diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 34bad5d..39db0f7 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -23,7 +23,7 @@ jobs:
 uses: actions/checkout@v2
 with:
 fetch-depth: 2
-
+
 - run: git checkout HEAD^2
 if: ${{ github.event_name == 'pull_request' }}
diff --git a/attest/application_key_test.go b/attest/application_key_test.go
index 69c10c7..03acd83 100644
--- a/attest/application_key_test.go
+++ b/attest/application_key_test.go
@@ -26,10 +26,11 @@ import (
 "crypto/elliptic"
 "crypto/rand"
 "crypto/rsa"
- "crypto/x509"
 "encoding/asn1"
 "math/big"
 "testing"
+
+ "github.com/google/certificate-transparency-go/x509"
 )
 func TestSimTPM20KeyCreateAndLoad(t *testing.T) {
diff --git a/attest/attest-tool/attest-tool.go b/attest/attest-tool/attest-tool.go
index bfc9017..f565b62 100644
--- a/attest/attest-tool/attest-tool.go
+++ b/attest/attest-tool/attest-tool.go
@@ -15,9 +15,9 @@ import (
 "io/ioutil"
 "os"
- "github.com/google/certificate-transparency-go/x509"
 "github.com/google/go-attestation/attest"
 "github.com/google/go-attestation/attest/attest-tool/internal"
+ "github.com/google/certificate-transparency-go/x509"
 )
 var (
diff --git a/attest/challenge_test.go b/attest/challenge_test.go
index 2b1a020..8ae7b53 100644
--- a/attest/challenge_test.go
+++ b/attest/challenge_test.go
@@ -4,8 +4,9 @@ import (
 "bytes"
 "crypto/rand"
 "crypto/rsa"
- "crypto/x509"
 "testing"
+
+ "github.com/google/certificate-transparency-go/x509"
 )
 func TestMakeActivationBlob(t *testing.T) {
diff --git a/attest/eventlog.go b/attest/eventlog.go
index a14b61a..40949d2 100644
--- a/attest/eventlog.go
+++ b/attest/eventlog.go
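Review bot: In attest/attest-tool/attest-tool.go the `certificate-transparency-go/x509` import is moved below the two `go-attestation` imports, which leaves the group out of lexical order, so the file is no longer gofmt-clean and the next `gofmt`/`goimports` run will move the line back. The same reordering appears in the import hunks of attest/pcp_windows.go, attest/secureboot.go, attest/tpm_windows.go, attributecert/attributecert.go and ci/gen_ekcert.go. Keeping `"github.com/google/certificate-transparency-go/x509"` as the first line of the group avoids the churn and makes real dependency changes easier to spot among the import-only hunks.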
@@ -348,7 +348,7 @@ func (a *AKPublic) validate20Quote(quote Quote, pcrs []PCR, nonce []byte) error
 return fmt.Errorf("attestation isn't a quote, tag of type 0x%x", att.Type)
 }
 if !bytes.Equal([]byte(att.ExtraData), nonce) {
- return fmt.Errorf("nonce didn't match: %v", err)
+ return fmt.Errorf("nonce = %#v, want %#v", []byte(att.ExtraData), nonce)
 }
 pcrByIndex := map[int][]byte{}
diff --git a/attest/pcp_windows.go b/attest/pcp_windows.go
index bb85ab1..bc8725e 100644
--- a/attest/pcp_windows.go
+++ b/attest/pcp_windows.go
@@ -26,9 +26,9 @@ import (
 "github.com/google/certificate-transparency-go/x509"
- "github.com/google/go-tpm/tpmutil"
- tpmtbs "github.com/google/go-tpm/tpmutil/tbs"
 "golang.org/x/sys/windows"
+ tpmtbs "github.com/google/go-tpm/tpmutil/tbs"
+ "github.com/google/go-tpm/tpmutil"
 )
 const (
diff --git a/attest/secureboot.go b/attest/secureboot.go
index 363f584..6ec6279 100644
--- a/attest/secureboot.go
+++ b/attest/secureboot.go
@@ -19,8 +19,8 @@ import (
 "errors"
 "fmt"
- "github.com/google/certificate-transparency-go/x509"
 "github.com/google/go-attestation/attest/internal"
+ "github.com/google/certificate-transparency-go/x509"
 )
 // SecurebootState describes the secure boot status of a machine, as determined
diff --git a/attest/tpm12_linux.go b/attest/tpm12_linux.go
index ef4e2da..11f0eb9 100644
--- a/attest/tpm12_linux.go
+++ b/attest/tpm12_linux.go
@@ -24,8 +24,8 @@ import (
 "github.com/google/certificate-transparency-go/x509"
 "github.com/google/go-tspi/attestation"
- "github.com/google/go-tspi/tspi"
- "github.com/google/go-tspi/tspiconst"
+ "github.com/Comcast/gotspi/tspi"
+ "github.com/Comcast/gotspi/tspiconst"
 )
 func init() {
diff --git a/attest/tpm_test.go b/attest/tpm_test.go
index a350a03..5edcf44 100644
--- a/attest/tpm_test.go
+++ b/attest/tpm_test.go
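Review bot: The new nonce-mismatch error in validate20Quote formats both byte slices with `%#v`, which prints them as Go literals (`[]byte{0x1, 0x2, ...}`) and makes the message long and awkward to compare in verifier logs. `%x` carries the same information as compact hex: `return fmt.Errorf("nonce = %x, want %x", []byte(att.ExtraData), nonce)`. `att.ExtraData` is read from the quote under validation, so it is supplied by the attesting side, and hex output keeps it inert wherever the error string ends up. If any caller returns this error to the remote party, the expected nonce now travels with it; that should be checked in the callers, which are outside this hunk, as are the start and end of the function.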
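Review bot: In attest/tpm12_linux.go `tspi` and `tspiconst` now come from `github.com/Comcast/gotspi`, while `attestation` on the line above is still imported from `github.com/google/go-tspi`, so the TPM 1.2 path mixes two module origins for the same TSPI bindings. If the `attestation` package takes or returns `tspi` types, those are the google/go-tspi ones and will not be assignable to the Comcast types, so this may not compile on Linux. A new upstream in the attestation path also needs a pinned entry in go.mod and go.sum, and no such change is visible in this diff. Either move all three imports to one module or record in the commit message why the fork is required.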
@@ -2,10 +2,11 @@ package attest
 import (
 "crypto/rsa"
- "crypto/x509"
 "encoding/pem"
 "fmt"
 "testing"
+
+ "github.com/google/certificate-transparency-go/x509"
 )
 // Generated using the following command:
diff --git a/attest/tpm_windows.go b/attest/tpm_windows.go
index 9304cbb..5544a1d 100644
--- a/attest/tpm_windows.go
+++ b/attest/tpm_windows.go
@@ -28,9 +28,9 @@ import (
 "io"
 "math/big"
+ "golang.org/x/sys/windows"
 tpm1 "github.com/google/go-tpm/tpm"
 tpmtbs "github.com/google/go-tpm/tpmutil/tbs"
- "golang.org/x/sys/windows"
 )
 var wellKnownAuth [20]byte
diff --git a/attributecert/attributecert.go b/attributecert/attributecert.go
index 49e04d5..c6a74ad 100644
--- a/attributecert/attributecert.go
+++ b/attributecert/attributecert.go
@@ -9,15 +9,15 @@ package attributecert
 import (
 "bytes"
 "crypto"
- "crypto/x509"
- "crypto/x509/pkix"
- "encoding/asn1"
 "errors"
 "fmt"
 "math/big"
 "time"
 "github.com/google/go-attestation/oid"
+ "github.com/google/certificate-transparency-go/asn1"
+ "github.com/google/certificate-transparency-go/x509/pkix"
+ "github.com/google/certificate-transparency-go/x509"
 )
 var (
diff --git a/attributecert/attributecert_test.go b/attributecert/attributecert_test.go
index ae06de9..a8fae7f 100644
--- a/attributecert/attributecert_test.go
+++ b/attributecert/attributecert_test.go
@@ -15,12 +15,13 @@ package attributecert
 import (
- "crypto/x509"
 "encoding/json"
 "io/ioutil"
 "reflect"
 "strings"
 "testing"
+
+ "github.com/google/certificate-transparency-go/x509"
 )
 func TestVerifyAttributeCert(t *testing.T) {
@@ -38,7 +39,7 @@ func TestVerifyAttributeCert(t *testing.T) {
 t.Fatalf("failed to parse Intel intermediate certificate: %v", err)
 }
- for _, filename := range(testfiles) {
+ for _, filename := range testfiles {
 data, err = ioutil.ReadFile(filename)
 if err != nil {
 t.Fatalf("failed to read %s: %v", filename, err)
diff --git a/attributecert/testdata/Intel_pc2.cer b/attributecert/testdata/Intel_pc2.cer
old mode 100755
new mode 100644
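Review bot: In attributecert/attributecert.go, replacing `crypto/x509`, `crypto/x509/pkix` and `encoding/asn1` with the certificate-transparency-go forks changes which ASN.1 and certificate parser handles attribute certificates, and nothing in the hunk says why. The CT fork is written to accept certificates that the standard library rejects and reports some problems as non-fatal errors. Any code in this package that filters parse errors with `x509.IsFatal`, or otherwise ignores a non-nil error, would then accept input it previously refused; whether that happens has to be confirmed in the function bodies, which are outside this hunk. A comment above the import group would record the intent, for example `// CT fork of x509/asn1 is required for <reason>; all parse errors are still treated as fatal.`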
diff --git a/attributecert/testdata/Intel_pc3.cer b/attributecert/testdata/Intel_pc3.cer
old mode 100755
new mode 100644
diff --git a/ci/gen_ekcert.go b/ci/gen_ekcert.go
index 0676a0f..af32cb3 100644
--- a/ci/gen_ekcert.go
+++ b/ci/gen_ekcert.go
@@ -3,8 +3,6 @@ package main
 import (
 "crypto/rand"
 "crypto/rsa"
- "crypto/x509"
- "crypto/x509/pkix"
 "encoding/binary"
 "encoding/hex"
 "flag"
@@ -14,6 +12,9 @@ import (
 "os/exec"
 "strings"
 "time"
+
+ "github.com/google/certificate-transparency-go/x509/pkix"
+ "github.com/google/certificate-transparency-go/x509"
 )
 var simulatorStatePath = flag.String("state_path", "/tmp/sim/NVRAM/00.permall", "Path to ibmswtpm state file")
diff --git a/ci/setup_tests_fs.sh b/ci/setup_tests_fs.sh
old mode 100755
new mode 100644
diff --git a/ci/setup_tpm12_simulator.sh b/ci/setup_tpm12_simulator.sh
old mode 100755
new mode 100644
diff --git a/ci/shutdown_tpm12_simulator.sh b/ci/shutdown_tpm12_simulator.sh
old mode 100755
new mode 100644
diff --git a/oid/oid.go b/oid/oid.go
index 92ad886..d971050 100644
--- a/oid/oid.go
+++ b/oid/oid.go
@@ -59,4 +59,3 @@ var (
 var (
 CloudComputeInstanceIdentifier = []int{1, 3, 6, 1, 4, 1, 11129, 2, 1, 21}
 )
-