Replace --rekor-url with --ignore-tlog

Similar to `--ignore-sct`

Signed-off-by: Zach Steindler <steiza@github.com>

cmd/cosign/cli/options/trustedroot.go

@@ -24,8 +24,8 @@ type TrustedRootCreateOptions struct {
 	CARoots          string
 	CertChain        string
 	IgnoreSCT        bool
+	IgnoreTlog       bool
 	Out              string
-	RekorURL         string
 	TSACertChainPath string
 }
 
@@ -58,12 +58,13 @@ func (o *TrustedRootCreateOptions) AddFlags(cmd *cobra.Command) {
 		"when set, do not include key for verifying certificate transparency "+
 			"log. Set this if you signed with a key instead of using Fulcio.")
 
+	cmd.Flags().BoolVar(&o.IgnoreTlog, "ignore-tlog", false,
+		"when set, do not include key for verifying transparency. Set this if "+
+			"you did not sign with Rekor.")
+
 	cmd.Flags().StringVar(&o.Out, "out", "",
 		"path to output trusted root")
 
-	cmd.Flags().StringVar(&o.RekorURL, "rekor-url", "",
-		"address of rekor STL server")
-
 	cmd.Flags().StringVar(&o.TSACertChainPath, "timestamp-certificate-chain", "",
 		"path to PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must contain the root CA certificate. "+
 			"Optionally may contain intermediate CA certificates")

cmd/cosign/cli/trustedroot.go

@@ -49,8 +49,8 @@ func trustedRootCreate() *cobra.Command {
 				CARoots:          o.CARoots,
 				CertChain:        o.CertChain,
 				IgnoreSCT:        o.IgnoreSCT,
+				IgnoreTlog:       o.IgnoreTlog,
 				Out:              o.Out,
-				RekorURL:         o.RekorURL,
 				TSACertChainPath: o.TSACertChainPath,
 			}
 

cmd/cosign/cli/trustedroot/trustedroot.go

@@ -18,18 +18,14 @@ package trustedroot
 import (
 	"context"
 	"crypto"
-	"crypto/sha256"
 	"crypto/x509"
-	"encoding/base64"
 	"encoding/hex"
 	"encoding/pem"
-	"errors"
 	"fmt"
 	"os"
 
 	"github.com/sigstore/sigstore-go/pkg/root"
 
-	"github.com/sigstore/cosign/v2/cmd/cosign/cli/rekor"
 	"github.com/sigstore/cosign/v2/pkg/cosign"
 )
 
@@ -38,8 +34,8 @@ type CreateCmd struct {
 	CARoots          string
 	CertChain        string
 	IgnoreSCT        bool
+	IgnoreTlog       bool
 	Out              string
-	RekorURL         string
 	TSACertChainPath string
 }
 
@@ -96,47 +92,32 @@ func (c *CreateCmd) Exec(ctx context.Context) error {
 				return err
 			}
 			ctLogs[id] = &root.TransparencyLog{
-				ID:                idBytes,
 				HashFunc:          crypto.SHA256,
+				ID:                idBytes,
 				PublicKey:         key.PubKey,
 				SignatureHashFunc: crypto.SHA256,
 			}
 		}
 	}
 
-	if c.RekorURL != "" {
-		rekorClient, err := rekor.NewClient(c.RekorURL)
-		if err != nil {
-			return fmt.Errorf("creating Rekor client: %w", err)
-		}
-
-		rekorPubKey, err := rekorClient.Pubkey.GetPublicKey(nil)
-		if err != nil {
-			return err
-		}
-
-		block, _ := pem.Decode([]byte(rekorPubKey.Payload))
-		if block == nil {
-			return errors.New("failed to decode public key of server")
-		}
-
-		pub, err := x509.ParsePKIXPublicKey(block.Bytes)
+	if !c.IgnoreTlog {
+		tlogPubKeys, err := cosign.GetRekorPubs(ctx)
 		if err != nil {
 			return err
 		}
 
-		keyHash := sha256.Sum256(block.Bytes)
-		keyID := base64.StdEncoding.EncodeToString(keyHash[:])
-
-		rekorTransparencyLog := root.TransparencyLog{
-			BaseURL:           c.RekorURL,
-			HashFunc:          crypto.SHA256,
-			ID:                keyHash[:],
-			PublicKey:         pub,
-			SignatureHashFunc: crypto.SHA256,
+		for id, key := range tlogPubKeys.Keys {
+			idBytes, err := hex.DecodeString(id)
+			if err != nil {
+				return err
+			}
+			rekorTransparencyLogs[id] = &root.TransparencyLog{
+				HashFunc:          crypto.SHA256,
+				ID:                idBytes,
+				PublicKey:         key.PubKey,
+				SignatureHashFunc: crypto.SHA256,
+			}
 		}
-
-		rekorTransparencyLogs[keyID] = &rekorTransparencyLog
 	}
 
 	if c.TSACertChainPath != "" {