<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#31605
I manually scanned our inlined dependencies for vulnerabilities and did
not find any relevant ones.
I added a dummy directory pointing at the source of our inlined
dependencies so that automated vuln scanning tools can scan them. I did
not include Kolide since the code was heavily adapted and only included
a few tables.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Established infrastructure for automated vulnerability scanning of
inlined third-party dependencies in Go and JavaScript environments, with
comprehensive documentation and configuration to enable scanning via
standard tools.
* **Chores**
* Updated gitignore configuration to refine dependency file tracking
across the project.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Fixes#32393
httpsig-go library has encorporated the changes needed to support TPM,
so we are removing our local version of this library.
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
## fleetd/orbit/Fleet Desktop
- [x] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
For #30473
This change adds a vendored `httpsig-go` library to our repo. We cannot
use the upstream library because it has not merged the change we need:
https://github.com/remitly-oss/httpsig-go/pull/25
Thus, we need our own copy at this point.
The instructions for keeping this library up to date (if needed) are in
`UPDATE_INSTRUCTIONS`.
None of the coderabbitai review comments are relevant to the
code/features we are going to use for HTTP message signatures.
We will use this library in subsequent PRs for the TPM-backed HTTP
message signature feature.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Introduced a Go library for HTTP message signing and verification,
supporting multiple cryptographic algorithms (RSA, ECDSA, Ed25519,
HMAC).
* Added utilities for key management, including JWK and PEM key
handling.
* Provided HTTP client and server helpers for automatic request signing
and signature verification.
* Implemented structured error handling and metadata extraction for
signatures.
* **Documentation**
* Added comprehensive README, usage examples, and update instructions.
* Included license and configuration files for third-party and testing
tools.
* **Tests**
* Added extensive unit, integration, and fuzz tests covering signing,
verification, and key handling.
* Included official RFC test vectors and various test data files for
robust validation.
* **Chores**
* Integrated continuous integration workflows and ignore files for code
quality and security analysis.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
