sigstore / cosign

Code signing and transparency for containers and binaries
Apache License 2.0
4.51k stars 547 forks source link

sign: Include rekor entry ID in output #3805

Open stephen-fox opened 3 months ago

stephen-fox commented 3 months ago

Summary

cosign's sign* commands currently output a signature's transparency log index number (as of v2.2.4). As an enhancement, it would be helpful if cosign also output the rekor entry ID.

Details

rekor entries can be searched using an index number. However, the index number does not include the log tree (or "shard") ID. These identifiers are created by rekor log sharding.

The rekor entry ID consists of the shard ID and an entry-specific UUID (the latter appears to be the hash of the Merkle tree leaf). Knowing the entry ID allows end users to determine which shard the entry exists in.

It would be helpful to include it in cosign's output for informational and historical purposes.

A quick note on terminology

For those unfamiliar, the use of the term entry ID appears to be relatively recent. The original value was referred to as a "UUID". The rekor-cli still refers to the entry ID as a UUID. The following GitHub issues and pull requests provide some context for this change.

haydentherapper commented 3 months ago

SGTM, would you like to make the change?