- Dec 19, 2021
-
-
dlorenc authored
This was set to fail on December 18th, which happens to be yesterday!
Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>
-
- Nov 23, 2021
-
-
Harry Fallows authored
* Upgraded go-playground/validator module to v10
Signed-off-by: Harry Fallows <harryfallows@protonmail.com>
* Manually re-added missing go.sum entry for module providing package github.com/dvyukov/go-fuzz/go-fuzz-dep
Signed-off-by: Harry Fallows <harryfallows@protonmail.com>
-
- Nov 19, 2021
-
-
asraa authored
* WIP: new hashed type
Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>
* wip add signature verification
Signed-off-by: Asra Ali <asraa@google.com>
* address Bob's comments
Signed-off-by: Asra Ali <asraa@google.com>
Co-authored-by: Dan Lorenc <lorenc.d@gmail.com>
-
- Oct 19, 2021
-
-
dlorenc authored
The CryptoPubKey function only returned the key value, but we should retrieve it from the cert if set. This fixes the rest of #918.
Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>
-
- Oct 07, 2021
-
-
asraa authored
Signed-off-by: Asra Ali <asraa@google.com>
-
asraa authored
* update go tuf for rsa key impl
Signed-off-by: Asra Ali <asraa@google.com>
* fix
Signed-off-by: Asra Ali <asraa@google.com>
-
- Aug 18, 2021
-
-
asraa authored
* Adds rekor TUF type
Co-authored-by: Santiago Torres <santiagotorres@purdue.edu>
Co-authored-by: Trishank Karthik Kuppusamy <trishank.kuppusamy@datadoghq.com>
Co-authored-by: Marina Moore <mnm678@gmail.com>
Signed-off-by: Asra Ali <asraa@google.com>
* add type documentation
Signed-off-by: Asra Ali <asraa@google.com>
* Address Bob's comments
Signed-off-by: Asra Ali <asraa@google.com>
* run make
Signed-off-by: Asra Ali <asraa@google.com>
* wip
Signed-off-by: Asra Ali <asraa@google.com>
* Address comments
Signed-off-by: Asra Ali <asraa@google.com>
Co-authored-by: Santiago Torres <santiagotorres@purdue.edu>
Co-authored-by: Trishank Karthik Kuppusamy <trishank.kuppusamy@datadoghq.com>
Co-authored-by: Marina Moore <mnm678@gmail.com>
-
- Jul 30, 2021
-
-
asraa authored
* use an in memory timestamping key
Signed-off-by: Asra Ali <asraa@google.com>
* address comments
Signed-off-by: Asra Ali <asraa@google.com>
-
- Jul 19, 2021
-
-
Christian Rebischke authored
This commit adds a PATH lookup to the openSSH tests. This prevents failing tests on systems with no ssh-keygen in PATH.
Signed-off-by: Christian Rebischke <chris@shibumi.dev>
-
- Jul 17, 2021
-
-
Bob Callaway authored
Previously we returned an HTTP 500 "error canonicalizing entry" error if Rekor was unable to parse or verify the proposed content of a new log entry. This adds a new error type ValidationError that allows implementers of the Canonicalize method to delineate between internal, transient errors and errors that clients can rectify. With this patch, errors parsing or validating (provided or referenced) artifacts will return an HTTP 400 message to the client with a message about the issue.
Fixes: #362
Signed-off-by: Bob Callaway <bob.callaway@gmail.com>
-
- Jul 14, 2021
-
-
Bob Callaway authored
* Refactor PKI factory and add type checking
This allows for more DRY addition of new PKI types, and stricter type checking. This also allows for simpler enumeration of supported PKI formats which will be used in further updates to simplify the CLI codebase.
Signed-off-by: Bob Callaway <bob.callaway@gmail.com>
* revamp CLI flags; support different versions for upload
Signed-off-by: Bob Callaway <bob.callaway@gmail.com>
* Add Alpine Package type
This adds support for the alpine package format used by Alpine Linux, which is the concatenation of three tgz files (signature, control data, and then the actual package files).
Signed-off-by: Bob Callaway <bob.callaway@gmail.com>
* use shaFlag for --artifact-hash
Signed-off-by: Bob Callaway <bob.callaway@gmail.com>
* change arg type to PKIFormat
Signed-off-by: Bob Callaway <bob.callaway@gmail.com>
* defer type-specific validation logic to type code (instead of in CLI); also use CliLogger throughout CLI
Signed-off-by: Bob Callaway <bob.callaway@gmail.com>
* refactor factory code
Signed-off-by: Bob Callaway <bob.callaway@gmail.com>
* review comments
Signed-off-by: Bob Callaway <bob.callaway@gmail.com>
-
- Jul 08, 2021
-
-
Bob Callaway authored
* Adopt new signing/verification APIs from sigstore
This uses the new APIs introduced in sigstore/sigstore/pkg/signature and removes most of the calls directly to the golang crypto APIs.
Signed-off-by: Bob Callaway <bob.callaway@gmail.com>
-
- Jun 23, 2021
-
-
Bob Callaway authored
This adds support for the alpine package format used by Alpine Linux, which is the concatenation of three tgz files (signature, control data, and then the actual package files).
Signed-off-by: Bob Callaway <bob.callaway@gmail.com>
-
- Jun 15, 2021
-
-
Appu authored
Signed-off-by: Appu Goundan <appu@google.com>
-
- May 24, 2021
-
-
asraa authored
* Add timestamps
Signed-off-by: Asra Ali <asraa@google.com>
* change
Signed-off-by: Asra Ali <asraa@google.com>
* address comments
Signed-off-by: Asra Ali <asraa@google.com>
* address comments
Signed-off-by: Asra Ali <asraa@google.com>
* fix binary writer
Signed-off-by: Asra Ali <asraa@google.com>
* add tsa
Signed-off-by: Asra Ali <asraa@google.com>
* disentangle cert chain creation from new signer
Signed-off-by: Asra Ali <asraa@google.com>
* revert some now unnecessary changes
Signed-off-by: Asra Ali <asraa@google.com>
* cert chain 404
Signed-off-by: Asra Ali <asraa@google.com>
* fix
Signed-off-by: Asra Ali <asraa@google.com>
-
- Apr 21, 2021
-
-
asraa authored
Signed-off-by: Asra Ali <asraa@google.com>
-
- Apr 20, 2021
-
-
asraa authored
Signed-off-by: Asra Ali <asraa@google.com>
-
- Apr 15, 2021
-
-
Bob Callaway authored
* Add new type for JAR archives
This adds support for a new pluggable type that can extract signatures from signed JAR files. Per the JAR spec, a special manifest file is created with the digest hashes of all included content in the JAR file. It is this special manifest file that is then signed, and included in a file within the archive in PKCS7 format. The PKCS7 file also includes the X509 certificate that can be used to verify the signed manifest file inside of the JAR.
Signed-off-by: Bob Callaway <bob.callaway@gmail.com>
-
Carlos Tadeu Panato Junior authored
* update boilerplate header and apply go fmt
Signed-off-by: Carlos Panato <ctadeu@gmail.com>
* lints: fix golangci-lint issues
Signed-off-by: Carlos Panato <ctadeu@gmail.com>
* updated based on feedback
Signed-off-by: Carlos Panato <ctadeu@gmail.com>
-
- Mar 27, 2021
-
-
dlorenc authored
The error was turning signature bytes into a string directly. We could base64 encode it, but that's not terribly useful either.
Signed-off-by: Dan Lorenc <dlorenc@google.com>
-
- Mar 16, 2021
-
-
Dan Lorenc authored
Signed-off-by: Dan Lorenc <dlorenc@google.com>
-
- Feb 26, 2021
-
-
Luke Hinds authored
-
- Feb 25, 2021
-
-
Luke Hinds authored
All instances of projectrekor are now renamed to SigStore
This includes:
* Import paths
* Tests
* Readmes
Signed-off-by: Luke Hinds <lhinds@redhat.com>
-
- Feb 20, 2021
-
-
Dan Lorenc authored
-
- Feb 02, 2021
-
-
Dan Lorenc authored
-
- Feb 01, 2021
-
-
Dan Lorenc authored
-
- Jan 30, 2021
-
-
Dan Lorenc authored
-
- Jan 28, 2021
-
-
Dan Lorenc authored
-
Bob Callaway authored
-
- Jan 14, 2021
-
-
Bob Callaway authored
saves second pass over data
-
Dan Lorenc authored
Still need to add some more e2e-style tests that go through the ArtifactFactory flow.
-
- Jan 11, 2021
-
-
Bob Callaway authored
* Add support for ed25519/signify/minisign keys and signatures
Signed-off-by: Bob Callaway <bcallawa@redhat.com>
-
- Dec 17, 2020
-
-
Bob Callaway authored
-
- Nov 25, 2020
-
-
Bob Callaway authored
* update & improve pgp unit tests
-
- Nov 20, 2020
-
-
Dan Lorenc authored
Without this, we miss the ---END block.
-
- Nov 18, 2020
-
-
Dan Lorenc authored
Some changes:
  - import names (app -> api, logging -> log)
  - Commands package (cmd -> app)
-