slsa-framework / slsa-github-generator

Language-agnostic SLSA provenance generation for Github Actions
Apache License 2.0
399 stars, 126 forks

[feature] use search.sigstore.dev as an additional output of the provenance generation #1879

Closed. developer-guy closed this 1 year ago

developer-guy commented 1 year ago

Is your feature request related to a problem? Please describe. This is a feature and not related to a problem.

Describe the solution you'd like Based on the recent news^1 that Chainguard contributed the Rekor Search UI project to Sigstore, we might reconsider using this address in one of the outputs about uploading provenance to Rekor.

This site is now served under: search.sigstore.dev

As of today, slsa-github-generator outputs the following message once it has generated provenance:

Uploaded signed attestation to rekor with UUID 24296fb24b8ad77ad7d75dd8666c9c2d015ef7b498511222851da95142c808257ca7986691f9f38f.

From the perspective of an end user who might not know how to search for this UUID in the transparency log, I thought we could give information about the next step of using this UUID; for example, we could add an informative message like this:

You can use rekor-cli to see the log entry details:

$ rekor-cli get --uuid 24296fb24b8ad77ad7d75dd8666c9c2d015ef7b498511222851da95142c808257ca7986691f9f38f

OR

You can use search.sigstore.dev to see the log entry details:

https://search.sigstore.dev/?uuid=24296fb24b8ad77ad7d75dd8666c9c2d015ef7b498511222851da95142c808257ca7986691f9f38f

Similar to this issue in Tekton Chains: https://github.com/tektoncd/chains/issues/576
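The hint block proposed above, as an added shell example that is not part of slsa-github-generator or the issue author's code: it validates the UUID as 80 hex characters (16-character tree ID plus the 64-character SHA-256 entry hash) before interpolating it into a command or URL, and makes the Rekor server configurable, since search.sigstore.dev is assumed here to front only the public rekor.sigstore.dev instance. REKOR_SERVER, REKOR_SEARCH_UI, is_rekor_uuid and rekor_hints are names chosen for this example; --rekor_server is an existing rekor-cli flag. The sample UUID is the one from the issue text.

```shell
#!/bin/sh
# Added example (not slsa-github-generator code): given the Rekor UUID the
# generator prints, validate it and emit the follow-up hints proposed in the
# issue. Names below are assumptions chosen for this example.
set -eu

# Assumed defaults: the public Rekor instance and its search UI. Override
# REKOR_SERVER for a private Rekor deployment; the public search UI will not
# know entries from a private log.
REKOR_SERVER="${REKOR_SERVER:-https://rekor.sigstore.dev}"
REKOR_SEARCH_UI="${REKOR_SEARCH_UI:-https://search.sigstore.dev}"

# A Rekor entry UUID is 80 lowercase hex characters: a 16-char tree ID
# followed by the 64-char SHA-256 entry hash. Reject anything else before it
# is interpolated into a command line or a URL.
is_rekor_uuid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{80}$'
}

# Print the hint block for a validated UUID. Returns 1 (and prints to stderr)
# when the UUID is malformed, so callers never emit a bogus command or URL.
rekor_hints() {
  uuid="$1"
  if ! is_rekor_uuid "$uuid"; then
    echo "invalid Rekor UUID: $uuid" >&2
    return 1
  fi
  cat <<EOF
You can use rekor-cli to see the log entry details:

  rekor-cli get --uuid ${uuid} --rekor_server ${REKOR_SERVER}

OR

You can use ${REKOR_SEARCH_UI} to see the log entry details:

  ${REKOR_SEARCH_UI}/?uuid=${uuid}
EOF
}

# Constructed sample input: the UUID quoted in the issue.
SAMPLE_UUID="24296fb24b8ad77ad7d75dd8666c9c2d015ef7b498511222851da95142c808257ca7986691f9f38f"

# Usage (stand-alone run): print the hints for the sample UUID.
rekor_hints "$SAMPLE_UUID"
```

A malformed value such as a path fragment or an uppercase/short string is rejected rather than echoed into the log, which matters because the message is copied verbatim by users into their shell.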

ianlewis commented 1 year ago

@developer-guy Just to be clear, would simply outputting a more informative log message as you described here solve this? or is there some other functionality that's required?

developer-guy commented 1 year ago

Yes just outputting a more informative log message would solve this issue ☝️

ianlewis commented 1 year ago

Yes just outputting a more informative log message would solve this issue ☝️

SG. Would be happy to look at a PR for this as well! :)