" {
 		t.Errorf("Improper error for unprotected nonce: %v", err)
 	}
 }
Index: golang-gopkg-square-go-jose.v2/jwk-keygen/main.go
===================================================================
--- golang-gopkg-square-go-jose.v2.orig/jwk-keygen/main.go
+++ golang-gopkg-square-go-jose.v2/jwk-keygen/main.go
@@ -31,7 +31,7 @@ import (
 	"golang.org/x/crypto/ed25519"
 
 	"gopkg.in/alecthomas/kingpin.v2"
-	"gopkg.in/go-jose/go-jose.v2"
+	"gopkg.in/square/go-jose.v2"
 )
 
 var (
Index: golang-gopkg-square-go-jose.v2/jwk.go
===================================================================
--- golang-gopkg-square-go-jose.v2.orig/jwk.go
+++ golang-gopkg-square-go-jose.v2/jwk.go
@@ -36,7 +36,7 @@ import (
 
 	"golang.org/x/crypto/ed25519"
 
-	"gopkg.in/go-jose/go-jose.v2/json"
+	"gopkg.in/square/go-jose.v2/json"
 )
 
 // rawJSONWebKey represents a public or private key in JWK format, used for parsing/serializing.
@@ -110,7 +110,7 @@ func (k JSONWebKey) MarshalJSON() ([]byt
 	case []byte:
 		raw, err = fromSymmetricKey(key)
 	default:
-		return nil, fmt.Errorf("go-jose/go-jose: unknown key type '%s'", reflect.TypeOf(key))
+		return nil, fmt.Errorf("square/go-jose: unknown key type '%s'", reflect.TypeOf(key))
 	}
 
 	if err != nil {
@@ -129,13 +129,13 @@ func (k JSONWebKey) MarshalJSON() ([]byt
 	x5tSHA256Len := len(k.CertificateThumbprintSHA256)
 	if x5tSHA1Len > 0 {
 		if x5tSHA1Len != sha1.Size {
-			return nil, fmt.Errorf("go-jose/go-jose: invalid SHA-1 thumbprint (must be %d bytes, not %d)", sha1.Size, x5tSHA1Len)
+			return nil, fmt.Errorf("square/go-jose: invalid SHA-1 thumbprint (must be %d bytes, not %d)", sha1.Size, x5tSHA1Len)
 		}
 		raw.X5tSHA1 = base64.RawURLEncoding.EncodeToString(k.CertificateThumbprintSHA1)
 	}
 	if x5tSHA256Len > 0 {
 		if x5tSHA256Len != sha256.Size {
-			return nil, fmt.Errorf("go-jose/go-jose: invalid SHA-256 thumbprint (must be %d bytes, not %d)", sha256.Size, x5tSHA256Len)
+			return nil, fmt.Errorf("square/go-jose: invalid SHA-256 thumbprint (must be %d bytes, not %d)", sha256.Size, x5tSHA256Len)
 		}
 		raw.X5tSHA256 = base64.RawURLEncoding.EncodeToString(k.CertificateThumbprintSHA256)
 	}
@@ -149,10 +149,10 @@ func (k JSONWebKey) MarshalJSON() ([]byt
 		expectedSHA256 := sha256.Sum256(k.Certificates[0].Raw)
 
 		if len(k.CertificateThumbprintSHA1) > 0 && !bytes.Equal(k.CertificateThumbprintSHA1, expectedSHA1[:]) {
-			return nil, errors.New("go-jose/go-jose: invalid SHA-1 thumbprint, does not match cert chain")
+			return nil, errors.New("square/go-jose: invalid SHA-1 thumbprint, does not match cert chain")
 		}
 		if len(k.CertificateThumbprintSHA256) > 0 && !bytes.Equal(k.CertificateThumbprintSHA256, expectedSHA256[:]) {
-			return nil, errors.New("go-jose/go-jose: invalid or SHA-256 thumbprint, does not match cert chain")
+			return nil, errors.New("square/go-jose: invalid or SHA-256 thumbprint, does not match cert chain")
 		}
 	}
 
@@ -171,7 +171,7 @@ func (k *JSONWebKey) UnmarshalJSON(data
 
 	certs, err := parseCertificateChain(raw.X5c)
 	if err != nil {
-		return fmt.Errorf("go-jose/go-jose: failed to unmarshal x5c field: %s", err)
+		return fmt.Errorf("square/go-jose: failed to unmarshal x5c field: %s", err)
 	}
 
 	var key interface{}
@@ -211,7 +211,7 @@ func (k *JSONWebKey) UnmarshalJSON(data
 		}
 	case "oct":
 		if certPub != nil {
-			return errors.New("go-jose/go-jose: invalid JWK, found 'oct' (symmetric) key with cert chain")
+			return errors.New("square/go-jose: invalid JWK, found 'oct' (symmetric) key with cert chain")
 		}
 		key, err = raw.symmetricKey()
 	case "OKP":
@@ -226,10 +226,10 @@ func (k *JSONWebKey) UnmarshalJSON(data
 				keyPub = key
 			}
 		} else {
-			err = fmt.Errorf("go-jose/go-jose: unknown curve %s'", raw.Crv)
+			err = fmt.Errorf("square/go-jose: unknown curve %s'", raw.Crv)
 		}
 	default:
-		err = fmt.Errorf("go-jose/go-jose: unknown json web key type '%s'", raw.Kty)
+		err = fmt.Errorf("square/go-jose: unknown json web key type '%s'", raw.Kty)
 	}
 
 	if err != nil {
@@ -238,7 +238,7 @@ func (k *JSONWebKey) UnmarshalJSON(data
 
 	if certPub != nil && keyPub != nil {
 		if !reflect.DeepEqual(certPub, keyPub) {
-			return errors.New("go-jose/go-jose: invalid JWK, public keys in key and x5c fields to not match")
+			return errors.New("square/go-jose: invalid JWK, public keys in key and x5c fields to not match")
 		}
 	}
 
@@ -250,7 +250,7 @@ func (k *JSONWebKey) UnmarshalJSON(data
 	// See RFC 7517, Section 4.8, https://tools.ietf.org/html/rfc7517#section-4.8
 	x5tSHA1bytes, err := base64.RawURLEncoding.DecodeString(raw.X5tSHA1)
 	if err != nil {
-		return errors.New("go-jose/go-jose: invalid JWK, x5t header has invalid encoding")
+		return errors.New("square/go-jose: invalid JWK, x5t header has invalid encoding")
 	}
 
 	// RFC 7517, Section 4.8 is ambiguous as to whether the digest output should be byte or hex,
@@ -260,7 +260,7 @@ func (k *JSONWebKey) UnmarshalJSON(data
 	if len(x5tSHA1bytes) == 2*sha1.Size {
 		hx, err := hex.DecodeString(string(x5tSHA1bytes))
 		if err != nil {
-			return fmt.Errorf("go-jose/go-jose: invalid JWK, unable to hex decode x5t: %v", err)
+			return fmt.Errorf("square/go-jose: invalid JWK, unable to hex decode x5t: %v", err)
 
 		}
 		x5tSHA1bytes = hx
@@ -270,13 +270,13 @@ func (k *JSONWebKey) UnmarshalJSON(data
 
 	x5tSHA256bytes, err := base64.RawURLEncoding.DecodeString(raw.X5tSHA256)
 	if err != nil {
-		return errors.New("go-jose/go-jose: invalid JWK, x5t#S256 header has invalid encoding")
+		return errors.New("square/go-jose: invalid JWK, x5t#S256 header has invalid encoding")
 	}
 
 	if len(x5tSHA256bytes) == 2*sha256.Size {
 		hx256, err := hex.DecodeString(string(x5tSHA256bytes))
 		if err != nil {
-			return fmt.Errorf("go-jose/go-jose: invalid JWK, unable to hex decode x5t#S256: %v", err)
+			return fmt.Errorf("square/go-jose: invalid JWK, unable to hex decode x5t#S256: %v", err)
 		}
 		x5tSHA256bytes = hx256
 	}
@@ -286,10 +286,10 @@ func (k *JSONWebKey) UnmarshalJSON(data
 	x5tSHA1Len := len(k.CertificateThumbprintSHA1)
 	x5tSHA256Len := len(k.CertificateThumbprintSHA256)
 	if x5tSHA1Len > 0 && x5tSHA1Len != sha1.Size {
-		return errors.New("go-jose/go-jose: invalid JWK, x5t header is of incorrect size")
+		return errors.New("square/go-jose: invalid JWK, x5t header is of incorrect size")
 	}
 	if x5tSHA256Len > 0 && x5tSHA256Len != sha256.Size {
-		return errors.New("go-jose/go-jose: invalid JWK, x5t#S256 header is of incorrect size")
+		return errors.New("square/go-jose: invalid JWK, x5t#S256 header is of incorrect size")
 	}
 
 	// If certificate chain *and* thumbprints are set, verify correctness.
@@ -299,11 +299,11 @@ func (k *JSONWebKey) UnmarshalJSON(data
 		sha256sum := sha256.Sum256(leaf.Raw)
 
 		if len(k.CertificateThumbprintSHA1) > 0 && !bytes.Equal(sha1sum[:], k.CertificateThumbprintSHA1) {
-			return errors.New("go-jose/go-jose: invalid JWK, x5c thumbprint does not match x5t value")
+			return errors.New("square/go-jose: invalid JWK, x5c thumbprint does not match x5t value")
 		}
 
 		if len(k.CertificateThumbprintSHA256) > 0 && !bytes.Equal(sha256sum[:], k.CertificateThumbprintSHA256) {
-			return errors.New("go-jose/go-jose: invalid JWK, x5c thumbprint does not match x5t#S256 value")
+			return errors.New("square/go-jose: invalid JWK, x5c thumbprint does not match x5t#S256 value")
 		}
 	}
 
@@ -342,7 +342,7 @@ func ecThumbprintInput(curve elliptic.Cu
 	}
 
 	if len(x.Bytes()) > coordLength || len(y.Bytes()) > coordLength {
-		return "", errors.New("go-jose/go-jose: invalid elliptic key (too large)")
+		return "", errors.New("square/go-jose: invalid elliptic key (too large)")
 	}
 
 	return fmt.Sprintf(ecThumbprintTemplate, crv,
@@ -359,7 +359,7 @@ func rsaThumbprintInput(n *big.Int, e in
 func edThumbprintInput(ed ed25519.PublicKey) (string, error) {
 	crv := "Ed25519"
 	if len(ed) > 32 {
-		return "", errors.New("go-jose/go-jose: invalid elliptic key (too large)")
+		return "", errors.New("square/go-jose: invalid elliptic key (too large)")
 	}
 	return fmt.Sprintf(edThumbprintTemplate, crv,
 		newFixedSizeBuffer(ed, 32).base64()), nil
@@ -384,7 +384,7 @@ func (k *JSONWebKey) Thumbprint(hash cry
 	case ed25519.PrivateKey:
 		input, err = edThumbprintInput(ed25519.PublicKey(key[32:]))
 	default:
-		return nil, fmt.Errorf("go-jose/go-jose: unknown key type '%s'", reflect.TypeOf(key))
+		return nil, fmt.Errorf("square/go-jose: unknown key type '%s'", reflect.TypeOf(key))
 	}
 
 	if err != nil {
@@ -463,7 +463,7 @@ func (k *JSONWebKey) Valid() bool {
 
 func (key rawJSONWebKey) rsaPublicKey() (*rsa.PublicKey, error) {
 	if key.N == nil || key.E == nil {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid RSA key, missing n/e values")
+		return nil, fmt.Errorf("square/go-jose: invalid RSA key, missing n/e values")
 	}
 
 	return &rsa.PublicKey{
@@ -498,29 +498,29 @@ func (key rawJSONWebKey) ecPublicKey() (
 	case "P-521":
 		curve = elliptic.P521()
 	default:
-		return nil, fmt.Errorf("go-jose/go-jose: unsupported elliptic curve '%s'", key.Crv)
+		return nil, fmt.Errorf("square/go-jose: unsupported elliptic curve '%s'", key.Crv)
 	}
 
 	if key.X == nil || key.Y == nil {
-		return nil, errors.New("go-jose/go-jose: invalid EC key, missing x/y values")
+		return nil, errors.New("square/go-jose: invalid EC key, missing x/y values")
 	}
 
 	// The length of this octet string MUST be the full size of a coordinate for
 	// the curve specified in the "crv" parameter.
 	// https://tools.ietf.org/html/rfc7518#section-6.2.1.2
 	if curveSize(curve) != len(key.X.data) {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid EC public key, wrong length for x")
+		return nil, fmt.Errorf("square/go-jose: invalid EC public key, wrong length for x")
 	}
 
 	if curveSize(curve) != len(key.Y.data) {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid EC public key, wrong length for y")
+		return nil, fmt.Errorf("square/go-jose: invalid EC public key, wrong length for y")
 	}
 
 	x := key.X.bigInt()
 	y := key.Y.bigInt()
 
 	if !curve.IsOnCurve(x, y) {
-		return nil, errors.New("go-jose/go-jose: invalid EC key, X/Y are not on declared curve")
+		return nil, errors.New("square/go-jose: invalid EC key, X/Y are not on declared curve")
 	}
 
 	return &ecdsa.PublicKey{
@@ -532,7 +532,7 @@ func (key rawJSONWebKey) ecPublicKey() (
 
 func fromEcPublicKey(pub *ecdsa.PublicKey) (*rawJSONWebKey, error) {
 	if pub == nil || pub.X == nil || pub.Y == nil {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid EC key (nil, or X/Y missing)")
+		return nil, fmt.Errorf("square/go-jose: invalid EC key (nil, or X/Y missing)")
 	}
 
 	name, err := curveName(pub.Curve)
@@ -546,7 +546,7 @@ func fromEcPublicKey(pub *ecdsa.PublicKe
 	yBytes := pub.Y.Bytes()
 
 	if len(xBytes) > size || len(yBytes) > size {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid EC key (X/Y too large)")
+		return nil, fmt.Errorf("square/go-jose: invalid EC key (X/Y too large)")
 	}
 
 	key := &rawJSONWebKey{
@@ -569,7 +569,7 @@ func (key rawJSONWebKey) edPrivateKey()
 	}
 
 	if len(missing) > 0 {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid Ed25519 private key, missing %s value(s)", strings.Join(missing, ", "))
+		return nil, fmt.Errorf("square/go-jose: invalid Ed25519 private key, missing %s value(s)", strings.Join(missing, ", "))
 	}
 
 	privateKey := make([]byte, ed25519.PrivateKeySize)
@@ -581,7 +581,7 @@ func (key rawJSONWebKey) edPrivateKey()
 
 func (key rawJSONWebKey) edPublicKey() (ed25519.PublicKey, error) {
 	if key.X == nil {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid Ed key, missing x value")
+		return nil, fmt.Errorf("square/go-jose: invalid Ed key, missing x value")
 	}
 	publicKey := make([]byte, ed25519.PublicKeySize)
 	copy(publicKey[0:32], key.X.bytes())
@@ -605,7 +605,7 @@ func (key rawJSONWebKey) rsaPrivateKey()
 	}
 
 	if len(missing) > 0 {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid RSA private key, missing %s value(s)", strings.Join(missing, ", "))
+		return nil, fmt.Errorf("square/go-jose: invalid RSA private key, missing %s value(s)", strings.Join(missing, ", "))
 	}
 
 	rv := &rsa.PrivateKey{
@@ -675,34 +675,34 @@ func (key rawJSONWebKey) ecPrivateKey()
 	case "P-521":
 		curve = elliptic.P521()
 	default:
-		return nil, fmt.Errorf("go-jose/go-jose: unsupported elliptic curve '%s'", key.Crv)
+		return nil, fmt.Errorf("square/go-jose: unsupported elliptic curve '%s'", key.Crv)
 	}
 
 	if key.X == nil || key.Y == nil || key.D == nil {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid EC private key, missing x/y/d values")
+		return nil, fmt.Errorf("square/go-jose: invalid EC private key, missing x/y/d values")
 	}
 
 	// The length of this octet string MUST be the full size of a coordinate for
 	// the curve specified in the "crv" parameter.
 	// https://tools.ietf.org/html/rfc7518#section-6.2.1.2
 	if curveSize(curve) != len(key.X.data) {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid EC private key, wrong length for x")
+		return nil, fmt.Errorf("square/go-jose: invalid EC private key, wrong length for x")
 	}
 
 	if curveSize(curve) != len(key.Y.data) {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid EC private key, wrong length for y")
+		return nil, fmt.Errorf("square/go-jose: invalid EC private key, wrong length for y")
 	}
 
 	// https://tools.ietf.org/html/rfc7518#section-6.2.2.1
 	if dSize(curve) != len(key.D.data) {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid EC private key, wrong length for d")
+		return nil, fmt.Errorf("square/go-jose: invalid EC private key, wrong length for d")
 	}
 
 	x := key.X.bigInt()
 	y := key.Y.bigInt()
 
 	if !curve.IsOnCurve(x, y) {
-		return nil, errors.New("go-jose/go-jose: invalid EC key, X/Y are not on declared curve")
+		return nil, errors.New("square/go-jose: invalid EC key, X/Y are not on declared curve")
 	}
 
 	return &ecdsa.PrivateKey{
@@ -722,7 +722,7 @@ func fromEcPrivateKey(ec *ecdsa.PrivateK
 	}
 
 	if ec.D == nil {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid EC private key")
+		return nil, fmt.Errorf("square/go-jose: invalid EC private key")
 	}
 
 	raw.D = newFixedSizeBuffer(ec.D.Bytes(), dSize(ec.PublicKey.Curve))
@@ -754,7 +754,7 @@ func fromSymmetricKey(key []byte) (*rawJ
 
 func (key rawJSONWebKey) symmetricKey() ([]byte, error) {
 	if key.K == nil {
-		return nil, fmt.Errorf("go-jose/go-jose: invalid OCT (symmetric) key, missing k value")
+		return nil, fmt.Errorf("square/go-jose: invalid OCT (symmetric) key, missing k value")
 	}
 	return key.K.bytes(), nil
 }
Index: golang-gopkg-square-go-jose.v2/jwk_test.go
===================================================================
--- golang-gopkg-square-go-jose.v2.orig/jwk_test.go
+++ golang-gopkg-square-go-jose.v2/jwk_test.go
@@ -37,7 +37,7 @@ import (
 
 	"golang.org/x/crypto/ed25519"
 
-	"gopkg.in/go-jose/go-jose.v2/json"
+	"gopkg.in/square/go-jose.v2/json"
 )
 
 // Test chain of two X.509 certificates
@@ -991,8 +991,8 @@ func TestJWKBufferSizeCheck(t *testing.T
 	var jwk JSONWebKey
 	jwk.UnmarshalJSON([]byte(key))
 	jwk.Valid() // true
-	// panic: go-jose/go-jose: invalid call to newFixedSizeBuffer (len(data) > length)
-	// github.com/go-jose/go-jose.newFixedSizeBuffer(0xc420014557, 0x41, 0x41, 0x20, 0x0)
+	// panic: square/go-jose: invalid call to newFixedSizeBuffer (len(data) > length)
+	// github.com/square/go-jose.newFixedSizeBuffer(0xc420014557, 0x41, 0x41, 0x20, 0x0)
 	jwk.Thumbprint(crypto.SHA256)
 }
 
Index: golang-gopkg-square-go-jose.v2/jws.go
===================================================================
--- golang-gopkg-square-go-jose.v2.orig/jws.go
+++ golang-gopkg-square-go-jose.v2/jws.go
@@ -23,7 +23,7 @@ import (
 	"fmt"
 	"strings"
 
-	"gopkg.in/go-jose/go-jose.v2/json"
+	"gopkg.in/square/go-jose.v2/json"
 )
 
 // rawJSONWebSignature represents a raw JWS JSON object. Used for parsing/serializing.
@@ -88,7 +88,7 @@ func ParseSigned(signature string) (*JSO
 // ParseDetached parses a signed message in compact serialization format with detached payload.
 func ParseDetached(signature string, payload []byte) (*JSONWebSignature, error) {
 	if payload == nil {
-		return nil, errors.New("go-jose/go-jose: nil payload")
+		return nil, errors.New("square/go-jose: nil payload")
 	}
 	return parseSignedCompact(stripWhitespace(signature), payload)
 }
@@ -151,7 +151,7 @@ func parseSignedFull(input string) (*JSO
 // sanitized produces a cleaned-up JWS object from the raw JSON.
 func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
 	if parsed.Payload == nil {
-		return nil, fmt.Errorf("go-jose/go-jose: missing payload in JWS message")
+		return nil, fmt.Errorf("square/go-jose: missing payload in JWS message")
 	}
 
 	obj := &JSONWebSignature{
@@ -215,7 +215,7 @@ func (parsed *rawJSONWebSignature) sanit
 		// As per RFC 7515 Section 4.1.3, only public keys are allowed to be embedded.
 		jwk := signature.Header.JSONWebKey
 		if jwk != nil && (!jwk.Valid() || !jwk.IsPublic()) {
-			return nil, errors.New("go-jose/go-jose: invalid embedded jwk, must be public key")
+			return nil, errors.New("square/go-jose: invalid embedded jwk, must be public key")
 		}
 
 		obj.Signatures = append(obj.Signatures, signature)
@@ -260,7 +260,7 @@ func (parsed *rawJSONWebSignature) sanit
 		// As per RFC 7515 Section 4.1.3, only public keys are allowed to be embedded.
 		jwk := obj.Signatures[i].Header.JSONWebKey
 		if jwk != nil && (!jwk.Valid() || !jwk.IsPublic()) {
-			return nil, errors.New("go-jose/go-jose: invalid embedded jwk, must be public key")
+			return nil, errors.New("square/go-jose: invalid embedded jwk, must be public key")
 		}
 
 		// Copy value of sig
@@ -277,11 +277,11 @@ func (parsed *rawJSONWebSignature) sanit
 func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error) {
 	parts := strings.Split(input, ".")
 	if len(parts) != 3 {
-		return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
+		return nil, fmt.Errorf("square/go-jose: compact JWS format must have three parts")
 	}
 
 	if parts[1] != "" && payload != nil {
-		return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
+		return nil, fmt.Errorf("square/go-jose: payload is not detached")
 	}
 
 	rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
Index: golang-gopkg-square-go-jose.v2/jws_test.go
===================================================================
--- golang-gopkg-square-go-jose.v2.orig/jws_test.go
+++ golang-gopkg-square-go-jose.v2/jws_test.go
@@ -479,7 +479,7 @@ func TestNullHeaderValue(t *testing.T) {
 }
 
 // Test for bug:
-// https://github.com/go-jose/go-jose/issues/157
+// https://github.com/square/go-jose/issues/157
 func TestEmbedJWKBug(t *testing.T) {
 	signerKey := SigningKey{
 		Key: &JSONWebKey{
@@ -510,7 +510,7 @@ func TestEmbedJWKBug(t *testing.T) {
 	}
 
 	// This used to panic with:
-	// json: error calling MarshalJSON for type *jose.JSONWebKey: go-jose/go-jose: unknown key type '%!s(<nil>)'
+	// json: error calling MarshalJSON for type *jose.JSONWebKey: square/go-jose: unknown key type '%!s(<nil>)'
 	output := jws.FullSerialize()
 	outputNoEmbed := jwsNoEmbed.FullSerialize()
 
Index: golang-gopkg-square-go-jose.v2/jwt/builder.go
===================================================================
--- golang-gopkg-square-go-jose.v2.orig/jwt/builder.go
+++ golang-gopkg-square-go-jose.v2/jwt/builder.go
@@ -21,9 +21,9 @@ import (
 	"bytes"
 	"reflect"
 
-	"gopkg.in/go-jose/go-jose.v2/json"
+	"gopkg.in/square/go-jose.v2/json"
 
-	"gopkg.in/go-jose/go-jose.v2"
+	"gopkg.in/square/go-jose.v2"
 )
 
 // Builder is a utility for making JSON Web Tokens. Calls can be chained, and
Index: golang-gopkg-square-go-jose.v2/jwt/builder_test.go
===================================================================
--- golang-gopkg-square-go-jose.v2.orig/jwt/builder_test.go
+++ golang-gopkg-square-go-jose.v2/jwt/builder_test.go
@@ -34,8 +34,8 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
-	"gopkg.in/go-jose/go-jose.v2"
-	"gopkg.in/go-jose/go-jose.v2/json"
+	"gopkg.in/square/go-jose.v2"
+	"gopkg.in/square/go-jose.v2/json"
 )
 
 type testClaims struct {
@@ -269,7 +269,7 @@ func TestBuilderSignedAndEncrypted(t *te
 	encrypter2, err := jose.NewEncrypter(jose.A128CBC_HS256, recipient, nil)
 	require.NoError(t, err, "Error creating encrypter.")
 	_, err = SignedAndEncrypted(rsaSigner, encrypter2).CompactSerialize()
-	assert.EqualError(t, err, "go-jose/go-jose/jwt: expected content type to be JWT (cty header)")
+	assert.EqualError(t, err, "square/go-jose/jwt: expected content type to be JWT (cty header)")
 }
 
 func TestBuilderHeadersSigner(t *testing.T) {
Index: golang-gopkg-square-go-jose.v2/jwt/claims.go
===================================================================
--- golang-gopkg-square-go-jose.v2.orig/jwt/claims.go
+++ golang-gopkg-square-go-jose.v2/jwt/claims.go
@@ -21,7 +21,7 @@ import (
 	"strconv"
 	"time"
 
-	"gopkg.in/go-jose/go-jose.v2/json"
+	"gopkg.in/square/go-jose.v2/json"
 )
 
 // Claims represents public claim values (as specified in RFC 7519).
Index: golang-gopkg-square-go-jose.v2/jwt/claims_test.go
===================================================================
--- golang-gopkg-square-go-jose.v2.orig/jwt/claims_test.go
+++ golang-gopkg-square-go-jose.v2/jwt/claims_test.go
@@ -21,7 +21,7 @@ import (
 	"testing"
 	"time"
 
-	"gopkg.in/go-jose/go-jose.v2/json"
+	"gopkg.in/square/go-jose.v2/json"
 
 	"github.com/stretchr/testify/assert"
 )
Index: golang-gopkg-square-go-jose.v2/jwt/errors.go
===================================================================
--- golang-gopkg-square-go-jose.v2.orig/jwt/errors.go
+++ golang-gopkg-square-go-jose.v2/jwt/errors.go
@@ -20,34 +20,34 @@ package jwt
 import "errors"
 
 // ErrUnmarshalAudience indicates that aud claim could not be unmarshalled.
-var ErrUnmarshalAudience = errors.New("go-jose/go-jose/jwt: expected string or array value to unmarshal to Audience")
+var ErrUnmarshalAudience = errors.New("square/go-jose/jwt: expected string or array value to unmarshal to Audience")
 
 // ErrUnmarshalNumericDate indicates that JWT NumericDate could not be unmarshalled.
-var ErrUnmarshalNumericDate = errors.New("go-jose/go-jose/jwt: expected number value to unmarshal NumericDate")
+var ErrUnmarshalNumericDate = errors.New("square/go-jose/jwt: expected number value to unmarshal NumericDate")
 
 // ErrInvalidClaims indicates that given claims have invalid type.
-var ErrInvalidClaims = errors.New("go-jose/go-jose/jwt: expected claims to be value convertible into JSON object")
+var ErrInvalidClaims = errors.New("square/go-jose/jwt: expected claims to be value convertible into JSON object")
 
 // ErrInvalidIssuer indicates invalid iss claim.
-var ErrInvalidIssuer = errors.New("go-jose/go-jose/jwt: validation failed, invalid issuer claim (iss)")
+var ErrInvalidIssuer = errors.New("square/go-jose/jwt: validation failed, invalid issuer claim (iss)")
 
 // ErrInvalidSubject indicates invalid sub claim.
-var ErrInvalidSubject = errors.New("go-jose/go-jose/jwt: validation failed, invalid subject claim (sub)")
+var ErrInvalidSubject = errors.New("square/go-jose/jwt: validation failed, invalid subject claim (sub)")
 
 // ErrInvalidAudience indicated invalid aud claim.
-var ErrInvalidAudience = errors.New("go-jose/go-jose/jwt: validation failed, invalid audience claim (aud)")
+var ErrInvalidAudience = errors.New("square/go-jose/jwt: validation failed, invalid audience claim (aud)")
 
 // ErrInvalidID indicates invalid jti claim.
-var ErrInvalidID = errors.New("go-jose/go-jose/jwt: validation failed, invalid ID claim (jti)")
+var ErrInvalidID = errors.New("square/go-jose/jwt: validation failed, invalid ID claim (jti)")
 
 // ErrNotValidYet indicates that token is used before time indicated in nbf claim.
-var ErrNotValidYet = errors.New("go-jose/go-jose/jwt: validation failed, token not valid yet (nbf)")
+var ErrNotValidYet = errors.New("square/go-jose/jwt: validation failed, token not valid yet (nbf)")
 
 // ErrExpired indicates that token is used after expiry time indicated in exp claim.
-var ErrExpired = errors.New("go-jose/go-jose/jwt: validation failed, token is expired (exp)")
+var ErrExpired = errors.New("square/go-jose/jwt: validation failed, token is expired (exp)")
 
 // ErrIssuedInTheFuture indicates that the iat field is in the future.
-var ErrIssuedInTheFuture = errors.New("go-jose/go-jose/jwt: validation field, token issued in the future (iat)")
+var ErrIssuedInTheFuture = errors.New("square/go-jose/jwt: validation field, token issued in the future (iat)")
 
 // ErrInvalidContentType indicates that token requires JWT cty header.
-var ErrInvalidContentType = errors.New("go-jose/go-jose/jwt: expected content type to be JWT (cty header)")
+var ErrInvalidContentType = errors.New("square/go-jose/jwt: expected content type to be JWT (cty header)")
Index: golang-gopkg-square-go-jose.v2/jwt/example_test.go
===================================================================
--- golang-gopkg-square-go-jose.v2.orig/jwt/example_test.go
+++ golang-gopkg-square-go-jose.v2/jwt/example_test.go
@@ -26,8 +26,8 @@ import (
 	"crypto/x509"
 	"encoding/pem"
 
-	"gopkg.in/go-jose/go-jose.v2"
-	"gopkg.in/go-jose/go-jose.v2/jwt"
+	"gopkg.in/square/go-jose.v2"
+	"gopkg.in/square/go-jose.v2/jwt"
 )
 
 var sharedKey = []byte("secret")
Index: golang-gopkg-square-go-jose.v2/jwt/jwt.go
===================================================================
--- golang-gopkg-square-go-jose.v2.orig/jwt/jwt.go
+++ golang-gopkg-square-go-jose.v2/jwt/jwt.go
@@ -21,8 +21,8 @@ import (
 	"fmt"
 	"strings"
 
-	jose "gopkg.in/go-jose/go-jose.v2"
-	"gopkg.in/go-jose/go-jose.v2/json"
+	jose "gopkg.in/square/go-jose.v2"
+	"gopkg.in/square/go-jose.v2/json"
 )
 
 // JSONWebToken represents a JSON Web Token (as specified in RFC7519).
@@ -60,7 +60,7 @@ func (t *JSONWebToken) Claims(key interf
 // verified. This function won't work for encrypted JWTs.
 func (t *JSONWebToken) UnsafeClaimsWithoutVerification(dest ...interface{}) error {
 	if t.unverifiedPayload == nil {
-		return fmt.Errorf("go-jose/go-jose: Cannot get unverified claims")
+		return fmt.Errorf("square/go-jose: Cannot get unverified claims")
 	}
 	claims := t.unverifiedPayload()
 	for _, d := range dest {
Index: golang-gopkg-square-go-jose.v2/jwt/jwt_test.go
===================================================================
--- golang-gopkg-square-go-jose.v2.orig/jwt/jwt_test.go
+++ golang-gopkg-square-go-jose.v2/jwt/jwt_test.go
@@ -22,7 +22,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
-	jose "gopkg.in/go-jose/go-jose.v2"
+	jose "gopkg.in/square/go-jose.v2"
 )
 
 var (
@@ -109,7 +109,7 @@ func TestDecodeToken(t *testing.T) {
 			assert.Equal(t, []string{"s1", "s2"}, c2.Scopes)
 		}
 	}
-	assert.EqualError(t, tok.Claims([]byte("invalid-secret")), "go-jose/go-jose: error in cryptographic primitive")
+	assert.EqualError(t, tok.Claims([]byte("invalid-secret")), "square/go-jose: error in cryptographic primitive")
 
 	tok2, err := ParseSigned(rsaSignedToken)
 	if assert.NoError(t, err, "Error parsing encrypted token.") {
@@ -122,7 +122,7 @@ func TestDecodeToken(t *testing.T) {
 			}, c)
 		}
 	}
-	assert.EqualError(t, tok.Claims(&testPrivRSAKey2.PublicKey), "go-jose/go-jose: error in cryptographic primitive")
+	assert.EqualError(t, tok.Claims(&testPrivRSAKey2.PublicKey), "square/go-jose: error in cryptographic primitive")
 
 	tok3, err := ParseSigned(invalidPayloadSignedToken)
 	if assert.NoError(t, err, "Error parsing signed token.") {
@@ -130,7 +130,7 @@ func TestDecodeToken(t *testing.T) {
 	}
 
 	_, err = ParseSigned(invalidPartsSignedToken)
-	assert.EqualError(t, err, "go-jose/go-jose: compact JWS format must have three parts")
+	assert.EqualError(t, err, "square/go-jose: compact JWS format must have three parts")
 
 	tok4, err := ParseEncrypted(hmacEncryptedToken)
 	if assert.NoError(t, err, "Error parsing encrypted token.") {
@@ -139,7 +139,7 @@ func TestDecodeToken(t *testing.T) {
 			assert.Equal(t, "foo", c.Subject)
 		}
 	}
-	assert.EqualError(t, tok4.Claims([]byte("invalid-secret-key")), "go-jose/go-jose: error in cryptographic primitive")
+	assert.EqualError(t, tok4.Claims([]byte("invalid-secret-key")), "square/go-jose: error in cryptographic primitive")
 
 	tok5, err := ParseEncrypted(rsaEncryptedToken)
 	if assert.NoError(t, err, "Error parsing encrypted token.") {
@@ -152,7 +152,7 @@ func TestDecodeToken(t *testing.T) {
 			}, c)
 		}
 	}
-	assert.EqualError(t, tok5.Claims(testPrivRSAKey2), "go-jose/go-jose: error in cryptographic primitive")
+	assert.EqualError(t, tok5.Claims(testPrivRSAKey2), "square/go-jose: error in cryptographic primitive")
 
 	tok6, err := ParseEncrypted(invalidPayloadEncryptedToken)
 	if assert.NoError(t, err, "Error parsing encrypted token.") {
@@ -160,7 +160,7 @@ func TestDecodeToken(t *testing.T) {
 	}
 
 	_, err = ParseEncrypted(invalidPartsEncryptedToken)
-	assert.EqualError(t, err, "go-jose/go-jose: compact JWE format must have five parts")
+	assert.EqualError(t, err, "square/go-jose: compact JWE format must have five parts")
 
 	tok7, err := ParseSignedAndEncrypted(signedAndEncryptedToken)
 	if assert.NoError(t, err, "Error parsing signed-then-encrypted token.") {
@@ -172,14 +172,14 @@ func TestDecodeToken(t *testing.T) {
 				"iss":    "issuer",
 				"scopes": []interface{}{"s1", "s2"},
 			}, c)
-			assert.EqualError(t, nested.Claims(testPrivRSAKey2.Public()), "go-jose/go-jose: error in cryptographic primitive")
+			assert.EqualError(t, nested.Claims(testPrivRSAKey2.Public()), "square/go-jose: error in cryptographic primitive")
 		}
 	}
 	_, err = tok7.Decrypt(testPrivRSAKey2)
-	assert.EqualError(t, err, "go-jose/go-jose: error in cryptographic primitive")
+	assert.EqualError(t, err, "square/go-jose: error in cryptographic primitive")
 
 	_, err = ParseSignedAndEncrypted(invalidSignedAndEncryptedToken)
-	assert.EqualError(t, err, "go-jose/go-jose/jwt: expected content type to be JWT (cty header)")
+	assert.EqualError(t, err, "square/go-jose/jwt: expected content type to be JWT (cty header)")
 }
 
 func TestTamperedJWT(t *testing.T) {
Index: golang-gopkg-square-go-jose.v2/shared.go
===================================================================
--- golang-gopkg-square-go-jose.v2.orig/shared.go
+++ golang-gopkg-square-go-jose.v2/shared.go
@@ -23,7 +23,7 @@ import (
 	"errors"
 	"fmt"
 
-	"gopkg.in/go-jose/go-jose.v2/json"
+	"gopkg.in/square/go-jose.v2/json"
 )
 
 // KeyAlgorithm represents a key management algorithm.
@@ -45,32 +45,32 @@ var (
 	// ErrCryptoFailure represents an error in cryptographic primitive. This
 	// occurs when, for example, a message had an invalid authentication tag or
 	// could not be decrypted.
-	ErrCryptoFailure = errors.New("go-jose/go-jose: error in cryptographic primitive")
+	ErrCryptoFailure = errors.New("square/go-jose: error in cryptographic primitive")
 
 	// ErrUnsupportedAlgorithm indicates that a selected algorithm is not
 	// supported. This occurs when trying to instantiate an encrypter for an
 	// algorithm that is not yet implemented.
-	ErrUnsupportedAlgorithm = errors.New("go-jose/go-jose: unknown/unsupported algorithm")
+	ErrUnsupportedAlgorithm = errors.New("square/go-jose: unknown/unsupported algorithm")
 
 	// ErrUnsupportedKeyType indicates that the given key type/format is not
 	// supported. This occurs when trying to instantiate an encrypter and passing
 	// it a key of an unrecognized type or with unsupported parameters, such as
 	// an RSA private key with more than two primes.
-	ErrUnsupportedKeyType = errors.New("go-jose/go-jose: unsupported key type/format")
+	ErrUnsupportedKeyType = errors.New("square/go-jose: unsupported key type/format")
 
 	// ErrInvalidKeySize indicates that the given key is not the correct size
 	// for the selected algorithm. This can occur, for example, when trying to
 	// encrypt with AES-256 but passing only a 128-bit key as input.
-	ErrInvalidKeySize = errors.New("go-jose/go-jose: invalid key size for algorithm")
+	ErrInvalidKeySize = errors.New("square/go-jose: invalid key size for algorithm")
 
 	// ErrNotSupported serialization of object is not supported. This occurs when
 	// trying to compact-serialize an object which can't be represented in
 	// compact form.
-	ErrNotSupported = errors.New("go-jose/go-jose: compact serialization not supported for object")
+	ErrNotSupported = errors.New("square/go-jose: compact serialization not supported for object")
 
 	// ErrUnprotectedNonce indicates that while parsing a JWS or JWE object, a
 	// nonce header parameter was included in an unprotected header object.
-	ErrUnprotectedNonce = errors.New("go-jose/go-jose: Nonce parameter included in unprotected header")
+	ErrUnprotectedNonce = errors.New("square/go-jose: Nonce parameter included in unprotected header")
 )
 
 // Key management algorithms
@@ -194,7 +194,7 @@ type Header struct {
 // not be validated with the given verify options.
 func (h Header) Certificates(opts x509.VerifyOptions) ([][]*x509.Certificate, error) {
 	if len(h.certificates) == 0 {
-		return nil, errors.New("go-jose/go-jose: no x5c header present in message")
+		return nil, errors.New("square/go-jose: no x5c header present in message")
 	}
 
 	leaf := h.certificates[0]
@@ -496,7 +496,7 @@ func curveName(crv elliptic.Curve) (stri
 	case elliptic.P521():
 		return "P-521", nil
 	default:
-		return "", fmt.Errorf("go-jose/go-jose: unsupported/unknown elliptic curve")
+		return "", fmt.Errorf("square/go-jose: unsupported/unknown elliptic curve")
 	}
 }
 
Index: golang-gopkg-square-go-jose.v2/signing.go
===================================================================
--- golang-gopkg-square-go-jose.v2.orig/signing.go
+++ golang-gopkg-square-go-jose.v2/signing.go
@@ -26,7 +26,7 @@ import (
 
 	"golang.org/x/crypto/ed25519"
 
-	"gopkg.in/go-jose/go-jose.v2/json"
+	"gopkg.in/square/go-jose.v2/json"
 )
 
 // NonceSource represents a source of random nonces to go into JWS objects
@@ -227,7 +227,7 @@ func newJWKSigner(alg SignatureAlgorithm
 
 		// This should be impossible, but let's check anyway.
 		if !recipient.publicKey().IsPublic() {
-			return recipientSigInfo{}, errors.New("go-jose/go-jose: public key was unexpectedly not public")
+			return recipientSigInfo{}, errors.New("square/go-jose: public key was unexpectedly not public")
 		}
 	}
 	return recipient, nil
@@ -251,7 +251,7 @@ func (ctx *genericSigner) Sign(payload [
 			// result of the JOSE spec. We've decided that this library will only include one or
 			// the other to avoid this confusion.
 			//
-			// See https://github.com/go-jose/go-jose/issues/157 for more context.
+			// See https://github.com/square/go-jose/issues/157 for more context.
 			if ctx.embedJWK {
 				protected[headerJWK] = recipient.publicKey()
 			} else {
@@ -265,7 +265,7 @@ func (ctx *genericSigner) Sign(payload [
 		if ctx.nonceSource != nil {
 			nonce, err := ctx.nonceSource.Nonce()
 			if err != nil {
-				return nil, fmt.Errorf("go-jose/go-jose: Error generating nonce: %v", err)
+				return nil, fmt.Errorf("square/go-jose: Error generating nonce: %v", err)
 			}
 			protected[headerNonce] = nonce
 		}
@@ -279,7 +279,7 @@ func (ctx *genericSigner) Sign(payload [
 
 		if b64, ok := protected[headerB64]; ok {
 			if needsBase64, ok = b64.(bool); !ok {
-				return nil, errors.New("go-jose/go-jose: Invalid b64 header parameter")
+				return nil, errors.New("square/go-jose: Invalid b64 header parameter")
 			}
 		}
 
@@ -303,7 +303,7 @@ func (ctx *genericSigner) Sign(payload [
 		for k, v := range protected {
 			b, err := json.Marshal(v)
 			if err != nil {
-				return nil, fmt.Errorf("go-jose/go-jose: Error marshalling item %#v: %v", k, err)
+				return nil, fmt.Errorf("square/go-jose: Error marshalling item %#v: %v", k, err)
 			}
 			(*signatureInfo.protected)[k] = makeRawMessage(b)
 		}
@@ -354,7 +354,7 @@ func (obj JSONWebSignature) DetachedVeri
 	}
 
 	if len(obj.Signatures) > 1 {
-		return errors.New("go-jose/go-jose: too many signatures in payload; expecting only one")
+		return errors.New("square/go-jose: too many signatures in payload; expecting only one")
 	}
 
 	signature := obj.Signatures[0]
Index: golang-gopkg-square-go-jose.v2/signing_test.go
===================================================================
--- golang-gopkg-square-go-jose.v2.orig/signing_test.go
+++ golang-gopkg-square-go-jose.v2/signing_test.go
@@ -28,7 +28,7 @@ import (
 	"strings"
 	"testing"
 
-	"gopkg.in/go-jose/go-jose.v2/json"
+	"gopkg.in/square/go-jose.v2/json"
 )
 
 type staticNonceSource string
Index: golang-gopkg-square-go-jose.v2/symmetric.go
===================================================================
--- golang-gopkg-square-go-jose.v2.orig/symmetric.go
+++ golang-gopkg-square-go-jose.v2/symmetric.go
@@ -31,7 +31,7 @@ import (
 	"io"
 
 	"golang.org/x/crypto/pbkdf2"
-	"gopkg.in/go-jose/go-jose.v2/cipher"
+	"gopkg.in/square/go-jose.v2/cipher"
 )
 
 // Random reader (stubbed out in tests)
@@ -356,11 +356,11 @@ func (ctx *symmetricKeyCipher) decryptKe
 
 		iv, err := headers.getIV()
 		if err != nil {
-			return nil, fmt.Errorf("go-jose/go-jose: invalid IV: %v", err)
+			return nil, fmt.Errorf("square/go-jose: invalid IV: %v", err)
 		}
 		tag, err := headers.getTag()
 		if err != nil {
-			return nil, fmt.Errorf("go-jose/go-jose: invalid tag: %v", err)
+			return nil, fmt.Errorf("square/go-jose: invalid tag: %v", err)
 		}
 
 		parts := &aeadParts{
@@ -389,18 +389,18 @@ func (ctx *symmetricKeyCipher) decryptKe
 	case PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW:
 		p2s, err := headers.getP2S()
 		if err != nil {
-			return nil, fmt.Errorf("go-jose/go-jose: invalid P2S: %v", err)
+			return nil, fmt.Errorf("square/go-jose: invalid P2S: %v", err)
 		}
 		if p2s == nil || len(p2s.data) == 0 {
-			return nil, fmt.Errorf("go-jose/go-jose: invalid P2S: must be present")
+			return nil, fmt.Errorf("square/go-jose: invalid P2S: must be present")
 		}
 
 		p2c, err := headers.getP2C()
 		if err != nil {
-			return nil, fmt.Errorf("go-jose/go-jose: invalid P2C: %v", err)
+			return nil, fmt.Errorf("square/go-jose: invalid P2C: %v", err)
 		}
 		if p2c <= 0 {
-			return nil, fmt.Errorf("go-jose/go-jose: invalid P2C: must be a positive integer")
+			return nil, fmt.Errorf("square/go-jose: invalid P2C: must be a positive integer")
 		}
 		if p2c > 1000000 {
 			// An unauthenticated attacker can set a high P2C value. Set an upper limit to avoid
@@ -436,7 +436,7 @@ func (ctx *symmetricKeyCipher) decryptKe
 func (ctx symmetricMac) signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error) {
 	mac, err := ctx.hmac(payload, alg)
 	if err != nil {
-		return Signature{}, errors.New("go-jose/go-jose: failed to compute hmac")
+		return Signature{}, errors.New("square/go-jose: failed to compute hmac")
 	}
 
 	return Signature{
@@ -449,16 +449,16 @@ func (ctx symmetricMac) signPayload(payl
 func (ctx symmetricMac) verifyPayload(payload []byte, mac []byte, alg SignatureAlgorithm) error {
 	expected, err := ctx.hmac(payload, alg)
 	if err != nil {
-		return errors.New("go-jose/go-jose: failed to compute hmac")
+		return errors.New("square/go-jose: failed to compute hmac")
 	}
 
 	if len(mac) != len(expected) {
-		return errors.New("go-jose/go-jose: invalid hmac")
+		return errors.New("square/go-jose: invalid hmac")
 	}
 
 	match := subtle.ConstantTimeCompare(mac, expected)
 	if match != 1 {
-		return errors.New("go-jose/go-jose: invalid hmac")
+		return errors.New("square/go-jose: invalid hmac")
 	}
 
 	return nil