Implement signature audit tooling #98
Open
Description
As suggested by Miloslav Trmač:
A set of audit tools should exist so one can clearly answer questions like:
- What artifacts did the server sign?
- What was the origin of the artifact?
- Who submitted that artifact to be signed?
Obviously the server, bridge, and client should produce high quality logs, but it might be useful to have the server and client produce SQLite databases with records of everything. The server can record everything it signs, when it signs it, the authenticated user, and what the request ID was (generated by the bridge and sent to both the server and client). The client (robosignatory) could record where it got the content from and all the interesting details about it.
An admin could then get those two databases together and a CLI tool could join up the data and look for oddities, produce reports, and whatnot.
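The join described above, as an added example that is not part of this issue or the project's own code: two SQLite databases with assumed schemas (a server-side `signatures` table keyed by the bridge's request ID, and a client-side `requests` table recording where robosignatory fetched each artifact from) are built from constructed sample rows, then attached and joined so each request lands in one of four buckets: consistent, signed without a client record, fetched but never signed, or digest changed between fetch and signing. Table layouts, column names, URLs and hashes are all assumptions chosen for illustration.

```python
"""Join a signing server's SQLite audit log with the client's fetch log.

Added example (not the project's own code): schemas, column names and sample
rows are assumptions that illustrate the audit flow described in the issue.
"""
import sqlite3
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumed server-side schema: one row per signing operation, keyed by the
# request ID the bridge generates and sends to both server and client.
SERVER_SCHEMA = """
CREATE TABLE signatures (
    request_id      TEXT PRIMARY KEY,
    signed_at       TEXT NOT NULL,
    submitter       TEXT NOT NULL,   -- authenticated user who asked for the signature
    key_name        TEXT NOT NULL,
    artifact_sha256 TEXT NOT NULL
);"""

# Assumed client-side (robosignatory) schema: where each artifact came from.
CLIENT_SCHEMA = """
CREATE TABLE requests (
    request_id      TEXT PRIMARY KEY,
    requested_at    TEXT NOT NULL,
    source_url      TEXT NOT NULL,
    artifact_name   TEXT NOT NULL,
    artifact_sha256 TEXT NOT NULL
);"""

# Constructed sample records, one per audit outcome (hashes are placeholders).
SERVER_ROWS = [
    ("req-001", "2024-05-01T10:00:00Z", "robosignatory", "release-key", "aaa111"),
    ("req-002", "2024-05-01T10:05:00Z", "robosignatory", "release-key", "bbb222"),
    ("req-003", "2024-05-01T10:10:00Z", "alice",         "release-key", "ccc333"),
]
CLIENT_ROWS = [
    ("req-001", "2024-05-01T09:59:58Z", "https://build.example/task/1", "foo.rpm", "aaa111"),
    ("req-002", "2024-05-01T10:04:57Z", "https://build.example/task/2", "bar.rpm", "bbb999"),
    ("req-004", "2024-05-01T10:15:00Z", "https://build.example/task/4", "baz.rpm", "ddd444"),
]

# Full outer join emulated with two LEFT JOINs so it also runs on SQLite < 3.39.
AUDIT_SQL = """
SELECT s.request_id AS request_id, 1 AS on_server,
       c.request_id IS NOT NULL AS on_client,
       s.submitter, s.key_name, s.signed_at, c.source_url, c.artifact_name,
       s.artifact_sha256 AS server_sha, c.artifact_sha256 AS client_sha
  FROM signatures AS s
  LEFT JOIN client.requests AS c ON c.request_id = s.request_id
UNION ALL
SELECT c.request_id, 0, 1, NULL, NULL, NULL, c.source_url, c.artifact_name,
       NULL, c.artifact_sha256
  FROM client.requests AS c
  LEFT JOIN signatures AS s ON s.request_id = c.request_id
 WHERE s.request_id IS NULL
ORDER BY request_id"""


def build_db(path: Path, schema: str, table: str, rows) -> None:
    """Create one audit database file from constructed rows."""
    conn = sqlite3.connect(path)
    conn.executescript(schema)
    placeholders = ",".join("?" * len(rows[0]))
    conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    conn.commit()
    conn.close()


def audit(server_db: Path, client_db: Path) -> Dict[str, List[str]]:
    """Attach the client DB to the server DB, join on request ID, bucket by outcome."""
    findings: Dict[str, List[str]] = {
        "ok": [], "unrequested_signature": [], "unfulfilled_request": [],
        "digest_mismatch": []}
    conn = sqlite3.connect(server_db)
    conn.execute("ATTACH DATABASE ? AS client", (str(client_db),))
    for (rid, on_server, on_client, submitter, key, signed_at,
         url, name, server_sha, client_sha) in conn.execute(AUDIT_SQL):
        if not on_client:        # server signed something no client run asked for
            findings["unrequested_signature"].append(
                f"{rid}: {submitter} had {server_sha} signed with {key} at {signed_at}; "
                "no client fetch record")
        elif not on_server:      # client fetched something that was never signed
            findings["unfulfilled_request"].append(
                f"{rid}: client fetched {name} from {url}; server has no signature")
        elif server_sha != client_sha:   # content changed between fetch and signing
            findings["digest_mismatch"].append(
                f"{rid}: client fetched {client_sha} from {url}, server signed {server_sha}")
        else:
            findings["ok"].append(rid)
    conn.close()
    return findings


def run_demo() -> Dict[str, List[str]]:
    """Build both sample databases in a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        server_db, client_db = Path(tmp) / "server.db", Path(tmp) / "client.db"
        build_db(server_db, SERVER_SCHEMA, "signatures", SERVER_ROWS)
        build_db(client_db, CLIENT_SCHEMA, "requests", CLIENT_ROWS)
        return audit(server_db, client_db)


if __name__ == "__main__":
    for bucket, entries in run_demo().items():
        print(f"{bucket} ({len(entries)})")
        for entry in entries:
            print("  " + entry)
```

The request ID is what makes the join cheap: because the bridge hands the same ID to both sides, neither database has to trust the other's timestamps or filenames to pair records up, and the three non-`ok` buckets are exactly the questions in the issue (what was signed, where it came from, who asked) answered in the negative.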