Adds a new rego builtin `attest.internals.reproducible_git_checksum`.
This is needed for verifying DOI provenance, see
https://github.com/docker/doi-image-policy/blob/main/slsa.md#doi-build-reproducible-git-checksum.
We use https://github.com/go-git/go-git for as much of this as possible,
but it doesn't support the actual archive operation, so we shell out to
`git` for that.
There is some similar unexported code in bashbrew, and we should
probably be using the same code in the build process as we are here.
I'll create a follow-up ticket to sort that out.
* build: Generate test data for unsigned and no provenance image indexes
* feat: Add function to build index without SBOM or provenance for linux/amd64 platform
* feat: add build_image function to build image without SBOM or provenance for linux/amd64
* feat: Rename NO_SBOM_NO_PROVENANCE_INDEX_DIR to UNSIGNED_IMAGE_DIR
* feat: support images in details resolvers
* feature!: support for setting HTTP User-Agent header
* fix lint
* fix e2e
* refactor: move http.go to internal/util/useragent package and rename functions to Get and Set
* Move packages and use attest version
* Single attestation when creating VSA
* Create single layer images for referrers attestations
* Move mock to test package. Add artifacts test
* Add test for envelope detection
* Add tests for image/index saving
* Add mirror tests
* Remove AttestationImage field from AttestationManifest
* Update naming. strictReferers != laxReferrers
* Add specific test for SaveReferrers
* Start of richer results from verification
* Pull out VSA code from signing
* Expose attestation signing fns
* Add VSA test
* Notes for policy result
* Require separate policy for VSA creation
* Load test signing key from tests
* Return rich object from policy
* Add result object schema and fix tests
* Ensure example test runs
* Remove data.yaml files from mock policies
* Don't run example - TUF policy isn't compatible
* Add attestation to manifests for all subjects
* Ensure adding attestation doesn't touch statements
* Don't export sign function
* Remove attestations from VerificationResult
* Change bool to Outcome enum in result
* Use outputLayout directly
* Make clearer that Outcome strings are for VSA
* Return multiple SLSA levels from policy
* Fix unmarshalling of policy-id (#39)
* Rename function
* Rename policy.VerificationResult -> policy.Result
* Re-add test for canonical input
---------
Co-authored-by: James Carnegie <james.carnegie@docker.com>
Co-authored-by: James Carnegie <kipz@users.noreply.github.com>
