We were previously stripping off the keyid/algorithm identifiers in minisign public keys.
These should be included in here to properly canonicalize/reconstruct the keys for verification.

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

A lot of these only support one key type, so we don't need to go through
the map.

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

This is part of a larger series to reduce intermediate state on each rekord type.

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

This was duplicated across the unit tests for all of our types, moved it
up to the top-level package.

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

We were catching these inside the IndexKeys function calls and logging, this
change moves that up to the caller. This is much more standard and simplifies the
implementations.

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

This got copy-pasta-ed a bit as we added a lot of new types. I refactored
this out so we have the logic only once.

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

This didn't appear to actually be useful on any of our types - we also
check the actual fields that need to be hydrated directly.

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

This was set to fail on December 18th, which happens to be yesterday!

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

* rename ecosystem to origin

Signed-off-by: Asra Ali <asraa@google.com>

* update comments

Signed-off-by: Asra Ali <asraa@google.com>

* Bump google.golang.org/grpc from 1.42.0 to 1.43.0

Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.42.0 to 1.43.0.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.42.0...v1.43.0

)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* replace grpc.WithInsecure() with insecure.NewCredentials()

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Carlos Panato <ctadeu@gmail.com>

* Delete INSTALLATION.md

Signed-off-by: Edoardo Tenani <edoardo.tenani@pm.me>

* Delete release-verify.md

Signed-off-by: Edoardo Tenani <edoardo.tenani@pm.me>

* Update README.md

Signed-off-by: Edoardo Tenani <edoardo.tenani@pm.me>

* Update README.md

Signed-off-by: Edoardo Tenani <edoardo.tenani@pm.me>

* Apply suggestions from code review

Co-authored-by: Bob Callaway <bobcallaway@users.noreply.github.com>
Signed-off-by: Edoardo Tenani <edoardo.tenani@pm.me>

Co-authored-by: Bob Callaway <bobcallaway@users.noreply.github.com>

This included some manual changes because of the interface changes.

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

Signed-off-by: Asra Ali <asraa@google.com>

* ensure that the test HTTP handlers are called

Signed-off-by: Jake Sanders <jsand@google.com>

* parallelize HTTP server dependent tests

Signed-off-by: Jake Sanders <jsand@google.com>

Signed-off-by: Jake Sanders <jsand@google.com>

* Upgraded go-playground/validator module to v10

Signed-off-by: Harry Fallows <harryfallows@protonmail.com>

* Manually re-added missing go.sum entry for module providing package github.com/dvyukov/go-fuzz/go-fuzz-dep

Signed-off-by: Harry Fallows <harryfallows@protonmail.com>

Signed-off-by: Asra Ali <asraa@google.com>

I had to change a few package imports to deal with upstream refactoring.

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

Signed-off-by: Asra Ali <asraa@google.com>

* WIP: new hashed type

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

* wip add signature verification

Signed-off-by: Asra Ali <asraa@google.com>

* address bobs comments

Signed-off-by: Asra Ali <asraa@google.com>

Co-authored-by: Dan Lorenc <lorenc.d@gmail.com>

Adds the ability to search for indicies with sha1 hashes. Currently
rekor custom types can store indices with formats other than
sha256:<hash>.  Particularly the in-toto type can do this.

One particular use case of interest is indexing log entries by git
commit hash, which largely still use sha1.

Signed-off-by: Mikhail Swift <mswift@mswift.dev>

Signed-off-by: Lily Sturmann <lsturman@redhat.com>

Signed-off-by: Andrew Block <andy.block@gmail.com>

Signed-off-by: Jason Hall <jasonhall@redhat.com>

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

The CryptoPubKey function only returned the key value, but we should
retrieve it from the cert if set. This fixes the rest of #918.

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

Signed-off-by: Asra Ali <asraa@google.com>

* update go tuf for rsa key impl

Signed-off-by: Asra Ali <asraa@google.com>

* fix

Signed-off-by: Asra Ali <asraa@google.com>

Each of the supported types has a Canonicalize() method that generates a
JSON representation of the entry. If the golang library were to make a
change to the order of keys when marshalling an object, it would cause
a duplicate entry in the log for a semantically equivalent object.

This change simply transforms the JSON into RFC8785-compliant
canonicalized JSON protecting against any changes in JSON libraries
going forward.

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

1. Switch DSSE provider to go-securesystemslib
2. Update in-toto and use newly renamed SLSA provenance predicate

Signed-off-by: Aditya Sirish <aditya@saky.in>

This is in preparation for supporting multiple logIDs (for sharding).

Signed-off-by: Dan Lorenc <dlorenc@google.com>

We get flooded with scapers so it makes it hard to find real errors in our logs.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* Adds rekor TUF type

Co-authored-by: Santiago Torres <santiagotorres@purdue.edu>
Co-authored-by: Trishank Karthik Kuppusamy <trishank.kuppusamy@datadoghq.com>
Co-authored-by: Marina Moore <mnm678@gmail.com>
Signed-off-by: Asra Ali <asraa@google.com>

* add type documentation

Signed-off-by: Asra Ali <asraa@google.com>

* Address bob comments

Signed-off-by: Asra Ali <asraa@google.com>

* run make

Signed-off-by: Asra Ali <asraa@google.com>

* wip

Signed-off-by: Asra Ali <asraa@google.com>

* Address comments

Signed-off-by: Asra Ali <asraa@google.com>

Co-authored-by: Santiago Torres <santiagotorres@purdue.edu>
Co-authored-by: Trishank Karthik Kuppusamy <trishank.kuppusamy@datadoghq.com>
Co-authored-by: Marina Moore <mnm678@gmail.com>

Signed-off-by: Asra Ali <asraa@google.com>

* use an in memory timestamping key

Signed-off-by: Asra Ali <asraa@google.com>

* address comments

Signed-off-by: Asra Ali <asraa@google.com>

* just commit timestampnote

Signed-off-by: Asra Ali <asraa@google.com>

* add signed timestamp note

Signed-off-by: Asra Ali <asraa@google.com>

* address validating sha comment

Signed-off-by: Asra Ali <asraa@google.com>

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>