Verify returned entry matches client inputs in rekor-cli verify

[bobcallaway]

When rekor-cli verify searches by artifact, the client now locally canonicalizes the proposed entry and confirms the server's response matches before reporting success.

For all lookup paths (uuid, log-index, artifact), the client now verifies the entry body's leaf hash matches the UUID in the response.

Previously the only binding between the user's local inputs and the verified entry was the server's honesty in answering the search query. The inclusion proof, checkpoint, and SET were all verified, but only against the server-returned body — never against the locally-derived expected entry. This adds client-side verification that closes that gap.

[codecov]

Codecov Report

❌ Patch coverage is 72.09302% with 12 lines in your changes missing coverage. Please review.
✅ Project coverage is 26.26%. Comparing base (488eb97) to head (50dbbe6).
⚠️ Report is 673 commits behind head on main.

Files with missing lines	Patch %	Lines
cmd/rekor-cli/app/verify.go	72.09%	6 Missing and 6 partials ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##             main    #2799       +/-   ##
===========================================
- Coverage   66.46%   26.26%   -40.20%     
===========================================
  Files          92      191       +99     
  Lines        9258    20163    +10905     
===========================================
- Hits         6153     5296      -857     
- Misses       2359    14033    +11674     
- Partials      746      834       +88     

Flag	Coverage Δ
e2etests	49.68% <46.51%> (+2.12%)	⬆️
unittests	16.81% <62.79%> (-30.87%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Hayden-IO]

This issue really makes me think we should be deprecating this client, or at the very least anything with verification. It’s not integrated into the conformance test suite (nor should it be because it shouldn’t be yet another Go client).

[bobcallaway]

This issue really makes me think we should be deprecating this client, or at the very least anything with verification. It’s not integrated into the conformance test suite (nor should it be because it shouldn’t be yet another Go client).

Let's go ahead and fix it and discuss deprecation separately. I know this is packaged and shipped in some distributions.

[Hayden-IO]

I think this is a net-positive, but it's still incomplete because for two of the three cases, providing an index or leaf hash, you aren't verifying the leaf hash against the original entry. It's a fine improvement and I'm good with merging, but it's not sufficient for verification. We should clearly define the trust model for using this tool.

[Hayden-IO]

What's the purpose of this check? o.EntryUUID and entry both come from the server.

[Hayden-IO]

Should this instead compare uuid to the entry's hash when uuid is provided?

[bobcallaway]

the check is to ensure the response from the server is coherent (body matches leaf hash)

the check on line 171 does what you asked (compares client provided uuid to the entry in the response's hash

[Hayden-IO]

The underlying issue is the server shouldn’t return a leaf hash because a client should calculate it itself, but we aren’t gonna the API, this is fine

[Hayden-IO]

The underlying issue is the server shouldn’t return a leaf hash because a client should calculate it itself, but we aren’t gonna the API, this is fine