diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml index 4c8d66a..e4a6ca0 100644 --- a/.github/workflows/golangci-lint.yml +++ b/.github/workflows/golangci-lint.yml @@ -13,6 +13,6 @@ jobs: go-version: 1.24.x - uses: actions/checkout@v4 - name: golangci-lint - uses: golangci/golangci-lint-action@v6 + uses: golangci/golangci-lint-action@v7 with: - version: v1.64.6 + version: v2.0.2 diff --git a/.golangci.yaml b/.golangci.yaml index a8ad39d..579e22b 100644 --- a/.golangci.yaml +++ b/.golangci.yaml @@ -1,5 +1,24 @@ +version: "2" linters: - enable: - - gofmt disable: - errcheck + exclusions: + generated: lax + presets: + - comments + - common-false-positives + - legacy + - std-error-handling + paths: + - third_party$ + - builtin$ + - examples$ +formatters: + enable: + - gofmt + exclusions: + generated: lax + paths: + - third_party$ + - builtin$ + - examples$ diff --git a/attest/eventlog.go b/attest/eventlog.go index 6547c70..40bdce9 100644 --- a/attest/eventlog.go +++ b/attest/eventlog.go @@ -27,9 +27,6 @@ import ( "sort" "strings" - // Ensure hashes are available. - _ "crypto/sha256" - "github.com/google/go-tpm/legacy/tpm2" "github.com/google/go-tpm/tpmutil" ) diff --git a/attest/tpm_other.go b/attest/tpm_other.go index 8a8e7c1..715552e 100644 --- a/attest/tpm_other.go +++ b/attest/tpm_other.go @@ -27,6 +27,6 @@ func probeSystemTPMs() ([]probedTPM, error) { return nil, errUnsupported } -func openTPM(tpm probedTPM) (*TPM, error) { +func openTPM(probedTPM) (*TPM, error) { return nil, errUnsupported } diff --git a/attest/win_events.go b/attest/win_events.go index 28b2daf..9d45ec5 100644 --- a/attest/win_events.go +++ b/attest/win_events.go 
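Review bot: In `.golangci.yaml`, `errcheck` is still listed under `linters.disable` after the move to the v2 format, so ignored error returns in the `attest` and `attributecert` packages are not linted. The new `exclusions.presets` list already carries `std-error-handling`, which as far as I can tell only suppresses errcheck findings, so it has no effect while the linter is off and would keep the noise down if it were turned on in a follow-up. The `legacy` preset and `generated: lax` also widen what is excluded. If these were carried over by an automated migration, a comment above the list such as `# presets carried over from the v1 defaults; trim once reviewed` would make that clear.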
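Review bot: In `attest/eventlog.go`, dropping the blank `_ "crypto/sha256"` import is only safe if crypto/sha256 is still imported elsewhere in this file or in package attest, and the import block starts outside the hunk, so that cannot be confirmed here. The removed comment says the import existed to make the hash available. If event-log digests are computed through `crypto.Hash` values, a hash that is not linked in panics on `New()` instead of returning an error. If a regular import remains, a short comment on it such as `// also registers SHA-256 for crypto.Hash lookups` would stop a later cleanup from removing the last reference.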
@@ -337,7 +337,7 @@ type microsoftEventHeader struct { // not handled. Unlike other events in the TCG log, it is safe to skip // unhandled SIPA events, as they are embedded within EventTag structures, // and these structures should match the event digest. -var unknownSIPAEvent = errors.New("unknown event") +var errUnknownSIPAEvent = errors.New("unknown event") func (w *WinEvents) readBooleanInt64Event(header microsoftEventHeader, r *bytes.Reader) error { if header.Size != 8 { @@ -783,7 +783,7 @@ func (w *WinEvents) readSIPAEvent(r *bytes.Reader, pcr int) error { return fmt.Errorf("reading unknown data section of length %d: %w", header.Size, err) } - return unknownSIPAEvent + return errUnknownSIPAEvent } } @@ -800,7 +800,7 @@ func (w *WinEvents) readWinEventBlock(evt *internal.TaggedEventData, pcr int) er for r.Len() > 0 { if err := w.readSIPAEvent(r, pcr); err != nil { - if errors.Is(err, unknownSIPAEvent) { + if errors.Is(err, errUnknownSIPAEvent) { // Unknown SIPA events are okay as all TCG events are verifiable. continue } diff --git a/attest/wrapped_tpm20.go b/attest/wrapped_tpm20.go index 732ea09..b82e2a0 100644 --- a/attest/wrapped_tpm20.go +++ b/attest/wrapped_tpm20.go @@ -221,7 +221,7 @@ func (t *wrappedTPM20) eks() ([]EK, error) { i, err := t.info() if err != nil { - return nil, fmt.Errorf("Retrieving TPM info failed: %v", err) + return nil, fmt.Errorf("retrieving TPM info failed: %v", err) } ekPub := &rsa.PublicKey{ E: int(pub.RSAParameters.Exponent()), diff --git a/attributecert/attributecert.go b/attributecert/attributecert.go index b86b35f..7c1bcdf 100644 --- a/attributecert/attributecert.go +++ b/attributecert/attributecert.go 
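Review bot: The reworded error in `eks()` (attest/wrapped_tpm20.go) still formats the cause with `%v`, which flattens it to text so callers cannot inspect it with `errors.Is` or `errors.As`. `readSIPAEvent` in win_events.go, visible in this same commit, wraps with `%w`. For consistency consider `return nil, fmt.Errorf("retrieving TPM info: %w", err)`, which also drops the redundant "failed". Switching to `%w` makes the underlying error part of what callers can match on, so it is worth a quick check that this is acceptable. `eks()` begins and ends outside the hunk.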
@@ -447,13 +447,14 @@ type PlatformConfigurationV1 struct { } func unmarshalSAN(v asn1.RawValue) ([]pkix.AttributeTypeAndValue, error) { - if v.Tag == asn1.TagSet { + switch v.Tag { + case asn1.TagSet: var e pkix.AttributeTypeAndValue if _, err := asn1.Unmarshal(v.Bytes, &e); err != nil { return nil, err } return []pkix.AttributeTypeAndValue{e}, nil - } else if v.Tag == asn1.TagOctetString { + case asn1.TagOctetString: var attributes []pkix.AttributeTypeAndValue var platformData PlatformDataSequence rest, err := asn1.Unmarshal(v.Bytes, &platformData) @@ -468,8 +469,9 @@ func unmarshalSAN(v asn1.RawValue) ([]pkix.AttributeTypeAndValue, error) { } } return attributes, nil + default: + return nil, fmt.Errorf("attributecert: unexpected SAN type %v", v.Tag) } - return nil, fmt.Errorf("attributecert: unexpected SAN type %v", v.Tag) } func parseAttributeCertificate(in *attributeCertificate) (*AttributeCertificate, error) {
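Review bot: In the `asn1.TagSet` case of `unmarshalSAN`, the remainder returned by `asn1.Unmarshal(v.Bytes, &e)` is discarded, so trailing bytes after the first AttributeTypeAndValue in certificate-supplied data are silently accepted. Since these lines are already being touched, consider `rest, err := asn1.Unmarshal(v.Bytes, &e)` followed by `if len(rest) != 0 { return nil, errors.New("attributecert: trailing data after SAN attribute") }`. The `asn1.TagOctetString` case does keep `rest`, but the lines that use it fall between the two hunks, so its handling cannot be checked here. The switch also compares only `v.Tag` and never `v.Class`. If that is intentional, a comment on each case saying which ASN.1 class it expects would document it.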