Include the version in the log URL #65

Open
mhutchinson opened this issue Dec 13, 2023 · 3 comments

Comments

@mhutchinson

Our log origin contains a version (in CI, this is 0), but we don't have this version in the log URL. Should we ever need to rotate the log for any reason, this doesn't give us an easy evolution. We would need to create a new GCS bucket. Proposals (choose 1):

  1. create a version number at the root of the GCS bucket
  2. include the version number in the name of the GCS bucket

```
curl https://storage.googleapis.com/armored-witness-firmware-log-ci/checkpoint
transparency.dev/armored-witness/firmware_transparency/ci/0
23
XUsNU4iI/vTPiR46SXY/+3WyNMRrSiuG3NRjY29psk8=

— transparency.dev-aw-ftlog-ci 9UecHr5B7ID03aEUTSXEm1vc+l4gSYMsc17q5M2LuKIh9FA5bR7o/LgcVoRDf3iUSbu38Et9SVjao5kdeMHMbhvKVQw=
```

@jiggoha

jiggoha commented Dec 14, 2023

Updating from our meeting today:

  • We need to rotate the CI log right now because there are manifests that are not reproducible.
  • This is a good opportunity to add the version in the bucket name. We decided that logs will be 1:1 with buckets (for isolation). They also need to be 1:1 with signing keys and 1:1 with the artifacts bucket.
  • The first log should be named something like armored-witness-firmware-log-ci-1, because logs will also be 1:1 with KMS key versions. Key versions start at 1, so let's start the log index and artifacts bucket index on 1.

@jiggoha

jiggoha commented Jan 2, 2024

The new buckets/logs are now being used after transparency-dev/armored-witness-applet#185 and related PRs. I think the last outstanding thing is to remove the old buckets? I still see these in Pantheon:

  • armored-witness-firmware
  • armored-witness-firmware-ci
  • armored-witness-firmware-log
  • armored-witness-firmware-log-ci

The new ones are:

  • armored-witness-firmware-1
  • armored-witness-firmware-ci-1
  • armored-witness-firmware-log-1
  • armored-witness-firmware-log-ci-1

@mhutchinson

@jiggoha anything left to do here? I think we can clean this up :-)
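
As an added example (not code from this project or from the commenters), the Go code below checks that the version index at the end of a log URL's bucket name matches the version at the end of the checkpoint's origin line, which is the mismatch this issue describes. That the two numbers should be equal is an assumption drawn from the naming decision in the thread; the function names are hypothetical, and the checkpoint signature is not verified here.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// Checkpoint body quoted in the issue: origin line, tree size, root hash.
const oldCheckpoint = "transparency.dev/armored-witness/firmware_transparency/ci/0\n23\nXUsNU4iI/vTPiR46SXY/+3WyNMRrSiuG3NRjY29psk8=\n"

// OriginVersion returns the final path element of the checkpoint's origin line.
func OriginVersion(checkpoint string) (int, error) {
	origin, _, _ := strings.Cut(checkpoint, "\n")
	return strconv.Atoi(origin[strings.LastIndex(origin, "/")+1:])
}

// BucketVersion returns the trailing -N of the bucket in a storage.googleapis.com/<bucket>/... URL.
func BucketVersion(logURL string) (int, error) {
	u, err := url.Parse(logURL)
	if err != nil {
		return 0, err
	}
	bucket, _, _ := strings.Cut(strings.TrimPrefix(u.Path, "/"), "/")
	v, err := strconv.Atoi(bucket[strings.LastIndex(bucket, "-")+1:])
	if err != nil {
		return 0, fmt.Errorf("bucket %q has no version suffix", bucket)
	}
	return v, nil
}

// CheckLogVersion errors unless the bucket index equals the origin version.
// Assumption: the rotated logs keep these two numbers identical.
func CheckLogVersion(logURL, checkpoint string) error {
	bv, berr := BucketVersion(logURL)
	ov, oerr := OriginVersion(checkpoint)
	if berr != nil || oerr != nil {
		return fmt.Errorf("bucket: %v, origin: %v", berr, oerr)
	}
	if bv != ov {
		return fmt.Errorf("bucket version %d does not match origin version %d", bv, ov)
	}
	return nil
}

func main() {
	fmt.Println(CheckLogVersion("https://storage.googleapis.com/armored-witness-firmware-log-ci/checkpoint", oldCheckpoint))
}
```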
