Add index to hashed intoto envelope

[asraa]

Signed-off-by: Asra Ali asraa@google.com

Summary

Ticket Link

Related #646

This allows searching for a rekor entry by the signed envelope hash. E.g. if a user has provenance.intoto.jsonl, then currently we can't search for that provenance unless we take the hash of the payload or Subject.Digest's. This way cosign will also verify-blob the hard way by searching for the artifact file hash.

The hash is the same as the hash in the rekor entry:

"Body": {
    "IntotoObj": {
      "content": {
        "hash": {
          "algorithm": "sha256",
          "value": "d05ff19cea34cd451c0a3133dc44d933e706fa00a910192f28b8dbe43d373020"
        }
      },
      "publicKey": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURQRENDQXNHZ0F3SUJBZ0lUSWl6UUNLQmJGODNkU2YvYjhEdklVWUhsZ2pBS0JnZ3Foa2pPUFFRREF6QXEKTVJVd0V3WURWUVFLRXd4emFXZHpkRzl5WlM1a1pYWXhFVEFQQmdOVkJBTVRDSE5wWjNOMGIzSmxNQjRYRFRJeQpNRFF3TkRFMU1qVXdNVm9YRFRJeU1EUXdOREUxTXpVd01Gb3dBREJaTUJNR0J5cUdTTTQ5QWdFR0NDcUdTTTQ5CkF3RUhBMElBQkJTbHNOVWZDcmtKZGh3U3lnOWc3T3c4dStpSEx5L1hFNXpCbTl2czVSZmlkbk53UGg2dVlHeUUKeDdOa2V2UVZIZHJNR0lnYzFsd2NDeFZxN3c1UDllK2pnZ0h1TUlJQjZqQU9CZ05WSFE4QkFmOEVCQU1DQjRBdwpFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUhBd013REFZRFZSMFRBUUgvQkFJd0FEQWRCZ05WSFE0RUZnUVVlalJiCmRvbXZteTZSbEMyK0IreXdpbmlPTHpVd0h3WURWUjBqQkJnd0ZvQVVXTUFlWDVGRnBXYXBlc3lRb1pNaTBDckYKeGZvd2RnWURWUjBSQVFIL0JHd3dhb1pvYUhSMGNITTZMeTluYVhSb2RXSXVZMjl0TDNOc2MyRXRabkpoYldWMwpiM0pyTDNOc2MyRXRaMmwwYUhWaUxXZGxibVZ5WVhSdmNpMW5ieTh1WjJsMGFIVmlMM2R2Y210bWJHOTNjeTlpCmRXbHNaR1Z5TG5sdGJFQnlaV1p6TDJobFlXUnpMMjFoYVc0d0h3WUtLd1lCQkFHRHZ6QUJBZ1FSZDI5eWEyWnMKYjNkZlpHbHpjR0YwWTJnd0xnWUtLd1lCQkFHRHZ6QUJCUVFnYkdGMWNtVnVkSE5wYlc5dUwzTnNjMkV0YjI0dApaMmwwYUhWaUxYUmxjM1F3R2dZS0t3WUJCQUdEdnpBQkJBUU1VMHhUUVNCU1pXeGxZWE5sTURrR0Npc0dBUVFCCmc3OHdBUUVFSzJoMGRIQnpPaTh2ZEc5clpXNHVZV04wYVc5dWN5NW5hWFJvZFdKMWMyVnlZMjl1ZEdWdWRDNWoKYjIwd05nWUtLd1lCQkFHRHZ6QUJBd1FvWkRObVpEazBPREpsTmpoa01qYzJaVFk1WXpCaE9HSXpaamRsWVdGaQpZak5pT1dVMU5qWTVOVEFkQmdvckJnRUVBWU8vTUFFR0JBOXlaV1p6TDJobFlXUnpMMjFoYVc0d0NnWUlLb1pJCnpqMEVBd01EYVFBd1pnSXhBSndFd0lTUk1FOW10SjAzamR6ZUFMYUdaUmNSckJmaTU4bUVFNHlCaXAvSkFPTGMKd1lPamQ0a09YNjJ4ejJqaXh3SXhBSUVEWGxsTFhhY3BZSFF6eWJzQU9IUTlkblFLWDFUdlJOZkZLN1lIM2ZxVgo0TEpQazloQUJ5Qkh1dE1KVGFJb3N3PT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo="
    }

Release Note

[codecov-commenter]

Codecov Report

Merging #761 (de65048) into main (3de8b60) will decrease coverage by 0.10%.
The diff coverage is 37.50%.

@@            Coverage Diff             @@
##             main     #761      +/-   ##
==========================================
- Coverage   49.15%   49.04%   -0.11%     
==========================================
  Files          61       61              
  Lines        5566     5574       +8     
==========================================
- Hits         2736     2734       -2     
- Misses       2536     2545       +9     
- Partials      294      295       +1     

Impacted Files	Coverage Δ
pkg/types/intoto/v0.0.1/entry.go	35.51% <37.50%> (+0.09%)	⬆️
pkg/types/helm/v0.0.1/entry.go	52.41% <0.00%> (-1.21%)	⬇️
pkg/types/alpine/v0.0.1/entry.go	61.24% <0.00%> (-0.78%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 3de8b60...de65048. Read the comment docs.