From d6e9e0259d35b0409f6e188567c203c40a4aebfe Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 16 Jun 2022 13:41:03 +0200
Subject: [PATCH 1/4] Bump actions/dependency-review-action from 2.0.0 to 2.0.2
 (#875)

* Bump actions/dependency-review-action from 2.0.0 to 2.0.2

Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 2.0.0 to 2.0.2.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](https://github.com/actions/dependency-review-action/compare/97790d29c7fb370b5e1edbec513501e78789337d...1c59cdf2a9c7f29c90e8da32237eb04b81bad9f0)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* update version comment

Signed-off-by: cpanato <ctadeu@gmail.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: cpanato <ctadeu@gmail.com>
---
 .github/workflows/depsreview.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/depsreview.yml b/.github/workflows/depsreview.yml
index 2717df5e0..e0b7c971e 100644
--- a/.github/workflows/depsreview.yml
+++ b/.github/workflows/depsreview.yml
@@ -25,4 +25,4 @@ jobs:
       - name: 'Checkout Repository'
         uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@97790d29c7fb370b5e1edbec513501e78789337d # v1
+        uses: actions/dependency-review-action@1c59cdf2a9c7f29c90e8da32237eb04b81bad9f0 # v2

From 4f0b750ea3cee548684227570190250fcd136f02 Mon Sep 17 00:00:00 2001
From: Hayden B <hblauzvern@google.com>
Date: Thu, 16 Jun 2022 04:48:00 -0700
Subject: [PATCH 2/4] Allow an expired certificate chain to be uploaded and
 verified (#873)

This causes issues when trying to look up an entry where the chain was
valid/unexpired when uploaded, but has since expired when it's
retreived.

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
---
 pkg/pki/x509/testutils/cert_test_utils.go | 34 +++++++++++++++++++++--
 pkg/pki/x509/x509.go                      |  2 ++
 pkg/pki/x509/x509_test.go                 | 12 ++++++++
 3 files changed, 46 insertions(+), 2 deletions(-)

diff --git a/pkg/pki/x509/testutils/cert_test_utils.go b/pkg/pki/x509/testutils/cert_test_utils.go
index 827505c21..ec0167eaf 100644
--- a/pkg/pki/x509/testutils/cert_test_utils.go
+++ b/pkg/pki/x509/testutils/cert_test_utils.go
@@ -67,7 +67,7 @@ func GenerateRootCa() (*x509.Certificate, *ecdsa.PrivateKey, error) {
 			CommonName:   "sigstore",
 			Organization: []string{"sigstore.dev"},
 		},
-		NotBefore:             time.Now().Add(-5 * time.Minute),
+		NotBefore:             time.Now().Add(-10 * time.Minute),
 		NotAfter:              time.Now().Add(5 * time.Hour),
 		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
 		BasicConstraintsValid: true,
@@ -94,7 +94,7 @@ func GenerateSubordinateCa(rootTemplate *x509.Certificate, rootPriv crypto.Signe
 			CommonName:   "sigstore-sub",
 			Organization: []string{"sigstore.dev"},
 		},
-		NotBefore:             time.Now().Add(-2 * time.Minute),
+		NotBefore:             time.Now().Add(-9 * time.Minute),
 		NotAfter:              time.Now().Add(2 * time.Hour),
 		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
@@ -144,3 +144,33 @@ func GenerateLeafCert(subject string, oidcIssuer string, parentTemplate *x509.Ce
 
 	return cert, priv, nil
 }
+
+func GenerateExpiredLeafCert(subject string, oidcIssuer string, parentTemplate *x509.Certificate, parentPriv crypto.Signer) (*x509.Certificate, *ecdsa.PrivateKey, error) {
+	certTemplate := &x509.Certificate{
+		SerialNumber:   big.NewInt(1),
+		EmailAddresses: []string{subject},
+		NotBefore:      time.Now().Add(-5 * time.Minute),
+		NotAfter:       time.Now().Add(-2 * time.Minute),
+		KeyUsage:       x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
+		IsCA:           false,
+		ExtraExtensions: []pkix.Extension{{
+			// OID for OIDC Issuer extension
+			Id:       asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1},
+			Critical: false,
+			Value:    []byte(oidcIssuer),
+		}},
+	}
+
+	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	cert, err := createCertificate(certTemplate, parentTemplate, &priv.PublicKey, parentPriv)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return cert, priv, nil
+}
diff --git a/pkg/pki/x509/x509.go b/pkg/pki/x509/x509.go
index 0cc3ab665..49fa1c544 100644
--- a/pkg/pki/x509/x509.go
+++ b/pkg/pki/x509/x509.go
@@ -211,6 +211,8 @@ func verifyCertChain(certChain []*x509.Certificate) error {
 		Intermediates: subPool,
 		// Allow any key usage
 		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
+		// Expired certificates can be uploaded and should be verifiable
+		CurrentTime: certChain[0].NotBefore,
 	}); err != nil {
 		return err
 	}
diff --git a/pkg/pki/x509/x509_test.go b/pkg/pki/x509/x509_test.go
index ceeb68000..aa0805477 100644
--- a/pkg/pki/x509/x509_test.go
+++ b/pkg/pki/x509/x509_test.go
@@ -250,6 +250,18 @@ func TestPublicKeyWithCertChain(t *testing.T) {
 		t.Fatalf("unexpected error verifying signature, %v", err)
 	}
 
+	// Verify works with expired certificate
+	leafCert, leafKey, _ = testutils.GenerateExpiredLeafCert("subject@example.com", "oidc-issuer", subCert, subKey)
+	pemCertChain, _ = cryptoutils.MarshalCertificatesToPEM([]*x509.Certificate{leafCert, subCert, rootCert})
+	pub, _ = NewPublicKey(bytes.NewReader(pemCertChain))
+	signer, _ = signature.LoadSigner(leafKey, crypto.SHA256)
+	sigBytes, _ = signer.SignMessage(bytes.NewReader(data))
+	s, _ = NewSignature(bytes.NewReader(sigBytes))
+	err = s.Verify(bytes.NewReader(data), pub)
+	if err != nil {
+		t.Fatalf("unexpected error verifying signature with expired cert: %v", err)
+	}
+
 	// Verify error with invalid chain
 	pemCertChain, _ = cryptoutils.MarshalCertificatesToPEM([]*x509.Certificate{leafCert, rootCert})
 	pub, _ = NewPublicKey(bytes.NewReader(pemCertChain))

From e981811726530c70ec707902022c336d1f1c37b4 Mon Sep 17 00:00:00 2001
From: Carlos Tadeu Panato Junior <ctadeu@gmail.com>
Date: Thu, 16 Jun 2022 22:10:13 +0200
Subject: [PATCH 3/4] add changelog for v0.8.1 (#874)

Signed-off-by: cpanato <ctadeu@gmail.com>
---
 CHANGELOG.md | 321 +++++++++++++++++++++++++++------------------------
 1 file changed, 170 insertions(+), 151 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ce1e6e16e..9037f7e77 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,25 +1,44 @@
+# v0.8.1
+
+## Bug Fixes
+
+* Allow an expired certificate chain to be uploaded and verified (https://github.com/sigstore/rekor/pull/873)
+* Fix indexing bug for intoto attestations (https://github.com/sigstore/rekor/pull/870)
+
+## Others
+
+* Bump actions/dependency-review-action from 1.0.2 to 2 (https://github.com/sigstore/rekor/pull/871)
+* Bump sigstore/cosign-installer from 2.3.0 to 2.4.0 (https://github.com/sigstore/rekor/pull/868)
+* add changelog for v0.8.0 (https://github.com/sigstore/rekor/pull/866)
+
+## Contributors
+
+* Carlos Tadeu Panato Junior (@cpanato)
+* Hayden Blauzvern (@haydentherapper)
+* Priya Wadhwa (@priyawadhwa)
+
 # v0.8.0
 
 ## Enhancements
 
-* Print total tree size, including inactive shards in `rekor-cli loginfo` (#864)
-* Allow retrieving entryIDs or UUIDs via `/api/v1/log/entries/retrieve` endpoint (#859)
-* Improve error message when using ED25519 with HashedRekord type (#862)
+* Print total tree size, including inactive shards in `rekor-cli loginfo` (https://github.com/sigstore/rekor/pull/864)
+* Allow retrieving entryIDs or UUIDs via `/api/v1/log/entries/retrieve` endpoint (https://github.com/sigstore/rekor/pull/859)
+* Improve error message when using ED25519 with HashedRekord type (https://github.com/sigstore/rekor/pull/862)
 
 ## Others
 
-* Bump github.com/spf13/viper from 1.11.0 to 1.12.0 (#844)
-* Bump github.com/go-openapi/validate from 0.21.0 to 0.22.0 (#863)
-* update go.mod to go1.17 (#861)
-* update cross-builder image to use go1.17.11 and dockerfile base image (#860)
-* Bump github/codeql-action from 2.1.11 to 2.1.12 (#858)
-* Bump ossf/scorecard-action from 1.1.0 to 1.1.1 (#857)
-* Bump google.golang.org/grpc from 1.46.2 to 1.47.0 (#852)
-* Bump github.com/secure-systems-lab/go-securesystemslib (#853)
-* Configure rekor server in e2e tests via env variable (#850)
-* Bump gopkg.in/ini.v1 from 1.66.5 to 1.66.6 (#848)
-* Update go-tuf and sigstore/sigstore to non-vulnerable go-tuf version. (#847)
-* Bump gopkg.in/ini.v1 from 1.66.4 to 1.66.5 (#846)
+* Bump github.com/spf13/viper from 1.11.0 to 1.12.0 (https://github.com/sigstore/rekor/pull/844)
+* Bump github.com/go-openapi/validate from 0.21.0 to 0.22.0 (https://github.com/sigstore/rekor/pull/863)
+* update go.mod to go1.17 (https://github.com/sigstore/rekor/pull/861)
+* update cross-builder image to use go1.17.11 and dockerfile base image (https://github.com/sigstore/rekor/pull/860)
+* Bump github/codeql-action from 2.1.11 to 2.1.12 (https://github.com/sigstore/rekor/pull/858)
+* Bump ossf/scorecard-action from 1.1.0 to 1.1.1 (https://github.com/sigstore/rekor/pull/857)
+* Bump google.golang.org/grpc from 1.46.2 to 1.47.0 (https://github.com/sigstore/rekor/pull/852)
+* Bump github.com/secure-systems-lab/go-securesystemslib (https://github.com/sigstore/rekor/pull/853)
+* Configure rekor server in e2e tests via env variable (https://github.com/sigstore/rekor/pull/850)
+* Bump gopkg.in/ini.v1 from 1.66.5 to 1.66.6 (https://github.com/sigstore/rekor/pull/848)
+* Update go-tuf and sigstore/sigstore to non-vulnerable go-tuf version. (https://github.com/sigstore/rekor/pull/847)
+* Bump gopkg.in/ini.v1 from 1.66.4 to 1.66.5 (https://github.com/sigstore/rekor/pull/846)
 
 ## Contributors
 
@@ -35,51 +54,51 @@ If you are relying on the timestamping authority to issue signed timestamps, cre
 
 ## Enhancements
 
-* Remove timestamping authority (#813)
-* Limit the number of certificates parsed in a chain (#823)
-* Retrieve shard tree length if it isn't provided in the config (#810)
-* Don't try to index on hash for intoto obj if one isn't available (#800)
-* intoto: add index on materials digest of slsa provenance (#793)
-* remove URL fetch of keys/artifacts server-side (#735)
+* Remove timestamping authority (https://github.com/sigstore/rekor/pull/813)
+* Limit the number of certificates parsed in a chain (https://github.com/sigstore/rekor/pull/823)
+* Retrieve shard tree length if it isn't provided in the config (https://github.com/sigstore/rekor/pull/810)
+* Don't try to index on hash for intoto obj if one isn't available (https://github.com/sigstore/rekor/pull/800)
+* intoto: add index on materials digest of slsa provenance (https://github.com/sigstore/rekor/pull/793)
+* remove URL fetch of keys/artifacts server-side (https://github.com/sigstore/rekor/pull/735)
 
 ## Others
 
-* all: remove dependency on deprecated github.com/pkg/errors (#834)
-* Add back owners for rfc3161 package type (#833)
-* Bump google-github-actions/auth from 0.7.2 to 0.7.3 (#832)
-* Bump github/codeql-action from 2.1.10 to 2.1.11 (#829)
-* Bump google-github-actions/auth from 0.7.1 to 0.7.2 (#830)
-* Bump google.golang.org/grpc from 1.46.0 to 1.46.2 (#828)
-* Bump actions/dependency-review-action (#825)
-* Bump actions/github-script from 6.0.0 to 6.1.0 (#826)
-* Bump github.com/prometheus/client_golang from 1.12.1 to 1.12.2 (#827)
-* update go to 1.17.10 in the dockerfile (#819)
-* Bump github.com/google/trillian from 1.4.0 to 1.4.1 in /hack/tools (#818)
-* Bump github.com/google/trillian from 1.4.0 to 1.4.1 (#817)
-* Bump actions/setup-go from 3.0.0 to 3.1.0 (#822)
-* Bump github/codeql-action (#821)
-* update release builder images to use go 1.17.10 and cosign image to 1.18.0 (#820)
-* Bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 (#815)
-* Bump github/codeql-action from 2.1.9 to 2.1.10 (#816)
-* Bump github.com/go-openapi/runtime from 0.24.0 to 0.24.1 (#811)
-* Bump github.com/go-openapi/spec from 0.20.5 to 0.20.6 (#802)
-* Move trillian/merkly to transparency-dev (#807)
-* Bump github.com/go-playground/validator/v10 from 10.10.1 to 10.11.0 (#803)
-* chore(deps): Included dependency review (#788)
-* Bump github.com/go-openapi/runtime from 0.23.3 to 0.24.0 (#799)
-* Bump github.com/google/go-cmp from 0.5.7 to 0.5.8 (#794)
-* Bump sigstore/cosign-installer from 2.2.1 to 2.3.0 (#795)
-* Bump github/codeql-action from 2.1.8 to 2.1.9 (#796)
-* Bump google.golang.org/grpc from 1.45.0 to 1.46.0 (#791)
-* Bump google-github-actions/auth from 0.7.0 to 0.7.1 (#790)
-* Bump actions/checkout from 3.0.1 to 3.0.2 (#786)
-* Bump codecov/codecov-action from 3.0.0 to 3.1.0 (#785)
-* Bump github.com/mitchellh/mapstructure from 1.4.3 to 1.5.0 (#782)
-* Bump github.com/mediocregopher/radix/v4 from 4.0.0 to 4.1.0 (#781)
-* Bump anchore/sbom-action from 0.10.0 to 0.11.0 (#779)
-* Bump actions/checkout from 3.0.0 to 3.0.1 (#778)
-* Bump github.com/spf13/viper from 1.10.1 to 1.11.0 (#777)
-* Bump sigstore/cosign-installer from 2.2.0 to 2.2.1 (#776)
+* all: remove dependency on deprecated github.com/pkg/errors (https://github.com/sigstore/rekor/pull/834)
+* Add back owners for rfc3161 package type (https://github.com/sigstore/rekor/pull/833)
+* Bump google-github-actions/auth from 0.7.2 to 0.7.3 (https://github.com/sigstore/rekor/pull/832)
+* Bump github/codeql-action from 2.1.10 to 2.1.11 (https://github.com/sigstore/rekor/pull/829)
+* Bump google-github-actions/auth from 0.7.1 to 0.7.2 (https://github.com/sigstore/rekor/pull/830)
+* Bump google.golang.org/grpc from 1.46.0 to 1.46.2 (https://github.com/sigstore/rekor/pull/828)
+* Bump actions/dependency-review-action (https://github.com/sigstore/rekor/pull/825)
+* Bump actions/github-script from 6.0.0 to 6.1.0 (https://github.com/sigstore/rekor/pull/826)
+* Bump github.com/prometheus/client_golang from 1.12.1 to 1.12.2 (https://github.com/sigstore/rekor/pull/827)
+* update go to 1.17.10 in the dockerfile (https://github.com/sigstore/rekor/pull/819)
+* Bump github.com/google/trillian from 1.4.0 to 1.4.1 in /hack/tools (https://github.com/sigstore/rekor/pull/818)
+* Bump github.com/google/trillian from 1.4.0 to 1.4.1 (https://github.com/sigstore/rekor/pull/817)
+* Bump actions/setup-go from 3.0.0 to 3.1.0 (https://github.com/sigstore/rekor/pull/822)
+* Bump github/codeql-action (https://github.com/sigstore/rekor/pull/821)
+* update release builder images to use go 1.17.10 and cosign image to 1.18.0 (https://github.com/sigstore/rekor/pull/820)
+* Bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 (https://github.com/sigstore/rekor/pull/815)
+* Bump github/codeql-action from 2.1.9 to 2.1.10 (https://github.com/sigstore/rekor/pull/816)
+* Bump github.com/go-openapi/runtime from 0.24.0 to 0.24.1 (https://github.com/sigstore/rekor/pull/811)
+* Bump github.com/go-openapi/spec from 0.20.5 to 0.20.6 (https://github.com/sigstore/rekor/pull/802)
+* Move trillian/merkly to transparency-dev (https://github.com/sigstore/rekor/pull/807)
+* Bump github.com/go-playground/validator/v10 from 10.10.1 to 10.11.0 (https://github.com/sigstore/rekor/pull/803)
+* chore(deps): Included dependency review (https://github.com/sigstore/rekor/pull/788)
+* Bump github.com/go-openapi/runtime from 0.23.3 to 0.24.0 (https://github.com/sigstore/rekor/pull/799)
+* Bump github.com/google/go-cmp from 0.5.7 to 0.5.8 (https://github.com/sigstore/rekor/pull/794)
+* Bump sigstore/cosign-installer from 2.2.1 to 2.3.0 (https://github.com/sigstore/rekor/pull/795)
+* Bump github/codeql-action from 2.1.8 to 2.1.9 (https://github.com/sigstore/rekor/pull/796)
+* Bump google.golang.org/grpc from 1.45.0 to 1.46.0 (https://github.com/sigstore/rekor/pull/791)
+* Bump google-github-actions/auth from 0.7.0 to 0.7.1 (https://github.com/sigstore/rekor/pull/790)
+* Bump actions/checkout from 3.0.1 to 3.0.2 (https://github.com/sigstore/rekor/pull/786)
+* Bump codecov/codecov-action from 3.0.0 to 3.1.0 (https://github.com/sigstore/rekor/pull/785)
+* Bump github.com/mitchellh/mapstructure from 1.4.3 to 1.5.0 (https://github.com/sigstore/rekor/pull/782)
+* Bump github.com/mediocregopher/radix/v4 from 4.0.0 to 4.1.0 (https://github.com/sigstore/rekor/pull/781)
+* Bump anchore/sbom-action from 0.10.0 to 0.11.0 (https://github.com/sigstore/rekor/pull/779)
+* Bump actions/checkout from 3.0.0 to 3.0.1 (https://github.com/sigstore/rekor/pull/778)
+* Bump github.com/spf13/viper from 1.10.1 to 1.11.0 (https://github.com/sigstore/rekor/pull/777)
+* Bump sigstore/cosign-installer from 2.2.0 to 2.2.1 (https://github.com/sigstore/rekor/pull/776)
 
 ## Contributors
 
@@ -98,109 +117,109 @@ Notice: The server side remote fetching of resources will be removed in the next
 
 ## Enhancements
 
-* Create EntryID for new artifacts and return EntryID to user (#623)
-* Add search through inactive shards for GET by UUID (#750)
-* Add in configmap to release for sharding config (#766)
-* set p.Block after parsing; other cleanup (#759)
-* Add index to hashed intoto envelope (#761)
-* Add the SHA256 digest of the intoto payload into the rekor entry (#764)
-* Add support for providing certificate chain for X509 signature types (#747)
-* Specify public key for inactive shards in shard config (#746)
-* Use active tree on server startup (#727)
-* Require tlog_id when inactive shard config file is passed in (#739)
-* Replace `trillian_log_server.log_id_ranges` flag with a config file (#742)
-* Update loginfo API endpoint to return information about inactive shards (#738)
-* Refactor rekor-cli loginfo (#734)
-* Get log proofs by Tree ID (#733)
-* Return virtual index when creating and getting a log entry (#725)
-* Clearer logging for createAndInitTree (#724)
-* Change TreeID to be of type `string` instead of `int64` (#712)
-* Switch to using the swag library for pointer manipulation. (#719)
-* Make the loginfo command a bit more future/backwards proof. (#718)
-* Use logRangesFlag in API, route reads based on TreeID (#671)
-* Set rekor-cli User-Agent header on requests (#684)
-* create namespace for rekor config in yaml. (#680)
-* add securityContext to deployment. (#678)
-* Move k8s objects out of the default namespace (#674)
+* Create EntryID for new artifacts and return EntryID to user (https://github.com/sigstore/rekor/pull/623)
+* Add search through inactive shards for GET by UUID (https://github.com/sigstore/rekor/pull/750)
+* Add in configmap to release for sharding config (https://github.com/sigstore/rekor/pull/766)
+* set p.Block after parsing; other cleanup (https://github.com/sigstore/rekor/pull/759)
+* Add index to hashed intoto envelope (https://github.com/sigstore/rekor/pull/761)
+* Add the SHA256 digest of the intoto payload into the rekor entry (https://github.com/sigstore/rekor/pull/764)
+* Add support for providing certificate chain for X509 signature types (https://github.com/sigstore/rekor/pull/747)
+* Specify public key for inactive shards in shard config (https://github.com/sigstore/rekor/pull/746)
+* Use active tree on server startup (https://github.com/sigstore/rekor/pull/727)
+* Require tlog_id when inactive shard config file is passed in (https://github.com/sigstore/rekor/pull/739)
+* Replace `trillian_log_server.log_id_ranges` flag with a config file (https://github.com/sigstore/rekor/pull/742)
+* Update loginfo API endpoint to return information about inactive shards (https://github.com/sigstore/rekor/pull/738)
+* Refactor rekor-cli loginfo (https://github.com/sigstore/rekor/pull/734)
+* Get log proofs by Tree ID (https://github.com/sigstore/rekor/pull/733)
+* Return virtual index when creating and getting a log entry (https://github.com/sigstore/rekor/pull/725)
+* Clearer logging for createAndInitTree (https://github.com/sigstore/rekor/pull/724)
+* Change TreeID to be of type `string` instead of `int64` (https://github.com/sigstore/rekor/pull/712)
+* Switch to using the swag library for pointer manipulation. (https://github.com/sigstore/rekor/pull/719)
+* Make the loginfo command a bit more future/backwards proof. (https://github.com/sigstore/rekor/pull/718)
+* Use logRangesFlag in API, route reads based on TreeID (https://github.com/sigstore/rekor/pull/671)
+* Set rekor-cli User-Agent header on requests (https://github.com/sigstore/rekor/pull/684)
+* create namespace for rekor config in yaml. (https://github.com/sigstore/rekor/pull/680)
+* add securityContext to deployment. (https://github.com/sigstore/rekor/pull/678)
+* Move k8s objects out of the default namespace (https://github.com/sigstore/rekor/pull/674)
 
 ## Bug Fixes
 
-* Fix search without sha prefix (#767)
-* Fix link in types README (#765)
-* fix typo in filename (#758)
-* fix build date format for version command (#745)
-* fix merge conflict (#720)
+* Fix search without sha prefix (https://github.com/sigstore/rekor/pull/767)
+* Fix link in types README (https://github.com/sigstore/rekor/pull/765)
+* fix typo in filename (https://github.com/sigstore/rekor/pull/758)
+* fix build date format for version command (https://github.com/sigstore/rekor/pull/745)
+* fix merge conflict (https://github.com/sigstore/rekor/pull/720)
 
 ## Documentation
 
-* Add documentation about Alpine type (#697)
-* update security process link (#685)
-* Add intoto type documentation (#679)
-* Add docs about API stabilitly and deprecation policy (#661)
+* Add documentation about Alpine type (https://github.com/sigstore/rekor/pull/697)
+* update security process link (https://github.com/sigstore/rekor/pull/685)
+* Add intoto type documentation (https://github.com/sigstore/rekor/pull/679)
+* Add docs about API stabilitly and deprecation policy (https://github.com/sigstore/rekor/pull/661)
 
 ## Others
 
-* Bump github.com/go-openapi/spec from 0.20.4 to 0.20.5 (#768)
-* Bump anchore/sbom-action from 0.9.0 to 0.10.0 (#763)
-* Bump github/codeql-action from 2.1.7 to 2.1.8 (#762)
-* Update release jobs and trillian images (#756)
-* Bump sigstore/cosign-installer from 2.1.0 to 2.2.0 (#757)
-* Bump anchore/sbom-action from 0.8.0 to 0.9.0 (#754)
-* Bump codecov/codecov-action from 2.1.0 to 3 (#753)
-* Bump github/codeql-action from 2.1.6 to 2.1.7 (#752)
-* Bump google-github-actions/auth from 0.6.0 to 0.7.0 (#751)
-* Bump github/codeql-action from 1.1.5 to 2.1.6 (#748)
-* Bump anchore/sbom-action from 0.7.0 to 0.8.0 (#743)
-* Bump google.golang.org/protobuf from 1.27.1 to 1.28.0 (#744)
-* Bump github.com/go-openapi/runtime from 0.23.2 to 0.23.3 (#740)
-* Bump github/codeql-action from 1.1.4 to 1.1.5 (#736)
-* Use reusuable release workflow in sigstore/sigstore (#729)
-* Fix copy/paste mistake in repo name. (#730)
-* Bump github.com/spf13/cobra from 1.3.0 to 1.4.0 (#728)
-* Bump golang from `ca70980` to `c7c9458` (#722)
-* Bump google.golang.org/grpc from 1.44.0 to 1.45.0 (#723)
-* Add sharding e2e test to Github Actions (#714)
-* Bump github.com/go-playground/validator/v10 from 10.10.0 to 10.10.1 (#717)
-* Bump github/codeql-action from 1.1.3 to 1.1.4 (#716)
-* Add trillian container to existing release. (#715)
-* Bump golang from `0168c35` to `ca70980` (#707)
-* Mirror signed release images from GCR to GHCR as part of release (#701)
-* Bump anchore/sbom-action from 0.6.0 to 0.7.0 (#709)
-* Bump github.com/go-openapi/runtime from 0.23.1 to 0.23.2 (#710)
-* Bump sigstore/cosign-installer from 2.0.1 to 2.1.0 (#708)
-* Generate release yaml artifact. (#702)
-* Bump actions/upload-artifact from 2.3.1 to 3 (#704)
-* Go update to 1.17.8 and cosign to 1.6.0 (#705)
-* Consistent parenthesis use in Makefile (#700)
-* add code coverage to pull request. (#676)
-* Bump actions/checkout from 2.4.0 to 3 (#698)
-* Bump goreleaser/goreleaser-action from 2.9.0 to 2.9.1 (#696)
-* Bump actions/setup-go from 2.2.0 to 3.0.0 (#694)
-* Bump github.com/secure-systems-lab/go-securesystemslib (#695)
-* Bump golangci/golangci-lint-action from 3.0.0 to 3.1.0 (#693)
-* Bump goreleaser/goreleaser-action from 2.8.1 to 2.9.0 (#692)
-* Bump golangci/golangci-lint-action from 2.5.2 to 3 (#691)
-* Bump github/codeql-action from 1.1.2 to 1.1.3 (#690)
-* Bump github.com/go-openapi/runtime from 0.23.0 to 0.23.1 (#689)
-* explicitly set permissions for github actions (#687)
-* Bump sigstore/cosign-installer from 2.0.0 to 2.0.1 (#686)
-* Bump ossf/scorecard-action from 1.0.3 to 1.0.4 (#683)
-* Bump github/codeql-action from 1.1.0 to 1.1.2 (#682)
-* Bump actions/github-script from 5.1.0 to 6 (#669)
-* Bump github/codeql-action from 1.0.32 to 1.1.0 (#668)
-* update cross-build and dockerfile to use go 1.17.7 (#666)
-* Bump gopkg.in/ini.v1 from 1.66.3 to 1.66.4 (#664)
-* Bump actions/setup-go from 2.1.5 to 2.2.0 (#663)
-* Bump golang from `301609e` to `fff998d` (#662)
-* use upstream k8s version lib (#657)
-* Bump github/codeql-action from 1.0.31 to 1.0.32 (#659)
-* Bump go.uber.org/zap from 1.20.0 to 1.21.0 (#660)
-* Bump github.com/go-openapi/strfmt from 0.21.1 to 0.21.2 (#656)
-* Bump github.com/go-openapi/runtime from 0.22.0 to 0.23.0 (#655)
-* Update the warning text for the GA release. (#654)
-* attempting to fix codeowners file (#653)
-* update release job (#651)
-* Bump google-github-actions/auth from 0.5.0 to 0.6.0 (#652)
+* Bump github.com/go-openapi/spec from 0.20.4 to 0.20.5 (https://github.com/sigstore/rekor/pull/768)
+* Bump anchore/sbom-action from 0.9.0 to 0.10.0 (https://github.com/sigstore/rekor/pull/763)
+* Bump github/codeql-action from 2.1.7 to 2.1.8 (https://github.com/sigstore/rekor/pull/762)
+* Update release jobs and trillian images (https://github.com/sigstore/rekor/pull/756)
+* Bump sigstore/cosign-installer from 2.1.0 to 2.2.0 (https://github.com/sigstore/rekor/pull/757)
+* Bump anchore/sbom-action from 0.8.0 to 0.9.0 (https://github.com/sigstore/rekor/pull/754)
+* Bump codecov/codecov-action from 2.1.0 to 3 (https://github.com/sigstore/rekor/pull/753)
+* Bump github/codeql-action from 2.1.6 to 2.1.7 (https://github.com/sigstore/rekor/pull/752)
+* Bump google-github-actions/auth from 0.6.0 to 0.7.0 (https://github.com/sigstore/rekor/pull/751)
+* Bump github/codeql-action from 1.1.5 to 2.1.6 (https://github.com/sigstore/rekor/pull/748)
+* Bump anchore/sbom-action from 0.7.0 to 0.8.0 (https://github.com/sigstore/rekor/pull/743)
+* Bump google.golang.org/protobuf from 1.27.1 to 1.28.0 (https://github.com/sigstore/rekor/pull/744)
+* Bump github.com/go-openapi/runtime from 0.23.2 to 0.23.3 (https://github.com/sigstore/rekor/pull/740)
+* Bump github/codeql-action from 1.1.4 to 1.1.5 (https://github.com/sigstore/rekor/pull/736)
+* Use reusuable release workflow in sigstore/sigstore (https://github.com/sigstore/rekor/pull/729)
+* Fix copy/paste mistake in repo name. (https://github.com/sigstore/rekor/pull/730)
+* Bump github.com/spf13/cobra from 1.3.0 to 1.4.0 (https://github.com/sigstore/rekor/pull/728)
+* Bump golang from `ca70980` to `c7c9458` (https://github.com/sigstore/rekor/pull/722)
+* Bump google.golang.org/grpc from 1.44.0 to 1.45.0 (https://github.com/sigstore/rekor/pull/723)
+* Add sharding e2e test to Github Actions (https://github.com/sigstore/rekor/pull/714)
+* Bump github.com/go-playground/validator/v10 from 10.10.0 to 10.10.1 (https://github.com/sigstore/rekor/pull/717)
+* Bump github/codeql-action from 1.1.3 to 1.1.4 (https://github.com/sigstore/rekor/pull/716)
+* Add trillian container to existing release. (https://github.com/sigstore/rekor/pull/715)
+* Bump golang from `0168c35` to `ca70980` (https://github.com/sigstore/rekor/pull/707)
+* Mirror signed release images from GCR to GHCR as part of release (https://github.com/sigstore/rekor/pull/701)
+* Bump anchore/sbom-action from 0.6.0 to 0.7.0 (https://github.com/sigstore/rekor/pull/709)
+* Bump github.com/go-openapi/runtime from 0.23.1 to 0.23.2 (https://github.com/sigstore/rekor/pull/710)
+* Bump sigstore/cosign-installer from 2.0.1 to 2.1.0 (https://github.com/sigstore/rekor/pull/708)
+* Generate release yaml artifact. (https://github.com/sigstore/rekor/pull/702)
+* Bump actions/upload-artifact from 2.3.1 to 3 (https://github.com/sigstore/rekor/pull/704)
+* Go update to 1.17.8 and cosign to 1.6.0 (https://github.com/sigstore/rekor/pull/705)
+* Consistent parenthesis use in Makefile (https://github.com/sigstore/rekor/pull/700)
+* add code coverage to pull request. (https://github.com/sigstore/rekor/pull/676)
+* Bump actions/checkout from 2.4.0 to 3 (https://github.com/sigstore/rekor/pull/698)
+* Bump goreleaser/goreleaser-action from 2.9.0 to 2.9.1 (https://github.com/sigstore/rekor/pull/696)
+* Bump actions/setup-go from 2.2.0 to 3.0.0 (https://github.com/sigstore/rekor/pull/694)
+* Bump github.com/secure-systems-lab/go-securesystemslib (https://github.com/sigstore/rekor/pull/695)
+* Bump golangci/golangci-lint-action from 3.0.0 to 3.1.0 (https://github.com/sigstore/rekor/pull/693)
+* Bump goreleaser/goreleaser-action from 2.8.1 to 2.9.0 (https://github.com/sigstore/rekor/pull/692)
+* Bump golangci/golangci-lint-action from 2.5.2 to 3 (https://github.com/sigstore/rekor/pull/691)
+* Bump github/codeql-action from 1.1.2 to 1.1.3 (https://github.com/sigstore/rekor/pull/690)
+* Bump github.com/go-openapi/runtime from 0.23.0 to 0.23.1 (https://github.com/sigstore/rekor/pull/689)
+* explicitly set permissions for github actions (https://github.com/sigstore/rekor/pull/687)
+* Bump sigstore/cosign-installer from 2.0.0 to 2.0.1 (https://github.com/sigstore/rekor/pull/686)
+* Bump ossf/scorecard-action from 1.0.3 to 1.0.4 (https://github.com/sigstore/rekor/pull/683)
+* Bump github/codeql-action from 1.1.0 to 1.1.2 (https://github.com/sigstore/rekor/pull/682)
+* Bump actions/github-script from 5.1.0 to 6 (https://github.com/sigstore/rekor/pull/669)
+* Bump github/codeql-action from 1.0.32 to 1.1.0 (https://github.com/sigstore/rekor/pull/668)
+* update cross-build and dockerfile to use go 1.17.7 (https://github.com/sigstore/rekor/pull/666)
+* Bump gopkg.in/ini.v1 from 1.66.3 to 1.66.4 (https://github.com/sigstore/rekor/pull/664)
+* Bump actions/setup-go from 2.1.5 to 2.2.0 (https://github.com/sigstore/rekor/pull/663)
+* Bump golang from `301609e` to `fff998d` (https://github.com/sigstore/rekor/pull/662)
+* use upstream k8s version lib (https://github.com/sigstore/rekor/pull/657)
+* Bump github/codeql-action from 1.0.31 to 1.0.32 (https://github.com/sigstore/rekor/pull/659)
+* Bump go.uber.org/zap from 1.20.0 to 1.21.0 (https://github.com/sigstore/rekor/pull/660)
+* Bump github.com/go-openapi/strfmt from 0.21.1 to 0.21.2 (https://github.com/sigstore/rekor/pull/656)
+* Bump github.com/go-openapi/runtime from 0.22.0 to 0.23.0 (https://github.com/sigstore/rekor/pull/655)
+* Update the warning text for the GA release. (https://github.com/sigstore/rekor/pull/654)
+* attempting to fix codeowners file (https://github.com/sigstore/rekor/pull/653)
+* update release job (https://github.com/sigstore/rekor/pull/651)
+* Bump google-github-actions/auth from 0.5.0 to 0.6.0 (https://github.com/sigstore/rekor/pull/652)
 
 ## Contributors
 

From 85e60c54da3afb3c1ecdf2b42184afe8199e3fb2 Mon Sep 17 00:00:00 2001
From: Bob Callaway <bobcallaway@users.noreply.github.com>
Date: Mon, 20 Jun 2022 05:12:26 -0500
Subject: [PATCH 4/4] collect docker-compose logs if sharding tests fail, also
 trim IDs (#869)

* collect docker-compose logs if sharding tests fail, also trim IDs

Signed-off-by: Bob Callaway <bcallaway@google.com>

* s/TRAP/trap, test failure case

Signed-off-by: Bob Callaway <bcallaway@google.com>

* fix left padding, rename log uploads, remove failure test

Co-authored-by: Bob Callaway <bcallaway@google.com>
Co-authored-by: Fredrik Skogman <kommendorkapten@github.com>

* add missing negation

Signed-off-by: Bob Callaway <bcallaway@google.com>

* fix return code logic

Signed-off-by: Bob Callaway <bcallaway@google.com>

Co-authored-by: Fredrik Skogman <kommendorkapten@github.com>
---
 .github/workflows/main.yml |  4 ++--
 tests/sharding-e2e-test.sh | 23 +++++++++++++++++++----
 2 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 4efa8b533..3ea851f1c 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -86,7 +86,7 @@ jobs:
         uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3
         if: failure()
         with:
-          name: Docker Compose logs
+          name: E2E Docker Compose logs
           path: /tmp/docker-compose.log
 
   sharding-e2e:
@@ -110,5 +110,5 @@ jobs:
         uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3
         if: failure()
         with:
-          name: Docker Compose logs
+          name: Sharding E2E Docker Compose logs
           path: /tmp/docker-compose.log
diff --git a/tests/sharding-e2e-test.sh b/tests/sharding-e2e-test.sh
index dc1164d29..bcdb3c375 100755
--- a/tests/sharding-e2e-test.sh
+++ b/tests/sharding-e2e-test.sh
@@ -81,6 +81,21 @@ function waitForRekorServer () {
   echo
 }
 
+function collectLogsOnFailure () {
+    if [[ "$1" -ne "0" ]]; then
+        echo "failure detected, collecting docker-compose logs"
+        docker-compose logs --no-color > /tmp/docker-compose.log
+        exit $1
+    elif docker-compose logs --no-color | grep -q "panic: runtime error:" ; then
+        # if we're here, we found a panic
+        echo "failing due to panics detected in logs"
+        docker-compose logs --no-color > /tmp/docker-compose.log
+        exit 1
+    fi
+    exit 0
+}
+trap "collectLogsOnFailure $?" EXIT
+
 echo "Waiting for rekor server to come up..."
 waitForRekorServer
 
@@ -231,11 +246,11 @@ echo "Testing /api/v1/log/entries/retrieve endpoint..."
 UUID1=$($REKOR_CLI get --log-index 0 --rekor_server http://localhost:3000 --format json | jq -r .UUID)
 UUID2=$($REKOR_CLI get --log-index 3 --rekor_server http://localhost:3000 --format json | jq -r .UUID)
 
-HEX_INITIAL_TREE_ID=$(printf "%x" $INITIAL_TREE_ID | awk '{printf "%016s", $0}')
-HEX_INITIAL_SHARD_ID=$(printf "%x" $SHARD_TREE_ID | awk '{printf "%016s", $0}')
+HEX_INITIAL_TREE_ID=$(printf "%x" $INITIAL_TREE_ID | awk '{ for(c = 0; c < 16 ; c++) s = s"0"; s = s$1; print substr(s, 1 + length(s) - 16);}')
+HEX_INITIAL_SHARD_ID=$(printf "%x" $SHARD_TREE_ID | awk '{ for(c = 0; c < 16 ; c++) s = s"0"; s = s$1; print substr(s, 1 + length(s) - 16);}')
 
-ENTRY_ID_1=$HEX_INITIAL_TREE_ID$UUID1
-ENTRY_ID_2=$HEX_INITIAL_SHARD_ID$UUID2
+ENTRY_ID_1=$(echo -n "$HEX_INITIAL_TREE_ID$UUID1" | xargs echo -n)
+ENTRY_ID_2=$(echo -n "$HEX_INITIAL_SHARD_ID$UUID2" | xargs echo -n)
 
 # -f makes sure we exit on failure
 NUM_ELEMENTS=$(curl -f http://localhost:3000/api/v1/log/entries/retrieve -H "Content-Type: application/json" -H "Accept: application/json" -d "{ \"entryUUIDs\": [\"$ENTRY_ID_1\", \"$ENTRY_ID_2\"]}" | jq '. | length')