diff --git a/cli/command_policy_export.go b/cli/command_policy_export.go
index cf243ddda..6d0426174 100644
--- a/cli/command_policy_export.go
+++ b/cli/command_policy_export.go
@@ -3,6 +3,7 @@
 import (
 	"context"
 	"encoding/json"
+	stderrors "errors"
 	"fmt"
 	"io"
 	"os"
@@ -46,9 +47,10 @@ func (c *commandPolicyExport) run(ctx context.Context, rep repo.Repository) erro
 		return err
 	}
 
-	file, ok := output.(*os.File)
-	if ok {
-		defer file.Close() //nolint:errcheck
+	if file, ok := output.(*os.File); ok {
+		defer func() {
+			err = stderrors.Join(err, file.Close())
+		}()
 	}
 
 	policies := make(map[string]*policy.Policy)
diff --git a/internal/tlsutil/tlsutil.go b/internal/tlsutil/tlsutil.go
index 4e624d408..b7f1e69fe 100644
--- a/internal/tlsutil/tlsutil.go
+++ b/internal/tlsutil/tlsutil.go
@@ -11,6 +11,7 @@
 	"crypto/x509/pkix"
 	"encoding/hex"
 	"encoding/pem"
+	stderrors "errors"
 	"math/big"
 	"net"
 	"net/http"
@@ -86,12 +87,15 @@ func GenerateServerCertificate(ctx context.Context, keySize int, certValid time.
 }
 
 // WritePrivateKeyToFile writes the private key to a given file.
-func WritePrivateKeyToFile(fname string, priv *rsa.PrivateKey) error {
+func WritePrivateKeyToFile(fname string, priv *rsa.PrivateKey) (err error) {
 	f, err := os.OpenFile(fname, os.O_RDWR|os.O_CREATE|os.O_TRUNC, privateKeyFileMode) //nolint:gosec
 	if err != nil {
 		return errors.Wrap(err, "error opening private key file")
 	}
-	defer f.Close() //nolint:errcheck
+
+	defer func() {
+		err = stderrors.Join(err, f.Close())
+	}()
 
 	privBytes, err := x509.MarshalPKCS8PrivateKey(priv)
 	if err != nil {
@@ -106,12 +110,15 @@ func WritePrivateKeyToFile(fname string, priv *rsa.PrivateKey) error {
 }
 
 // WriteCertificateToFile writes the certificate to a given file.
-func WriteCertificateToFile(fname string, cert *x509.Certificate) error {
+func WriteCertificateToFile(fname string, cert *x509.Certificate) (err error) {
 	f, err := os.OpenFile(fname, os.O_RDWR|os.O_CREATE|os.O_TRUNC, certificateFileMode) //nolint:gosec
 	if err != nil {
 		return errors.Wrap(err, "error opening certificate file")
 	}
-	defer f.Close() //nolint:errcheck
+
+	defer func() {
+		err = stderrors.Join(err, f.Close())
+	}()
 
 	if err := pem.Encode(f, &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}); err != nil {
 		return errors.Wrap(err, "Failed to write data")
diff --git a/snapshot/restore/local_fs_output.go b/snapshot/restore/local_fs_output.go
index 0fb940d90..1d43ba03b 100644
--- a/snapshot/restore/local_fs_output.go
+++ b/snapshot/restore/local_fs_output.go
@@ -2,6 +2,7 @@
 
 import (
 	"context"
+	stderrors "errors"
 	"io"
 	"os"
 	"path/filepath"
@@ -379,20 +380,21 @@ func (o *FilesystemOutput) createDirectory(ctx context.Context, path string) err
 	}
 }
 
-func write(targetPath string, r fs.Reader, size int64, flush bool, c streamCopier) error {
+func write(targetPath string, r fs.Reader, size int64, flush bool, c streamCopier) (err error) {
 	f, err := os.OpenFile(targetPath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0o600) //nolint:gosec,mnd
 	if err != nil {
 		return err //nolint:wrapcheck
 	}
 
+	defer func() {
+		// always close f and report close error
+		err = stderrors.Join(err, f.Close())
+	}()
+
 	if err := f.Truncate(size); err != nil {
 		return err //nolint:wrapcheck
 	}
 
-	// ensure we always close f. Note that this does not conflict with the
-	// close below, as close is idempotent.
-	defer f.Close() //nolint:errcheck
-
 	if _, err := c(f, r); err != nil {
 		return errors.Wrapf(err, "cannot write data to file %q", f.Name())
 	}
@@ -403,10 +405,6 @@ func write(targetPath string, r fs.Reader, size int64, flush bool, c streamCopie
 		}
 	}
 
-	if err := f.Close(); err != nil {
-		return err //nolint:wrapcheck
-	}
-
 	return nil
 }
 
diff --git a/tools/gettool/autodownload/autodownload.go b/tools/gettool/autodownload/autodownload.go
index 6fc7d4c46..f6f98a3f4 100644
--- a/tools/gettool/autodownload/autodownload.go
+++ b/tools/gettool/autodownload/autodownload.go
@@ -9,6 +9,7 @@
 	"compress/gzip"
 	"crypto/sha256"
 	"encoding/hex"
+	stderrors "errors"
 	"fmt"
 	"io"
 	"log"
@@ -23,7 +24,7 @@
 
 const dirMode = 0o750
 
-func createFile(target string, mode os.FileMode, modTime time.Time, src io.Reader) error {
+func createFile(target string, mode os.FileMode, modTime time.Time, src io.Reader) (err error) {
 	f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, mode) //nolint:gosec
 	if err != nil {
 		return errors.Wrap(err, "error creating file")
@@ -31,7 +32,9 @@ func createFile(target string, mode os.FileMode, modTime time.Time, src io.Reade
 
 	defer os.Chtimes(target, modTime, modTime) //nolint:errcheck
 
-	defer f.Close() //nolint:errcheck
+	defer func() {
+		err = stderrors.Join(err, f.Close())
+	}()
 
 	if _, err := io.Copy(f, src); err != nil {
 		return errors.Wrap(err, "error copying contents")