Bumps [github.com/go-openapi/runtime](https://github.com/go-openapi/runtime) from 0.19.26 to 0.19.27.
- [Release notes](https://github.com/go-openapi/runtime/releases)
- [Commits](https://github.com/go-openapi/runtime/compare/v0.19.26...v0.19.27

)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Pin the trillian deps in docker-compose.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

* Remove gzip processing flow completely from rekor

Issue #208 reported different handling of gzipped content via fetch vs
direct upload to rekor server. The code should be consistent, regardless
of whether content was compressed or not - by always attempting to
verify the signature against the (unmodified) byte stream.

This patch removes the gzip decoding completely from rekor and verifies
the bytes supplied or referenced.

Also fixes issue in E2E tests where sending SIGKILL to watch process
caused message to be printed to stderr, which fails the test when
running on MacOS.

Fixes #208

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.9.0 to 1.10.0.
- [Release notes](https://github.com/prometheus/client_golang/releases)
- [Changelog](https://github.com/prometheus/client_golang/blob/master/CHANGELOG.md)
- [Commits](https://github.com/prometheus/client_golang/compare/v1.9.0...v1.10.0

)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Signed-off-by: axelsimon <github@axelsimon.net>

Store the whole cert.

Add a second job that watches rekor for new STH entries and publishes

them to GCS.

We don't always have a new one, and under load there might be "batches" of entries
all integrated into the same STH. This means there is no guaranteed frequency of updates
or even a guarantee that every index will exist.

The values (and timestamps) should be monotonically increasing though.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

Signed-off-by: Dan Lorenc <dlorenc@google.com>

Add the index back. This was failing tests for me.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

Add the logid as a fixed parameter for the "prod" deploy.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

This will allow us to use types.NewEntry() to unmarshal returned
values in clients.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

No gzip check on fetching signed payload

Signed-off-by: Shiwei Zhang <shizh@microsoft.com>

Bumps golang from 1.16.0 to 1.16.2.

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Add timestamps to the log_info output.

Also clean up a few small panics along the way.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

Update version of docker-compose.yml

start_period in healthcheck and target in build are properties that are not supported for docker-compose versions <3.4. This change fixes this issue.

Signed-off-by: Efe Barlas <ebarlas@purdue.edu>

Return 400 error if requested tree size > reality

Validate and return hash and size from signed root

Currently we return a 500 error if a consistency proof is requested for
a size that exceeds the current state of the log. This change causes a
400 "Bad Request" error with a more descriptive error message to be
returned.

Fixes #199

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

The loginfo API returns both the current size, root hash, as well as the
signed tree head that callers can verify if they wish. The CLI does a
check to verify the signature on the tree head returned, but was
reporting the unsigned size and hash. This change ensures that the
values match and prints the values from the signed tree head.

Fixes #200

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

Add some text explaining the lack of SLOs on our production instance.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

Provide context on how Rekor is part of sigstores infra

Signed-off-by: Luke Hinds <lhinds@redhat.com>

Move the configs over to another repo.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

This lets you retrieve entries by UUID or index, and see the other
value.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

Bumps [securego/gosec](https://github.com/securego/gosec) from v2.6.1 to v2.7.0.
- [Release notes](https://github.com/securego/gosec/releases)
- [Changelog](https://github.com/securego/gosec/blob/master/.goreleaser.yml)
- [Commits](https://github.com/securego/gosec/compare/v2.6.1...27a5ffb5c8f6dd3b6dea3b8e6019a2b3d43bf0f9

)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Domain name update

Signed-off-by: Luke Hinds <lhinds@redhat.com>
Co-authored-by: Stephen Augustus <justaugustus@users.noreply.github.com>

Add both ingress paths to the cert-manager for now.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

Since the API key can be specified as an environment variable and could
be thought of as an authentication credential, it should not be included
in the path to the created entry in the log.

Previously we simply appended the new entry's UUID to the full URL,
which was incorrect if an API key was specified as a query parameter.

Fixes #182

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

In our CI environment there is an artifical delay in between starting
the Rekor services via docker-compose and when the E2E tests are
actually executed due to Go modules being downloaded. In a local
development environment, the download may not be required so the tests
can start before the docker-compose services are actually running.

This introduces a healthcheck for services (where possible), and blocks
the start of the e2e tests until the services are reporting as healthy.
It also forces the use of an empty homedir and rekor config file to
ensure no collision between the tests and the developer's environment.

Fixes #183

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

no longer require SHA to upload artifacts to log