rekor-cli provides a command line utility to upload entries to Rekor, search for entries, and verify entries. To reduce the number of tools we maintain in Sigstore, I'd like to deprecate this utility and remove it in Rekor v2. For any functionality that we think should be supported in a CLI tool, I'd rather move it to Cosign as the central Sigstore utility.
For uploading entries to Rekor, a curl command should be sufficient, especially once the number of types is reduced (#2080).
For verifying entries, I'm not sure of the use case where someone would like to verify a log entry without also verifying the artifact signature. I'd rather point users to Cosign, and again if the use case does arise, we can add the functionality to Cosign.
@lkatalin I know Red Hat recommends rekor-cli. Do you have a use case in mind where you need only log entry verification without signature verification, or could Cosign be sufficient?
@haydentherapper I think we are probably fine with removing this with the 2.0 rekor release. I'm investigating, but at the moment I don't have any great concern. It's one less thing for us to maintain too :)