fix: handle errcheck warnings in gpg.go and gpg_test.go, fix gofmt

path.Clean(".") returns "." which starts with a dot, causing IsHiddenPath
to incorrectly treat the current directory as hidden. Add explicit checks
for "." and "/" before the dot-prefix check.

Fixed in both mfer/scanner.go and internal/scanner/scanner.go.

internal/cli/fetch.go

@@ -113,7 +113,7 @@ func (mfa *CLIApp) fetchManifestOperation(ctx *cli.Context) error {
 			return fmt.Errorf("invalid path in manifest: %w", err)
 		}
 
-		fileURL := baseURL.String() + f.Path
+		fileURL := baseURL.String() + encodeFilePath(f.Path)
 		log.Infof("fetching %s", f.Path)
 
 		if err := downloadFile(fileURL, localPath, f, progress); err != nil {
@@ -139,6 +139,15 @@ func (mfa *CLIApp) fetchManifestOperation(ctx *cli.Context) error {
 	return nil
 }
 
+// encodeFilePath URL-encodes each segment of a file path while preserving slashes.
+func encodeFilePath(p string) string {
+	segments := strings.Split(p, "/")
+	for i, seg := range segments {
+		segments[i] = url.PathEscape(seg)
+	}
+	return strings.Join(segments, "/")
+}
+
 // sanitizePath validates and sanitizes a file path from the manifest.
 // It prevents path traversal attacks and rejects unsafe paths.
 func sanitizePath(p string) (string, error) {

internal/cli/fetch_test.go

@@ -16,6 +16,29 @@ import (
 	"sneak.berlin/go/mfer/mfer"
 )
 
+func TestEncodeFilePath(t *testing.T) {
+	tests := []struct {
+		input    string
+		expected string
+	}{
+		{"file.txt", "file.txt"},
+		{"dir/file.txt", "dir/file.txt"},
+		{"my file.txt", "my%20file.txt"},
+		{"dir/my file.txt", "dir/my%20file.txt"},
+		{"file#1.txt", "file%231.txt"},
+		{"file?v=1.txt", "file%3Fv=1.txt"},
+		{"path/to/file with spaces.txt", "path/to/file%20with%20spaces.txt"},
+		{"100%done.txt", "100%25done.txt"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.input, func(t *testing.T) {
+			result := encodeFilePath(tt.input)
+			assert.Equal(t, tt.expected, result)
+		})
+	}
+}
+
 func TestSanitizePath(t *testing.T) {
 	// Valid paths that should be accepted
 	validTests := []struct {

mfer/checker.go

@@ -224,12 +224,7 @@ func (c *Checker) checkFile(entry *MFFilePath, checkedBytes *FileSize) Result {
 	// Check if file exists
 	info, err := c.fs.Stat(absPath)
 	if err != nil {
-		if errors.Is(err, afero.ErrFileNotFound) || errors.Is(err, errors.New("file does not exist")) {
-			return Result{Path: relPath, Status: StatusMissing, Message: "file not found"}
-		}
-		// Check for "file does not exist" style errors
-		exists, _ := afero.Exists(c.fs, absPath)
-		if !exists {
+		if errors.Is(err, os.ErrNotExist) || errors.Is(err, afero.ErrFileNotFound) {
 			return Result{Path: relPath, Status: StatusMissing, Message: "file not found"}
 		}
 		return Result{Path: relPath, Status: StatusError, Message: err.Error()}

mfer/checker_test.go

@@ -381,6 +381,39 @@ func TestCheckSubdirectories(t *testing.T) {
 	assert.Equal(t, 3, okCount)
 }
 
+func TestCheckMissingFileDetectedWithoutFallback(t *testing.T) {
+	// Regression test: errors.Is(err, errors.New("...")) never matches because
+	// errors.New creates a new value each time. The fix uses os.ErrNotExist instead.
+	fs := afero.NewMemMapFs()
+	files := map[string][]byte{
+		"exists.txt":  []byte("here"),
+		"missing.txt": []byte("not on disk"),
+	}
+	createTestManifest(t, fs, "/manifest.mf", files)
+	// Only create one file on disk
+	createFilesOnDisk(t, fs, "/data", map[string][]byte{
+		"exists.txt": []byte("here"),
+	})
+
+	chk, err := NewChecker("/manifest.mf", "/data", fs)
+	require.NoError(t, err)
+
+	results := make(chan Result, 10)
+	err = chk.Check(context.Background(), results, nil)
+	require.NoError(t, err)
+
+	statusCounts := map[Status]int{}
+	for r := range results {
+		statusCounts[r.Status]++
+		if r.Status == StatusMissing {
+			assert.Equal(t, RelFilePath("missing.txt"), r.Path)
+		}
+	}
+	assert.Equal(t, 1, statusCounts[StatusOK], "one file should be OK")
+	assert.Equal(t, 1, statusCounts[StatusMissing], "one file should be MISSING")
+	assert.Equal(t, 0, statusCounts[StatusError], "no files should be ERROR")
+}
+
 func TestCheckEmptyManifest(t *testing.T) {
 	fs := afero.NewMemMapFs()
 	// Create manifest with no files

mfer/gpg.go

@@ -100,7 +100,7 @@ func gpgExtractPubKeyFingerprint(pubKey []byte) (string, error) {
 	if err != nil {
 		return "", fmt.Errorf("failed to create temp dir: %w", err)
 	}
-	defer os.RemoveAll(tmpDir)
+	defer func() { _ = os.RemoveAll(tmpDir) }()
 
 	// Set restrictive permissions
 	if err := os.Chmod(tmpDir, 0o700); err != nil {
@@ -158,7 +158,7 @@ func gpgVerify(data, signature, pubKey []byte) error {
 	if err != nil {
 		return fmt.Errorf("failed to create temp dir: %w", err)
 	}
-	defer os.RemoveAll(tmpDir)
+	defer func() { _ = os.RemoveAll(tmpDir) }()
 
 	// Set restrictive permissions
 	if err := os.Chmod(tmpDir, 0o700); err != nil {

mfer/gpg_test.go

@@ -34,15 +34,15 @@ func testGPGEnv(t *testing.T) (GPGKeyID, func()) {
 
 	// Save original GNUPGHOME and set new one
 	origGPGHome := os.Getenv("GNUPGHOME")
-	os.Setenv("GNUPGHOME", gpgHome)
+	require.NoError(t, os.Setenv("GNUPGHOME", gpgHome))
 
 	cleanup := func() {
 		if origGPGHome == "" {
-			os.Unsetenv("GNUPGHOME")
+			_ = os.Unsetenv("GNUPGHOME")
 		} else {
-			os.Setenv("GNUPGHOME", origGPGHome)
+			_ = os.Setenv("GNUPGHOME", origGPGHome)
 		}
-		os.RemoveAll(gpgHome)
+		_ = os.RemoveAll(gpgHome)
 	}
 
 	// Generate a test key with no passphrase

mfer/scanner.go

@@ -385,6 +385,9 @@ func (s *Scanner) ToManifest(ctx context.Context, w io.Writer, progress chan<- S
 // The path should use forward slashes.
 func IsHiddenPath(p string) bool {
 	tp := path.Clean(p)
+	if tp == "." || tp == "/" {
+		return false
+	}
 	if strings.HasPrefix(tp, ".") {
 		return true
 	}

mfer/scanner_test.go

@@ -352,6 +352,8 @@ func TestIsHiddenPath(t *testing.T) {
 		{"/absolute/.hidden", true},
 		{"./relative", false}, // path.Clean removes leading ./
 		{"a/b/c/.d/e", true},
+		{".", false}, // current directory is not hidden
+		{"/", false}, // root is not hidden
 	}
 
 	for _, tt := range tests {