support signing and returning multiple files in a signing request

[g-k]

Blocks #742 #744

Possible implementation:

1. add a POST /sign/files endpoint with request format accepting an array of base64 encoded files (like /sign/file):

POST /sign/files
Host: autograph.example.net
Content-type: application/json
Authorization: Hawk id="alice", mac="756lSgQEYLoc6V0Uv2wS8pRg/h+4WFUVKWQynCFvY8Y=", ts="1524487134", nonce="MrpGL35q", hash="9m3WhtGQDuHermi5fDYBGJlOqNeK5B3nk0lKreZ+YSw=", ext="933126753"

[
    {
      "inputs": [
           "UEsDBBQACAAIAAAAAAAAAAAAAAAAAAAAAAATAAAAQW5kcm9pZE1hbmlmZXN0LnhtbKSYS2ybx7XHf0PqbVmW4...BwAACigAAAAA",
           "UEsDBBQACAAIAAAAAAAAAAAAAAAAAAAAAAATAAAAQW5kcm9pZE1hbmlmZXN0LnhtbKSYS2ybx7XHf0PqbVmW4...BwAACigAAAAA",
           ...
     ],
      "keyid":"testapp-android-v3",
      "options":null
    }
]

2. add a new interface with a new method .SignFiles() that accepts a slice of input files and returns a slice of signed files (instead of single values):

type MultipleFileSigner {
  SignFiles(files [][]byte, options interface{}) ([]SignedFile, error)
  GetDefaultOptions() interface{}
} 

3. return responses with an array of dicts of signed filename to base64 file contents:

[
  {
    "ref": "1p21kj11od4no13o1xepn22mkc",
    "type": "debsign",
    "mode": "???",
    "signer_id": "debsign1",
    "public_key": "MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE7oM/ewOhz6qtHyQhqJvT3SiefGPWqGwEUAZGVkuSIwvteVKrd8jnAjHYyCaYpIg9Vo10WnhXvm96L3KAbOE6Cyu3fMtKhZZIMf+Qqes9+66ae/NTeIWlDiGrjNeD+ClM",
    "signed_files": [
           {"filename": "foo_signed.sig", "base64_content":  "Niffk674SNKzQaq23z2sv7xkU_IEgrPc8_tEFGw0bYXlNJDpAPe7hEaipyg-wY10_XUzkoRphtYVIAa70Hw22EkWfSGAdzosEYyxsDai52PG088KqasP_nd_byiiqIAz"},
           {"filename": "bar_signed.sig", "base64_content":  "Niffk674SNKzQaq23z2sv7xkU_IEgrPc8_tEFGw0bYXlNJDpAPe7hEaipyg-wY10_XUzkoRphtYVIAa70Hw22EkWfSGAdzosEYyxsDai52PG088KqasP_nd_byiiqIAz"},
           ...
     ]
  }
]

We'd update logs to include the input and output hashes of each file, and monitoring would ignore the multifile responses (like the apk2 signer; pending #622).

Alternative options:

• require clients to pack the files beforehand (e.g. as a tarball) then unpack them on the server side and repack them
• accept files in a different encoding server and client support alternate encodings #276 (this could also make Return serial number of the signed certificate #214 easier too)

see also: https://mozilla-hub.atlassian.net/browse/ITSEC-105 about the possibility of switching to one signing request per http request (simplifies including http response codes in the application layer for #318 too)

[g-k]

f? @ajvb @kkleemola on server implementation

f? @bhearsum on client implementation preferences

[bhearsum]

I'm happy with the proposed /sign/files interface. Implementing support for it in signingscript is probably a bit more work due to one-file-per-request being assumed in a few places there, but I don't think it's a ton of work to change that.

@escapewindow may have thoughts too.

[escapewindow]

+1, I think we can figure it out on the signingscript side.