- Jul 08, 2022

Bob Callaway authored
* cleanup makefile with generated code; cleanup unused files
  Signed-off-by: Bob Callaway <bcallaway@google.com>
* sort find output to ensure consistent ordering
  Signed-off-by: Bob Callaway <bcallaway@google.com>
* force dictionary order
  Signed-off-by: Bob Callaway <bcallaway@google.com>
* add comment at top of Makefile.swagger
  Signed-off-by: Bob Callaway <bcallaway@google.com>
- Jul 07, 2022

priyawadhwa authored
Signed-off-by: Priya Wadhwa <priya@chainguard.dev>
- Jul 06, 2022

Bob Callaway authored
Currently only two Rekor pluggable types support the storage of attestations (intoto, cose); the previous code to fetch attestations was type-agnostic, but due to the fix #878 the server was doing unnecessary lookups for all types, regardless of whether they store attestation content or not. This makes the attestation storage an explicit interface, which we can test casting for and avoid a roundtrip to the storage layer for types that don't support storing attestations.
Signed-off-by: Bob Callaway <bcallaway@google.com>

dependabot[bot] authored
* Bump github.com/theupdateframework/go-tuf from 0.3.0 to 0.3.1
  Bumps [github.com/theupdateframework/go-tuf](https://github.com/theupdateframework/go-tuf) from 0.3.0 to 0.3.1.
  - [Release notes](https://github.com/theupdateframework/go-tuf/releases)
  - [Commits](https://github.com/theupdateframework/go-tuf/compare/v0.3.0...v0.3.1)
  ---
  updated-dependencies:
  - dependency-name: github.com/theupdateframework/go-tuf
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* update error
  Signed-off-by: Asra Ali <asraa@google.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Asra Ali <asraa@google.com>

Bob Callaway authored
Signed-off-by: Bob Callaway <bcallaway@google.com>

priyawadhwa authored
* Check inactive shards for UUID for /retrieve endpoint
  Signed-off-by: Priya Wadhwa <priya@chainguard.dev>
* Address code review comments
  Signed-off-by: Priya Wadhwa <priya@chainguard.dev>
- Jul 05, 2022

Sascha Grunert authored
We should use the release versions rather than the commits on `main` to let dependabot update it automatically.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
- Jul 04, 2022

Romain Aviolat authored
Signed-off-by: Romain Aviolat <r.aviolat@gmail.com>
- Jul 01, 2022

dependabot[bot] authored
* Bump sigstore/cosign-installer from 2.4.0 to 2.4.1
  Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 2.4.0 to 2.4.1.
  - [Release notes](https://github.com/sigstore/cosign-installer/releases)
  - [Commits](https://github.com/sigstore/cosign-installer/compare/7e0881f8fe90b25e305bbf0309761e9314607e25...48866aa521d8bf870604709cd43ec2f602d03ff2)
  ---
  updated-dependencies:
  - dependency-name: sigstore/cosign-installer
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* update version comment
  Signed-off-by: cpanato <ctadeu@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: cpanato <ctadeu@gmail.com>

asraa authored
* feat: add subject URIs to index for x509 certificates
  Signed-off-by: Asra Ali <asraa@google.com>
* fix comments
  Signed-off-by: Asra Ali <asraa@google.com>
* fix lint
  Signed-off-by: Asra Ali <asraa@google.com>
* Address another bob comment
  Signed-off-by: Asra Ali <asraa@google.com>
- Jun 30, 2022

Carlos Tadeu Panato Junior authored
Signed-off-by: cpanato <ctadeu@gmail.com>
- Jun 29, 2022

priyawadhwa authored
Signed-off-by: Priya Wadhwa <priya@chainguard.dev>

Bob Callaway authored
* Fix intoto index keys
  Ensure we include all appropriate index keys including:
  - entire DSSE envelope SHA256 digest
  - envelope (base64 decoded) SHA256 digest
  - entire X509 signing certificate
  - any relevant keys extracted from X509 signing certificate
  Fixes: #872
  Signed-off-by: Bob Callaway <bcallaway@google.com>
* consistently decode payload
  Signed-off-by: Bob Callaway <bcallaway@google.com>
* rework error flows to be non-fatal
  Signed-off-by: Bob Callaway <bcallaway@google.com>
* use canonicalized key, consistent sprintf
  Signed-off-by: Bob Callaway <bcallaway@google.com>

dependabot[bot] authored
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.14 to 2.1.15.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/41a4ada31ba866a7f1196b9602703a89edd69e22...3f62b754e23e0dd60f91b744033e1dc1654c0ec6)
---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- Jun 28, 2022

dependabot[bot] authored
* Bump ossf/scorecard-action from 1.1.1 to 1.1.2
  Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 1.1.1 to 1.1.2.
  - [Release notes](https://github.com/ossf/scorecard-action/releases)
  - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
  - [Commits](https://github.com/ossf/scorecard-action/compare/3e15ea8318eee9b333819ec77a36aca8d39df13e...ce330fde6b1a5c9c75b417e7efc510b822a35564)
  ---
  updated-dependencies:
  - dependency-name: ossf/scorecard-action
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* update version comment
  Signed-off-by: cpanato <ctadeu@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: cpanato <ctadeu@gmail.com>
- Jun 23, 2022

dependabot[bot] authored
* Bump github/codeql-action from 2.1.13 to 2.1.14
  Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.13 to 2.1.14.
  - [Release notes](https://github.com/github/codeql-action/releases)
  - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
  - [Commits](https://github.com/github/codeql-action/compare/d00e8c09a38ef8c1ca1091fc55ef490776d2de73...41a4ada31ba866a7f1196b9602703a89edd69e22)
  ---
  updated-dependencies:
  - dependency-name: github/codeql-action
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* update version comment
  Signed-off-by: cpanato <ctadeu@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: cpanato <ctadeu@gmail.com>

Fredrik Skogman authored
* WIP: Add COSE support to Rekor
  This commit adds COSE Sign1 support to rekor via a new data type. COSE is defined in RFC8152, and provides a signing message envelope. This is supported in rekor using the veraison/go-cose library. The new API type requires the signed content, the signature envelope, and the public key. The public key is in the standard rekor PKI format, at the moment only ECDSA P256 with SHA256 is supported. The signed message only supports in-line bodies (no URL fetching), and there is no support for pre-hashed entries.
  Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>
* Completed basic support for COSE records.
  This adds some more functionality related to COSE envelopes. Features added are:
  - Support for specifying Additional Authenticated Data (AAD)
  - The entire CBOR envelope is stored as an attestation
  - If the payload type is an in-toto statement, subject is indexed
  What's not optimal is that the COSE envelope is using the regular `Attestion()` functionality, which means that rekor cli tries to print it during `rekor-cli get` and the response record from Rekor looks a bit awkward.
  Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
* Updated the documentation for COSE envelopes.
  Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
* Resolved merge conflicts with main.
  The biggest change is adapting the new interface where attestation func is split to two, one to get the key and another to get key/val.
  Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
* Ran go mod tidy after resolving merge commits.
  Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
* Added check to see that provided EC key uses the P256 curve.
  Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
* Spelled out aad when printing the help message.
  Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
* Updated copyright notice to have current (2022) year.
  Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
* Removed direct dependency on github.com/pkg/errors and replaced with stdlib errors package.
  Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
* Fixed a bug where nil was wrongfully returned instead of err. Also increase the general test coverage.
  Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
* Changed aad in artifact properties struct to be []byte instead of string. This gives the caller the possibility to decide how to decode the data.
  Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
* Fixed a warning from the linter.
  Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
* Added test case for malformed base64 aad parameter.
  Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
* During signature validation, do not store any state until entire validation is done.
  Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
Co-authored-by: Dan Lorenc <lorenc.d@gmail.com>
- Jun 21, 2022

Carlos Tadeu Panato Junior authored
Signed-off-by: cpanato <ctadeu@gmail.com>

dependabot[bot] authored
* Bump github/codeql-action from 2.1.12 to 2.1.13
  Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.12 to 2.1.13.
  - [Release notes](https://github.com/github/codeql-action/releases)
  - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
  - [Commits](https://github.com/github/codeql-action/compare/27ea8f8fe5977c00f5b37e076ab846c5bd783b96...d00e8c09a38ef8c1ca1091fc55ef490776d2de73)
  ---
  updated-dependencies:
  - dependency-name: github/codeql-action
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* update version comments
  Signed-off-by: cpanato <ctadeu@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: cpanato <ctadeu@gmail.com>

dependabot[bot] authored
Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.4.0 to 1.5.0.
- [Release notes](https://github.com/spf13/cobra/releases)
- [Commits](https://github.com/spf13/cobra/compare/v1.4.0...v1.5.0)
---
updated-dependencies:
- dependency-name: github.com/spf13/cobra
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bob Callaway authored
* ensure fallback logic executes if attestation key is empty
  Signed-off-by: Bob Callaway <bcallaway@google.com>
* add gcloud auth to get containers
  Signed-off-by: Bob Callaway <bcallaway@google.com>
* use correct ref, not a creds problem
  Signed-off-by: Bob Callaway <bcallaway@google.com>
* use full path to rekor-cli, not safe to assume path is set
  Signed-off-by: Bob Callaway <bcallaway@google.com>
* use external volume and set perms
  Signed-off-by: Bob Callaway <bcallaway@google.com>
- Jun 20, 2022

Bob Callaway authored
* collect docker-compose logs if sharding tests fail, also trim IDs
  Signed-off-by: Bob Callaway <bcallaway@google.com>
* s/TRAP/trap, test failure case
  Signed-off-by: Bob Callaway <bcallaway@google.com>
* fix left padding, rename log uploads, remove failure test
  Co-authored-by: Bob Callaway <bcallaway@google.com>
  Co-authored-by: Fredrik Skogman <kommendorkapten@github.com>
* add missing negation
  Signed-off-by: Bob Callaway <bcallaway@google.com>
* fix return code logic
  Signed-off-by: Bob Callaway <bcallaway@google.com>
Co-authored-by: Fredrik Skogman <kommendorkapten@github.com>
- Jun 16, 2022

Carlos Tadeu Panato Junior authored
Signed-off-by: cpanato <ctadeu@gmail.com>

Hayden B authored
This causes issues when trying to look up an entry where the chain was valid/unexpired when uploaded, but has since expired when it's retrieved.
Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>

dependabot[bot] authored
* Bump actions/dependency-review-action from 2.0.0 to 2.0.2
  Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.0.0 to 2.0.2.
  - [Release notes](https://github.com/actions/dependency-review-action/releases)
  - [Commits](https://github.com/actions/dependency-review-action/compare/97790d29c7fb370b5e1edbec513501e78789337d...1c59cdf2a9c7f29c90e8da32237eb04b81bad9f0)
  ---
  updated-dependencies:
  - dependency-name: actions/dependency-review-action
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* update version comment
  Signed-off-by: cpanato <ctadeu@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: cpanato <ctadeu@gmail.com>
- Jun 15, 2022

priyawadhwa authored
Signed-off-by: Priya Wadhwa <priya@chainguard.dev>

dependabot[bot] authored
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 1.0.2 to 2.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](https://github.com/actions/dependency-review-action/compare/a9c83d3af6b9031e20feba03b904645bb23d1dab...97790d29c7fb370b5e1edbec513501e78789337d)
---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- Jun 09, 2022

dependabot[bot] authored
* Bump sigstore/cosign-installer from 2.3.0 to 2.4.0
  Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 2.3.0 to 2.4.0.
  - [Release notes](https://github.com/sigstore/cosign-installer/releases)
  - [Commits](https://github.com/sigstore/cosign-installer/compare/536b37ec5d5b543420bdfd9b744c5965bd4d8730...7e0881f8fe90b25e305bbf0309761e9314607e25)
  ---
  updated-dependencies:
  - dependency-name: sigstore/cosign-installer
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* update version comment
  Signed-off-by: cpanato <ctadeu@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: cpanato <ctadeu@gmail.com>

Carlos Tadeu Panato Junior authored
Signed-off-by: cpanato <ctadeu@gmail.com>
- Jun 07, 2022

priyawadhwa authored
* Print total tree size, including inactive shards
  Signed-off-by: Priya Wadhwa <priya@chainguard.dev>
* Rename TreeSize to ActiveTreeSize
  Signed-off-by: Priya Wadhwa <priya@chainguard.dev>
- Jun 06, 2022

priyawadhwa authored
* Allow retrieving entryIDs or UUIDs
  Fixes a bug where only 64 char UUIDs were allowed. Also adds in an integration test.
  Signed-off-by: Priya Wadhwa <priya@chainguard.dev>
* Confirm there are two entries returned in sharding e2e test
  Signed-off-by: Priya Wadhwa <priya@chainguard.dev>
* Fix regex
  Signed-off-by: Priya Wadhwa <priya@chainguard.dev>
* Code review comments
  Signed-off-by: Priya Wadhwa <priya@chainguard.dev>

dependabot[bot] authored
* Bump github.com/spf13/viper from 1.11.0 to 1.12.0
  Bumps [github.com/spf13/viper](https://github.com/spf13/viper) from 1.11.0 to 1.12.0.
  - [Release notes](https://github.com/spf13/viper/releases)
  - [Commits](https://github.com/spf13/viper/compare/v1.11.0...v1.12.0)
  ---
  updated-dependencies:
  - dependency-name: github.com/spf13/viper
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* update cloud.google.com/go/storage / cloud.google.com/go/iam
  Signed-off-by: cpanato <ctadeu@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: cpanato <ctadeu@gmail.com>

dependabot[bot] authored
Bumps [github.com/go-openapi/validate](https://github.com/go-openapi/validate) from 0.21.0 to 0.22.0.
- [Release notes](https://github.com/go-openapi/validate/releases)
- [Commits](https://github.com/go-openapi/validate/compare/v0.21.0...v0.22.0)
---
updated-dependencies:
- dependency-name: github.com/go-openapi/validate
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- Jun 04, 2022

Hayden B authored
ED25519 signatures are not supported with the hashedrekord type, though they are supported with rekord. The reason is that ED25519 computes the digest as part of its algorithm, so the original artifact is needed to verify a signature. The previous error message was very unclear, complaining about a nil message.
Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
- Jun 03, 2022

Carlos Tadeu Panato Junior authored
Signed-off-by: cpanato <ctadeu@gmail.com>

Carlos Tadeu Panato Junior authored
Signed-off-by: cpanato <ctadeu@gmail.com>
- Jun 02, 2022

dependabot[bot] authored
* Bump github/codeql-action from 2.1.11 to 2.1.12
  Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.11 to 2.1.12.
  - [Release notes](https://github.com/github/codeql-action/releases)
  - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
  - [Commits](https://github.com/github/codeql-action/compare/a3a6c128d771b6b9bdebb1c9d0583ebd2728a108...27ea8f8fe5977c00f5b37e076ab846c5bd783b96)
  ---
  updated-dependencies:
  - dependency-name: github/codeql-action
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* update version comment
  Signed-off-by: cpanato <ctadeu@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: cpanato <ctadeu@gmail.com>

dependabot[bot] authored
* Bump ossf/scorecard-action from 1.1.0 to 1.1.1
  Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 1.1.0 to 1.1.1.
  - [Release notes](https://github.com/ossf/scorecard-action/releases)
  - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
  - [Commits](https://github.com/ossf/scorecard-action/compare/5c8bc69dc88b65c66584e07611df79d3579b0377...3e15ea8318eee9b333819ec77a36aca8d39df13e)
  ---
  updated-dependencies:
  - dependency-name: ossf/scorecard-action
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <support@github.com>
* update version comment
  Signed-off-by: cpanato <ctadeu@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: cpanato <ctadeu@gmail.com>
- Jun 01, 2022

dependabot[bot] authored
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.46.2 to 1.47.0.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.46.2...v1.47.0)
---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

dependabot[bot] authored
Bumps [github.com/secure-systems-lab/go-securesystemslib](https://github.com/secure-systems-lab/go-securesystemslib) from 0.3.1 to 0.4.0.
- [Release notes](https://github.com/secure-systems-lab/go-securesystemslib/releases)
- [Commits](https://github.com/secure-systems-lab/go-securesystemslib/compare/v0.3.1...v0.4.0)
---
updated-dependencies:
- dependency-name: github.com/secure-systems-lab/go-securesystemslib
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>