This also adds the ko targets for building them, and entries
to tools.go so go.mod recognizes these dependencies so we can build
them with ko.

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

This should validate that the current version of Rekor works against the
newest version of Trillian in CI.

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

* Refactor PKI factory and add type checking

This allows for more DRY addition of new PKI types, and stricter
type checking. This also allows for simpler enumeration of
supported PKI formats which will be used in further updates to
simplify the CLI codebase.

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* revamp CLI flags; support different versions for upload

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* Add Alpine Package type

This adds support for the alpine package format used by Alpine Linux,
which is the concatenation of three tgz files (signature, control data,
and then the actual package files).

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* use shaFlag for --artifact-hash

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* change arg type to PKIFormat

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* defer type-specific validation logic to type code (instead of in CLI); also use CliLogger throughout CLI

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* refactor factory code

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* review comments

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

Signed-off-by: Dan Lorenc <dlorenc@google.com>

This adds an "Attestation" method to the entry interface. Entries can
return an attestation that they would like to store.

The attestations are currently stored in GCS, but it supports any blob store.
The feature is turned off with a flag, and we can set a max size as well.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

Switch away from using rpc_endpoint=8091 and back to 8090 which is trillian_log_server's default.
This simplifies the commands to start trillian log_server, reducing it down to:
trillian_log_server --logtostderr ...
and avoids diverging from upstream when there is no need.

This change also updates the corresponding docker-compose and k8s configs.

Signed-off-by: axelsimon <github@axelsimon.net>

* Update trillian dependency to master

This removes calls to the trillian verifier and replaces them with calls to a new rekor verify package!
The `verify` package currently only verifies the signed log root.

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Fix lint

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Add verifier back in and update trillian images

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Make verify private

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Address code review comments

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Roll back to trillian v1.3.13

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Pin trillian to latest commit

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Add signing package for signing within rekor

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Remove public key from trillian and add in TODO for getting public key from Signer

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Create signer flag and store signer in api struct

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Remove public key from tlog in API, replace with a new pubkey tag

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Make sure we can get the public key locally

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Fix build error

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Reuse cosign implementation of signing interface

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* fix lint

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Add in-memory signer, store unmarshaled public key in api

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Temporarily skip the log_info test, since we are now getting the public key from rekor and not trillian

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Replace cosign import with sigstore

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Add unit test for memory signer

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Remove unnecessary code

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* skip test

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Sign the signature for the signed log root ourselves

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Include memory as a signer option for signer flag, make memory default

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* update boilerplate header and apply go fmt

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

* lints: fix golangci-lint issues

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

* updated based on feedback

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

This was triggering some internal security scans we have, everything still works
with it only exposed locally.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

Signed-off-by: Dan Lorenc <dlorenc@google.com>

Update version of docker-compose.yml

start_period in healthcheck and target in build are properties that are not supported for docker-compose versions <3.4. This change fixes this issue.

Signed-off-by: Efe Barlas <ebarlas@purdue.edu>

In our CI environment there is an artifical delay in between starting
the Rekor services via docker-compose and when the E2E tests are
actually executed due to Go modules being downloaded. In a local
development environment, the download may not be required so the tests
can start before the docker-compose services are actually running.

This introduces a healthcheck for services (where possible), and blocks
the start of the e2e tests until the services are reporting as healthy.
It also forces the use of an empty homedir and rekor config file to
ensure no collision between the tests and the developer's environment.

Fixes #183

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

This just exposes the default go metrics for now. We can use middleware to expose
more custom metrics for our API.

This is only toggled on for the server right now.

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

Co-authored-by: Dan Lorenc <dlorenc@google.com>

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

This allows us to skip sticking it onto each request context and retrieving it.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

Some changes:
- import names (app -> api, logging -> log)
- Commands package (cmd -> app)