fix: fix blob verification output with sharded rekor tlogs

[asraa]

Signed-off-by: Asra Ali [email protected]

Summary

See sigstore/sigstore-python#184 (comment)

When verifying blobs that were placed on sharded rekor instances (staging), the blob verification outputs the local log-index.

For e.g.

$ SIGSTORE_REKOR_PUBLIC_KEY=rekor.staging.pub COSIGN_EXPERIMENTAL=1 ./cosign verify-blob --signature python.sig --cert python-cert.pem --rekor-url https://rekor.sigstage.dev python-readme.md 
used alt pubkey
tlog entry verified with uuid: 3b5007afc2bb375d4078ad93e72537c9c3e8e1a21556d716cac7ee06b544950c index: 71
Verified OK

This corresponds to log index 532.

$ ./rekor get --uuid 3b5007afc2bb375d4078ad93e72537c9c3e8e1a21556d716cac7ee06b544950c --rekor_server https://rekor.sigstage.dev --format json | jq -r '.LogIndex'
532

This is because InclusionProof returns the "local" log index.

Release Note

Documentation

[codecov-commenter]

Codecov Report

Merging #2157 (29f290b) into main (7d80bc0) will not change coverage.
The diff coverage is 0.00%.

@@           Coverage Diff           @@
##             main    #2157   +/-   ##
=======================================
  Coverage   26.23%   26.23%           
=======================================
  Files         130      130           
  Lines        7617     7617           
=======================================
  Hits         1998     1998           
  Misses       5362     5362           
  Partials      257      257           

Impacted Files	Coverage Δ
cmd/cosign/cli/verify/verify_blob.go	9.72% <0.00%> (ø)

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.