Doc cleanup (#640)

The docs were out of date in a number of places, and information about
dev setup was duplicated. Changes:

* config/DEVELOPMENT - Deleted, information was already in
  ca-kms-support
* config/README - Out of date, Scaffolding should be used
* docs/ctlog - Moved detail on test secret setup from DEVELOPMENT
* docs/developer - Deleted, didn't add anything
* docs/hsm-support - Removed duplicate info about setting up GCP CA
  Service, made the focus of the doc about HSM
* docs/security-model - Removed extraneous info about timestamping and
  transparency logs, Fulcio isn't the right place. Left a little bit of
  detail still. This doc needs some revision and will likely be
  superseded by a threat model doc.
* docs/setup - Small additions from DEVELOPMENT added

Misc:
* Add back gcloud into docker-compose
* Remove SPIFFE provider from test config

Signed-off-by: Hayden Blauzvern <[email protected]>

Author: haydentherapper

config/DEVELOPMENT.md

@@ -16,11 +16,6 @@
       "IssuerClaim": "$.federated_claims.connector_id",
       "Type": "email"
     },
-    "https://oidc.dlorenc.dev": {
-      "IssuerURL": "https://oidc.dlorenc.dev",
-      "ClientID": "sigstore",
-      "Type": "spiffe"
-    },
     "https://token.actions.githubusercontent.com": {
               "IssuerURL": "https://token.actions.githubusercontent.com",
               "ClientID": "sigstore",

config/README.md

@@ -36,6 +36,7 @@ services:
       - "5554:5554"
       - "2112:2112"
     volumes:
+      - ~/.config/gcloud:/root/.config/gcloud/:z # for GCP authentication
       - ./config/config.jsn:/etc/fulcio-config/config.json:z
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:5555/ping"]

config/config.jsn

@@ -101,3 +101,15 @@ We will create new log shards each year. The log's name will be the year. Curren
 at `https://ctfe.sigstore.dev/test`. After sharding the log, the log will be accessible at
 `https://ctfe.sigstore.dev/2022`. We can use the same signing key for each year's shard, so that we don't
 need to distribute a new key each year in the TUF metadata.
+
+## Test secrets
+
+There are test secrets in `ctfe` for **DEVELOPMENT ONLY**.
+They were generated with:
+
+```shell
+openssl ec -in <(openssl ecparam -genkey -name prime256v1) -out privkey.pem -des
+openssl ec -in privkey.pem -pubout -out pubkey.pem
+```
+
+The password is `foobar` and is stored in the `ct_server.cfg` file.