Summary
cosign's sign* commands currently output a signature's transparency log index number (as of v2.2.4). As an enhancement, it would be helpful if cosign also output the rekor entry ID.
Details
rekor entries can be searched using an index number. However, the index number does not include the log tree (or "shard") ID. These identifiers are created by rekor log sharding.
The rekor entry ID consists of the shard ID and an entry-specific UUID (the latter appears to be the hash of the Merkle tree leaf). Knowing the entry ID allows end users to determine which shard the entry exists in.
It would be helpful to include it in cosign's output for informational and historical purposes.
A quick note on terminology
For those unfamiliar, the use of the term entry ID appears to be relatively recent. The original value was referred to as a "UUID". The rekor-cli still refers to the entry ID as a UUID. The following GitHub issues and pull requests provide some context for this change.
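The entry ID structure described in this issue (shard ID followed by an entry-specific UUID) can be split programmatically. The Go sketch below is an added example, not code from cosign or rekor; it assumes the entry ID is a hex string of 16 characters of tree ID followed by 64 characters of UUID, and the names `EntryID` and `ParseEntryID` and the sample value are made up for illustration.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// Assumed layout: 16 hex characters of tree (shard) ID followed by
// 64 hex characters of UUID (the size of a SHA-256 leaf hash).
const (
	treeIDHexLen = 16
	uuidHexLen   = 64
)

// EntryID holds the two parts of a rekor entry ID (hypothetical type).
type EntryID struct {
	TreeID    int64 // shard the entry lives in; 0 when HasTreeID is false
	HasTreeID bool  // false for a bare UUID, which names no shard
	UUID      string
}

// ParseEntryID accepts a full entry ID or a bare UUID and rejects anything
// that is not hex, has another length, or carries a zero/overflowing tree ID.
func ParseEntryID(s string) (EntryID, error) {
	s = strings.ToLower(strings.TrimSpace(s))
	if _, err := hex.DecodeString(s); err != nil {
		return EntryID{}, fmt.Errorf("not a hex string: %w", err)
	}
	switch len(s) {
	case uuidHexLen:
		return EntryID{UUID: s}, nil
	case treeIDHexLen + uuidHexLen:
		id, err := strconv.ParseInt(s[:treeIDHexLen], 16, 64)
		if err != nil || id <= 0 {
			return EntryID{}, fmt.Errorf("invalid tree ID %q", s[:treeIDHexLen])
		}
		return EntryID{TreeID: id, HasTreeID: true, UUID: s[treeIDHexLen:]}, nil
	default:
		return EntryID{}, fmt.Errorf("unexpected length %d", len(s))
	}
}

func main() {
	sample := "00000000075bcd15" + strings.Repeat("ab", 32) // constructed value
	e, err := ParseEntryID(sample)
	fmt.Println(e.TreeID, e.UUID, err)
}
```

A bare 64-character UUID parses with `HasTreeID` set to false, which is the case where the shard cannot be determined from the identifier alone.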