Return multiple rekor entries if looked up during verify-blob

[dlorenc]

Description

In verify-blob with the transparency log enabled, we'll attempt to look up an entry in the log using the search API. This will return the latest signature/cert found for a blob, which may not be the one the user actually is looking for. We should consider improving this UX if multiple entries are found. The relevant codepath is here:

cosign/pkg/cosign/tlog.go

Line 183 in 78fb2dc

func FindTlogEntry(ctx context.Context, rekorClient *client.Rekor, b64Sig string, payload, pubKey []byte) (uuid string, index int64, err error) {

In general we'll also need to better explain the guarantees of the search API. The results returned from it are generally considered "best-effort" and are not guaranteed to be comprehensive. Every result in that API is valid - but the API does not necessarily return every result.

[znewman01]

This behavior was fixed in #1673 .

We could still explain better what's going on; I'll send a quick PR for that.

[znewman01]

Oh actually #1673 does add a message clarifying the guarantees. It does so only when relevant: that is, the search API didn't find a corresponding signature.

This can be closed.