* helpful error message for hashedrekord types

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* Refactor PKI factory and add type checking

This allows for more DRY addition of new PKI types, and stricter
type checking. This also allows for simpler enumeration of
supported PKI formats which will be used in further updates to
simplify the CLI codebase.

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* revamp CLI flags; support different versions for upload

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* Add Alpine Package type

This adds support for the alpine package format used by Alpine Linux,
which is the concatenation of three tgz files (signature, control data,
and then the actual package files).

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* use shaFlag for --artifact-hash

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* change arg type to PKIFormat

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* defer type-specific validation logic to type code (instead of in CLI); also use CliLogger throughout CLI

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* refactor factory code

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* review comments

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

Signed-off-by: Dan Lorenc <dlorenc@google.com>

* Added Helm type

Signed-off-by: Andrew Block <andy.block@gmail.com>

* Cleaned up helm type

Signed-off-by: Andrew Block <andy.block@gmail.com>

* Correct Helm schema required fields

Signed-off-by: Andrew Block <andy.block@gmail.com>

* Regenerated Helm schema

Signed-off-by: Andrew Block <andy.block@gmail.com>

* Move GetRekorClient into util directory

Since other sigstore projects are using GetRekorClient, this moves it
into the pkg/util directory so that the number of dependencies this
brings with it can be minimized.

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* move to pkg/client

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

This adds support for the alpine package format used by Alpine Linux,
which is the concatenation of three tgz files (signature, control data,
and then the actual package files).

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

Signed-off-by: Asra Ali <asraa@google.com>

Signed-off-by: Appu Goundan <appu@google.com>

This uses a custom fork of in-toto-golang because not all the changes are merged
in one place.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

* Add Log ID into SET verification step

This also causes the upload command to return a non-zero error code
because of a verification failure.

Fixes #308

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* since this is only done on upload, we can assume it is set

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Add new type for JAR archives

This adds support for a new pluggable type that can extract signatures
from signed JAR files. Per the JAR spec, a special manifest file is
created with the digest hashes of all included content in the JAR file.
It is this special manifest file that is then signed, and included in a
file within the archive in PKCS7 format. The PKCS7 file also includes
the X509 certificate that can be used to verify the signed manifest file
inside of the JAR.

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* update boilerplate header and apply go fmt

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

* lints: fix golangci-lint issues

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

* updated based on feedback

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

This makes the binaries "go installable" by their canonical names.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

Adds a Location response header when a 409 Conflict error is returned
from the server when a duplicate entry is sent for insertion into the
log. Also changes message printed by CLI to improve usability.

Fixes #222

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

All instances of projectrekor are now renamed to SigStore

This includes:

* Import paths
* Tests
* Readme's

Signed-off-by: Luke Hinds <lhinds@redhat.com>

Next up is a JSON output mode to make testing/scripting easier.

also adds --log-index parameter to CLI verify command

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

This retargets #67 at main instead of openapi branch

simplify upload command to reuse common PKI package across client & server

This also breaks the go module dependency on rekor-server.

This is the first step in code reorganization. This follows the patterns
from kubernetes/kubernetes - each binary gets a directory under cmd/.
The main.go file for each binary lives there.
The commands live under cmd//app.

Implement upload command

Accept flags artifact-url,public-key, signature and validate GPG formatting and verify file signature

This change refactors client.go and file.go into an `app` package.

This will make it more easily consumed by rekor-ctl

Once this change is in, I will push rekor-ctl up and then look to
further refactor use of code already duped in rekor-server