Signed-off-by: Carlos Panato <ctadeu@gmail.com>

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

Signed-off-by: Asra Ali <asraa@google.com>

Signed-off-by: Appu Goundan <appu@google.com>

Bumps [github.com/spf13/viper](https://github.com/spf13/viper) from 1.7.1 to 1.8.0.
- [Release notes](https://github.com/spf13/viper/releases)
- [Commits](https://github.com/spf13/viper/compare/v1.7.1...v1.8.0

)

---
updated-dependencies:
- dependency-name: github.com/spf13/viper
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Signed-off-by: Appu Goundan <appu@google.com>

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

Signed-off-by: Dan Lorenc <dlorenc@google.com>

Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.10.0 to 1.11.0.
- [Release notes](https://github.com/prometheus/client_golang/releases)
- [Changelog](https://github.com/prometheus/client_golang/blob/master/CHANGELOG.md)
- [Commits](https://github.com/prometheus/client_golang/compare/v1.10.0...v1.11.0

)

---
updated-dependencies:
- dependency-name: github.com/prometheus/client_golang
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Convert STH to checkpoint format

This switches away from sending the (now deprecated) Trillian LogRootV1
format over to the checkpoint format documented at
https://github.com/google/trillian-examples/tree/master/formats/log



Fixes: #313

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

Signed-off-by: Dan Lorenc <dlorenc@google.com>

This adds an "Attestation" method to the entry interface. Entries can
return an attestation that they would like to store.

The attestations are currently stored in GCS, but it supports any blob store.
The feature is turned off with a flag, and we can set a max size as well.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

Bumps [github.com/go-openapi/runtime](https://github.com/go-openapi/runtime) from 0.19.28 to 0.19.29.
- [Release notes](https://github.com/go-openapi/runtime/releases)
- [Commits](https://github.com/go-openapi/runtime/compare/v0.19.28...v0.19.29

)

---
updated-dependencies:
- dependency-name: github.com/go-openapi/runtime
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps golang from 1.16.4 to 1.16.5.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Signed-off-by: Dan Lorenc <dlorenc@google.com>

This uses a custom fork of in-toto-golang because not all the changes are merged
in one place.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

This saves an if err != nil... check.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

Bumps [go.uber.org/zap](https://github.com/uber-go/zap) from 1.16.0 to 1.17.0.
- [Release notes](https://github.com/uber-go/zap/releases)
- [Changelog](https://github.com/uber-go/zap/blob/master/CHANGELOG.md)
- [Commits](https://github.com/uber-go/zap/compare/v1.16.0...v1.17.0

)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Add timestamps

Signed-off-by: Asra Ali <asraa@google.com>

* change

Signed-off-by: Asra Ali <asraa@google.com>

* address comments

Signed-off-by: Asra Ali <asraa@google.com>

* address comments

Signed-off-by: Asra Ali <asraa@google.com>

* fix binary writer

Signed-off-by: Asra Ali <asraa@google.com>

* add tsa

Signed-off-by: Asra Ali <asraa@google.com>

* distangle cert chain creation from new signer

Signed-off-by: Asra Ali <asraa@google.com>

* revert some now unncessary changes

Signed-off-by: Asra Ali <asraa@google.com>

* cert chain 404

Signed-off-by: Asra Ali <asraa@google.com>

* fix

Signed-off-by: Asra Ali <asraa@google.com>

Switch away from using rpc_endpoint=8091 and back to 8090 which is trillian_log_server's default.
This simplifies the commands to start trillian log_server, reducing it down to:
trillian_log_server --logtostderr ...
and avoids diverging from upstream when there is no need.

This change also updates the corresponding docker-compose and k8s configs.

Signed-off-by: axelsimon <github@axelsimon.net>

Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.37.1 to 1.38.0.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.37.1...v1.38.0

)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [gocloud.dev](https://github.com/google/go-cloud) from 0.22.0 to 0.23.0.
- [Release notes](https://github.com/google/go-cloud/releases)
- [Commits](https://github.com/google/go-cloud/compare/v0.22.0...v0.23.0

)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Add Log ID into SET verification step

This also causes the upload command to return a non-zero error code
because of a verification failure.

Fixes #308

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* since this is only done on upload, we can assume it is set

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* Add version subcommands to rekor-cli & rekor-server

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* Add version info to docker build & print at startup

This ensures the build ldflags are applied as part of the docker build
process (for docker-compose and ko).

This also prints the version information of the running server to the
logs upon server startup.

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

As we have moved away from the rekor.dev domain, switching over to
rekor.sigstore.dev for the public instance. api.sigstore.dev still works
as an alias.

Fixes #305

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.37.0 to 1.37.1.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.37.0...v1.37.1

)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 2.3.4.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v2.3.4

)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps golang from 1.16.3 to 1.16.4.

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Add Log ID to LogEntry field

Since the signed entry timestamp (SET) will be able to prove insertion into the log, adding the log ID (aka public key SHA256 hash) makes it easier to know which log the entry came from. 

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* GetLogByIndexHandler returns 404 for missing index

GRPC return codes have changed after switching the Trillian GRPC calls
due to recent changes; therefore we need to adapt for InvalidArgument
which should be returned as a 404 Not Found error to callers.

Fixes #296

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Add sha256 prefix to index keys for artifact hashes

This change adds the `sha256:` prefix to index values that are created to simplify searching the transparency log for artifacts. In case we shift to using a different hashing algorithm in the future, this will provide a way to specify it.

Fixes #289

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* Add signature to LogEntry for offline verification

Also add an integration test for this.

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Address code review comments:
- Canonicalize payload before signing it
- Change name of signature to signedEntryTimestamp
- move signedEntryTimestamp and inclusionProof into separate Verification field in LogEntry

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Create helper func for extracting log entry

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Add info around verifying signedEntryTimestamp as comments in openapi.yaml

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Generalize verification instructions

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

This is required when uploading jars by URL.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

Signed-off-by: Asra Ali <asraa@google.com>

Signed-off-by: Asra Ali <asraa@google.com>

Bumps [github.com/go-openapi/runtime](https://github.com/go-openapi/runtime) from 0.19.27 to 0.19.28.
- [Release notes](https://github.com/go-openapi/runtime/releases)
- [Commits](https://github.com/go-openapi/runtime/compare/v0.19.27...v0.19.28

)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Improve code sharing in pluggable type support

This patch removes some of the duplicate logic from specific type implementations and moves it into the base design which hopefully makes writing pluggable types a bit easier.

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* Update trillian dependency to master

This removes calls to the trillian verifier and replaces them with calls to a new rekor verify package!
The `verify` package currently only verifies the signed log root.

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Fix lint

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Add verifier back in and update trillian images

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Make verify private

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Address code review comments

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Roll back to trillian v1.3.13

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Pin trillian to latest commit

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Add new type for JAR archives

This adds support for a new pluggable type that can extract signatures
from signed JAR files. Per the JAR spec, a special manifest file is
created with the digest hashes of all included content in the JAR file.
It is this special manifest file that is then signed, and included in a
file within the archive in PKCS7 format. The PKCS7 file also includes
the X509 certificate that can be used to verify the signed manifest file
inside of the JAR.

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>