This is required when uploading jars by URL.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

Signed-off-by: Asra Ali <asraa@google.com>

* Add new type for JAR archives

This adds support for a new pluggable type that can extract signatures
from signed JAR files. Per the JAR spec, a special manifest file is
created with the digest hashes of all included content in the JAR file.
It is this special manifest file that is then signed, and included in a
file within the archive in PKCS7 format. The PKCS7 file also includes
the X509 certificate that can be used to verify the signed manifest file
inside of the JAR.

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* update boilerplate header and apply go fmt

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

* lints: fix golangci-lint issues

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

* updated based on feedback

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

This makes the binaries "go installable" by their canonical names.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

Since the verification of a signature will, by definition, include
verifying the content has not been altered, it is unnecessary to require
users of the CLI or REST API to specify the SHA256 hash of the content
when creating a new entry into the log.

Note that the server will still compute the hash and store it in the log
for ease of comparison.

Fixes #180

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

All instances of projectrekor are now renamed to SigStore

This includes:

* Import paths
* Tests
* Readme's

Signed-off-by: Luke Hinds <lhinds@redhat.com>

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

Co-authored-by: Dan Lorenc <dlorenc@google.com>

Still need to add some more e2e-style tests that go through the ArtifactFactory flow.

This supports pgp and minisign right now. We can add logic to try to detect these later.

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

also adds --log-index parameter to CLI verify command

Signed-off-by: Bob Callaway <bcallawa@redhat.com>