print the rekor log index

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
slsa-framework · Aug 14, 2024 · 20e2376 · 20e2376
1 parent 2f63460
commit 20e2376
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -113,6 +113,9 @@ The workflows `generator_generic_slsa3.yml` and `builder_go_slsa3.yml`
 have been updated to produce signed Sigstore Bundles, just like all the other builders
 that use the BYOB framework.
 
+The workflow logs will now print a LogIndex, rather than a LogUUID. Both are equally searchanble on
+https://search.sigstore.dev/.
+
 ### Unreleased: Vars context recorded in provenance
 
 - **Updated**: GitHub `vars` context is now recorded in provenance for the generic and

diff --git a/signing/sigstore/bundle.go b/signing/sigstore/bundle.go
@@ -17,6 +17,7 @@ package sigstore
 import (
 	"context"
 	"encoding/json"
+	"fmt"
 
 	intoto "github.com/in-toto/in-toto-golang/in_toto"
 	sigstoreBundle "github.com/sigstore/sigstore-go/pkg/bundle"
@@ -89,6 +90,7 @@ func (s *BundleSigner) Sign(ctx context.Context, statement *intoto.Statement) (s
 
 	// signing opts.
 	bundleOpts, err := getBundleOpts(
+		ctx,
 		&s.fulcioAddr,
 		&s.rekorAddr,
 		&rawToken,
@@ -103,6 +105,15 @@ func (s *BundleSigner) Sign(ctx context.Context, statement *intoto.Statement) (s
 		return nil, err
 	}
 
+	// print the logIndex.
+	// Bundle will have already verified that the TLog entries are signed.
+	logIndex := innerBundle.GetVerificationMaterial().GetTlogEntries()[0].GetLogIndex()
+	fmt.Printf("Signed attestation is in rekor with UUID %d.\n", logIndex)
+	fmt.Printf("You could use rekor-cli to view the log entry details:\n\n"+
+		"  $ rekor-cli get --log-index %[1]d\n\n"+
+		"In addition to that, you could also use the Rekor Search UI:\n\n"+
+		"  https://search.sigstore.dev/?logIndex=%[1]d", logIndex)
+
 	// marshall to json.
 	bundleWrapper := &sigstoreBundle.ProtobufBundle{
 		Bundle: innerBundle,
@@ -120,11 +131,14 @@ func (s *BundleSigner) Sign(ctx context.Context, statement *intoto.Statement) (s
 
 // getBundleOpts provides the opts for sigstoreSign.Bundle().
 func getBundleOpts(
+	ctx context.Context,
 	fulcioAddr *string,
 	rekorAddr *string,
 	identityToken *string,
 ) (*sigstoreSign.BundleOptions, error) {
-	bundleOpts := &sigstoreSign.BundleOptions{}
+	bundleOpts := &sigstoreSign.BundleOptions{
+		Context: ctx,
+	}
 
 	fulcioOpts := &sigstoreSign.FulcioOptions{
 		BaseURL: *fulcioAddr,