fix #743 multiple file signing
fix #744 debsign support

Note: this is a combined PR since an interface without an implementation wasn't terribly useful.

Changes:

Implement support for signing multiple files #743

• Add optional files field to the signature request format in 570472e
• Add optional signed_files field to the signature response format in 2a964b8
• Add a named file format with docs and an example:

[
    {
        "content": "UEsDBBQACAAIAAAAAAAAAAAAAAAAAAAAAAATAAAAQW5kcm9pZE1hbmlmZXN0LnhtbKSYS2ybx7XHf0PqbVmW4...BwAACigAAAAA",
        "name": "sphinx_1.7.2-1.dsc"
    },
    {
        "content": "UEsDBBQACAAIAAAAAAAAAAAAAAAAAAAAAAATAAAAQW5kcm9pZE1hbmlmZXN0LnhtbKSYS2ybx7XHf0PqbVmW4...BwAACigAAAAA",
        "name": "sphinx_1.7.2-1.changes"
    }
]

This adds the name field to the proposal in #743, because debsign needs the file extension. Restrictions on the name field and number of files is documented here and aim to limit the potential for path/directory traversal and DoS.

Signers that shell out have to decide how to map the named files to arguments. It doesn't provide a way to group or partition args for commands that take multiple variable args e.g. cmd --json-inputs a.json b.json c.json ... --csv-input d.csv e.csv ..., but our two immediate use cases don't require that flexibility.

• Add a new signer interface:

// MultipleFileSigner is an interface to a signer that signs multiple
// files in one signing operation
type MultipleFileSigner interface {
	SignFiles(files []NamedUnsignedFile, options interface{}) ([]NamedSignedFile, error)
	GetDefaultOptions() interface{}
}

where NamedUnsignedFile and NamedSignedFile encode the signing operation in types to prevent misuse and are both aliased to the marshaled version of the named file format:

type namedFile struct {
	Name  string
	Bytes []byte
}

• wire the new signing interface to /sign/files as originally proposed
• compute and log input and output SHA2 hashes for each input and output file as in the original proposal

Add a debsign mode to the gpg2 signer #744

• implemented as a new debsign signing mode that:
  • creates a tmp dir on signer init / autograph boot; loads the keys; writes a gpg.conf file (because we can't pass args to gpg2 via debsign); is cleaned up in the at exit handler
  • reuses the existing global gpg lock, because debsign calls gpg or gpg2
  • only supports /sign/files for end users (/sign/data will on sign the hardcoded monitoring input)
  • does not accept files with the .commands extension. debsign accepts .commandsfiles, but [we don't use them](https://github.com/mozilla-services/autograph/issues/744#issuecomment-933661284) and it appears to support runningrm` and other commands, which we'd like to avoid.
• to avoid a breaking config change, existing gpg signers will use the current gpg2 mode when one is not provided
• for each request it writes input files to a separate temp dir; calls debsign on them; write the gpg passphrase to stdin repeatedly (keeping it off disk as before); reads the clear signed input files; deletes the temp dir

Other changes

• gpg2 signer
  • add mode to the signer keyring temp dir name
  • add --no-options and --homedir set to the keyring temp dir to key load and detach sign gpg commands and run them from keyring temp dir to avoid creating and using /app/.gnupg for gpg home
• install autograph-client into /go/bin in f872ea0
• add a gpg-test-clean make target in f872ea0
• change the handlers bad request test to run in parallel and check for 400 responses and not just != 201
• teach tools/autograph-client about multiple input files and add the -outfilesprefix option