* Add new type for JAR archives

This adds support for a new pluggable type that can extract signatures
from signed JAR files. Per the JAR spec, a special manifest file is
created with the digest hashes of all included content in the JAR file.
It is this special manifest file that is then signed, and included in a
file within the archive in PKCS7 format. The PKCS7 file also includes
the X509 certificate that can be used to verify the signed manifest file
inside of the JAR.

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Add signing package for signing within rekor

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Remove public key from trillian and add in TODO for getting public key from Signer

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Create signer flag and store signer in api struct

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Remove public key from tlog in API, replace with a new pubkey tag

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Make sure we can get the public key locally

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Fix build error

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Reuse cosign implementation of signing interface

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* fix lint

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Add in-memory signer, store unmarshaled public key in api

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Temporarily skip the log_info test, since we are now getting the public key from rekor and not trillian

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Replace cosign import with sigstore

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Add unit test for memory signer

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Remove unnecessary code

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* skip test

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Sign the signature for the signed log root ourselves

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Include memory as a signer option for signer flag, make memory default

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from v2 to v2.5.2.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/v2...5c56cd6c9dc07901af25baab6f2b0d9f3b7c3018

)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* update boilerplate header and apply go fmt

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

* lints: fix golangci-lint issues

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

* updated based on feedback

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

CODEOWNERS file maps to a GitHub teams group and allows a simple
means of repository maitainance.

This file can later be extended to include other special interest
groups such as docs

Signed-off-by: Luke Hinds <lhinds@redhat.com>

Revert "[api] Add max 32 mb on content data"

Signed-off-by: Asra Ali <asraa@google.com>

[api] Add max 32 mb on content data

Signed-off-by: Asra Ali <asraa@google.com>

Drop signature verification in rekor server.

This is changing as part of the general trillian signature changes.
The trust model is still client -> database, our server trusts our
database so we can pass signed messages on directly to users without
double verification.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

This patch removes the /api/v1/log/entries/{uuid}/proof endpoint. If you
have the UUID (aka the leaf Merkle hash), you likely want proof that the
content represented by that hash is included in the log. There's no need
for a separate /proof endpoint to deliver the same content.

This commit also ensures that the getLogEntryByIndex and
getLogEntryByUUID endpoints return an inclusion proof as part of their
response content. The search endpoint also now returns the inclusion
proof of all entries returned from the query.

With this patch, Rekor no longer uses the deprecated `GetLeavesByHash`
Trillian API.

Fixes #229

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

Bump google.golang.org/grpc from 1.36.1 to 1.37.0

Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.36.1 to 1.37.0.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.36.1...v1.37.0

)

Signed-off-by: dependabot[bot] <support@github.com>

rekor-cli: Pretty print for get cmd

Signed-off-by: Dan Lorenc <dlorenc@google.com>

rekor-cli: logproof -last-size default fix

I will perform a 'lazy consensus' and self-merge this is not
approved by 07/05/2021

The idea is to point to one file in community where we can
add to the security handling process without updating all repos.

Signed-off-by: Luke Hinds <lhinds@redhat.com>

Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from v2.5.1 to v2.5.2.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/v2.5.1...5c56cd6c9dc07901af25baab6f2b0d9f3b7c3018

)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

Signed-off-by: Ahmet Alp Balkan <ahmetb@google.com>

* fail build if diff exists

Right now the build tries to detect mismatches between what is in the change versus any changes actually occurred from a clean rebuild (e.g. missed checking in any updates to generated code). However if those are present, the build logs print that out but do not cause the build to fail.

Also bumps GOVERSION to match what is used in Dockerfile so we don't have go.mod or go.sum as a reason for above.

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

Bumps golang from 1.16.2 to 1.16.3.

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [github.com/go-openapi/swag](https://github.com/go-openapi/swag) from 0.19.14 to 0.19.15.
- [Release notes](https://github.com/go-openapi/swag/releases)
- [Commits](https://github.com/go-openapi/swag/compare/v0.19.14...v0.19.15

)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

-last-size is defaulting to 1, but fixing it to 0 so we can properly error out
if it's unspecified.

Signed-off-by: Ahmet Alp Balkan <ahmetb@google.com>

Otherwise prints []byte contents which are not quite usable.

Signed-off-by: Ahmet Alp Balkan <ahmetb@google.com>

Bump github.com/go-openapi/strfmt from 0.20.0 to 0.20.1

Bumps [github.com/go-openapi/strfmt](https://github.com/go-openapi/strfmt) from 0.20.0 to 0.20.1.
- [Release notes](https://github.com/go-openapi/strfmt/releases)
- [Commits](https://github.com/go-openapi/strfmt/compare/v0.20.0...v0.20.1

)

Signed-off-by: dependabot[bot] <support@github.com>

Stop exposing the redis server port on the host.

This was triggering some internal security scans we have, everything still works
with it only exposed locally.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

The error was turning signature bytes into a string directly. We could
base64 encode it, but that's not terribly useful either.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

Fix a few more paths I was missing in the first folder move.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

Rename the directories for rekor-cli and rekor-server.

This makes the binaries "go installable" by their canonical names.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

Drop the replace that was pinning grpc.

This isn't needed and prevents "go install" from working.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.36.0 to 1.36.1.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.36.0...v1.36.1

)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>