fix: make rekor verify work with sharded uuids (#970)

Signed-off-by: Asra Ali <asraa@google.com>

Signed-off-by: Asra Ali <asraa@google.com>

cmd/rekor-cli/app/verify.go

@@ -34,6 +34,7 @@ import (
 	"github.com/sigstore/rekor/pkg/generated/client/entries"
 	"github.com/sigstore/rekor/pkg/generated/models"
 	"github.com/sigstore/rekor/pkg/log"
+	"github.com/sigstore/rekor/pkg/sharding"
 	"github.com/sigstore/rekor/pkg/types"
 )
 
@@ -153,10 +154,17 @@ var verifyCmd = &cobra.Command{
 			}
 		}
 
-		if viper.IsSet("uuid") && (viper.GetString("uuid") != o.EntryUUID) {
-			return nil, fmt.Errorf("unexpected entry returned from rekor server")
+		if viper.IsSet("uuid") {
+			uuid, err := sharding.GetUUIDFromIDString(viper.GetString("uuid"))
+			if err != nil {
+				return nil, err
+			}
+			if uuid != o.EntryUUID {
+				return nil, fmt.Errorf("unexpected entry returned from rekor server")
+			}
 		}
 
+		// Note: the returned entry UUID is the UUID (not include the Tree ID)
 		leafHash, _ := hex.DecodeString(o.EntryUUID)
 		if !bytes.Equal(rfc6962.DefaultHasher.HashLeaf(entryBytes), leafHash) {
 			return nil, fmt.Errorf("computed leaf hash did not match entry UUID")

tests/sharding-e2e-test.sh

@@ -269,4 +269,14 @@ stringsMatch $NUM_ELEMENTS "2"
 RETRIEVE_LOGINDEX1=$(curl -f http://localhost:3000/api/v1/log/entries/retrieve -H "Content-Type: application/json" -H "Accept: application/json" -d "{ \"logIndexes\": [1]}" | jq '.[0]' | jq  -r .$UUID1.logIndex)
 stringsMatch $RETRIEVE_LOGINDEX1 "1"
 
+# Make sure that verification succeeds via UUID
+echo
+echo "Testing rekor-cli verification via UUID..."
+$REKOR_CLI verify --uuid $UUID1 --rekor_server http://localhost:3000
+
+# Make sure that verification succeeds via Entry ID (Tree ID in hex + UUID)
+echo
+echo "Testing rekor-cli verification via Entry ID..."
+DEBUG=1 $REKOR_CLI verify --uuid $ENTRY_ID_1 --rekor_server http://localhost:3000
+
 echo "Test passed successfully :)"