diff --git a/Makefile b/Makefile
index bdafe82b3..a67a295f0 100644
--- a/Makefile
+++ b/Makefile
@@ -102,14 +102,8 @@ spellcheck: # Spellcheck docs
 .PHONY: cover
 cover: ## Runs go test with coverage
- @echo "" > coverage.txt
- @for d in $(shell go list ./... | grep -v vendor); do \
- $(GO) test -race -coverprofile=profile.out -covermode=atomic "$$d"; \
- if [ -f profile.out ]; then \
- cat profile.out >> coverage.txt; \
- rm profile.out; \
- fi; \
- done;
+ @echo "==> $@"
+ $(GO) test -race -coverprofile=coverage.txt -tags "$(BUILDTAGS)" $(shell $(GO) list ./... | grep -v vendor | grep -v github.com/pomerium/pomerium/integration)
 .PHONY: clean
 clean: ## Cleanup any build binaries or packages.
diff --git a/authorize/evaluator/evaluator.go b/authorize/evaluator/evaluator.go
index 33405eccb..88bd0960d 100644
--- a/authorize/evaluator/evaluator.go
+++ b/authorize/evaluator/evaluator.go
@@ -224,27 +224,30 @@ func (e *Evaluator) JWTPayload(req *Request) map[string]interface{} {
 }
 func newSigner(options *config.Options) (jose.Signer, *jose.JSONWebKey, error) {
+ var decodedCert []byte
 // if we don't have a signing key, generate one
 if options.SigningKey == "" {
 key, err := cryptutil.NewSigningKey()
 if err != nil {
 return nil, nil, fmt.Errorf("couldn't generate signing key: %w", err)
 }
- generatedKey, err := cryptutil.EncodePrivateKey(key)
+ decodedCert, err = cryptutil.EncodePrivateKey(key)
+ if err != nil {
+ return nil, nil, fmt.Errorf("bad signing key: %w", err)
+ }
+ } else {
+ var err error
+ decodedCert, err = base64.StdEncoding.DecodeString(options.SigningKey)
 if err != nil {
 return nil, nil, fmt.Errorf("bad signing key: %w", err)
 }
- options.SigningKey = base64.StdEncoding.EncodeToString(generatedKey)
 }
- if options.SigningKeyAlgorithm == "" {
- options.SigningKeyAlgorithm = string(jose.ES256)
+ signingKeyAlgorithm := options.SigningKeyAlgorithm
+ if signingKeyAlgorithm == "" {
+ signingKeyAlgorithm = string(jose.ES256)
 }
- decodedCert, err := base64.StdEncoding.DecodeString(options.SigningKey)
- if err != nil {
- return nil, nil, fmt.Errorf("bad signing key: %w", err)
- }
- jwk, err := cryptutil.PrivateJWKFromBytes(decodedCert, jose.SignatureAlgorithm(options.SigningKeyAlgorithm))
+ jwk, err := cryptutil.PrivateJWKFromBytes(decodedCert, jose.SignatureAlgorithm(signingKeyAlgorithm))
 if err != nil {
 return nil, nil, fmt.Errorf("couldn't generate signing key: %w", err)
 }
diff --git a/config/options_test.go b/config/options_test.go
index d8e87ac43..443eef528 100644
--- a/config/options_test.go
+++ b/config/options_test.go
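Review bot: In the empty-`SigningKey` branch of newSigner (authorize/evaluator/evaluator.go) the generated key now lives only in the returned signer and JWK, because the write-back to `options.SigningKey` and `options.SigningKeyAlgorithm` is removed; any other code that reads those options to publish or verify the public key (not visible in this hunk) would no longer see the key this evaluator signs with. If that is intended, state it on the function, e.g. `// newSigner does not modify options; with no SigningKey configured it generates an ephemeral key that is returned only through the JWK.` The new `EncodePrivateKey` error path also reuses the message `bad signing key`, which reads as a configuration fault; `fmt.Errorf("couldn't encode generated signing key: %w", err)` would point at the right step. newSigner's body continues past the end of the hunk.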
@@ -212,7 +212,6 @@ func Test_Checksum(t *testing.T) {
 }
 func TestOptionsFromViper(t *testing.T) {
- t.Parallel()
 opts := []cmp.Option{
 cmpopts.IgnoreFields(Options{}, "CookieSecret", "GRPCInsecure", "GRPCAddr", "DataBrokerURLString", "DataBrokerURL", "AuthorizeURL", "AuthorizeURLString", "DefaultUpstreamTimeout", "CookieExpire", "Services", "Addr", "RefreshCooldown", "LogLevel", "KeyFile", "CertFile", "SharedKey", "ReadTimeout", "IdleTimeout", "GRPCClientTimeout", "GRPCClientDNSRoundRobin", "TracingSampleRate"),
 cmpopts.IgnoreFields(Policy{}, "Source", "Destination"),
diff --git a/internal/tcptunnel/tcptunnel.go b/internal/tcptunnel/tcptunnel.go
index e00f18252..b4919f9e8 100644
--- a/internal/tcptunnel/tcptunnel.go
+++ b/internal/tcptunnel/tcptunnel.go
@@ -196,8 +196,9 @@ func (tun *Tunnel) run(ctx context.Context, local io.ReadWriter, rawJWT string,
 _, err := io.Copy(remote, local)
 errc <- err
 }()
+ remoteReader := deBuffer(br, remote)
 go func() {
- _, err := io.Copy(local, deBuffer(br, remote))
+ _, err := io.Copy(local, remoteReader)
 errc <- err
 }()
diff --git a/pkg/grpc/client_test.go b/pkg/grpc/client_test.go
index a01b3b773..856cd0be3 100644
--- a/pkg/grpc/client_test.go
+++ b/pkg/grpc/client_test.go
@@ -91,7 +91,7 @@ func TestGetGRPC(t *testing.T) {
 return
 }
- assert.Equal(t, cc1, cc2, "GetGRPCClientConn should return the same connection when there are no changes")
+ assert.Same(t, cc1, cc2, "GetGRPCClientConn should return the same connection when there are no changes")
 cc3, err := GetGRPCClientConn("example", &Options{
 Addr: mustParseURL("http://localhost.example"),
@@ -101,7 +101,7 @@ func TestGetGRPC(t *testing.T) {
 return
 }
- assert.NotEqual(t, cc1, cc3, "GetGRPCClientConn should return a new connection when there are changes")
+ assert.NotSame(t, cc1, cc3, "GetGRPCClientConn should return a new connection when there are changes")
 }
 func mustParseURL(rawurl string) *url.URL {
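Review bot: Nothing in the internal/tcptunnel/tcptunnel.go hunk records why `deBuffer(br, remote)` has to run before the second goroutine in run is started, so a later cleanup could fold it back into the `io.Copy` call. Presumably the move keeps the access to `br` on the calling goroutine; if so, a comment above the new line would pin that down, e.g. `// build the reader here, not inside the goroutine, so br is not touched concurrently`. The body of run starts and ends outside the hunk.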