Fix idempotency error with signing

[haydentherapper]

The expected behavior is to fetch an existing entry from the log when signing generates the same signature and that entry is uploaded to the log, so that signing is idempotent.

The bug was that the prepended shard ID was compared to the log ID. The log ID is a sha256 hash of the log's public key, which is not the same as the shard ID. Now we compare the prepended shard IDs from both the request and response entry UUID when present.

This was not caught in tests since we used a valid shard ID as input rather than the log ID.

Verified by generating an RSA key (which will generate the same signature given the same input) and signing a container.

Fixes #3356

Summary

Release Note

Documentation

[codecov]

Codecov Report

Attention: 22 lines in your changes are missing coverage. Please review.

Comparison is base (f2300e0) 30.26% compared to head (e7dd433) 30.23%.
Report is 1 commits behind head on main.

Files	Patch %	Lines
cmd/cosign/cli/verify.go	0.00%	16 Missing ⚠️
cmd/cosign/cli/options/verify.go	0.00%	3 Missing ⚠️
pkg/cosign/tlog.go	78.57%	3 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3371      +/-   ##
==========================================
- Coverage   30.26%   30.23%   -0.04%     
==========================================
  Files         155      155              
  Lines        9941     9958      +17     
==========================================
+ Hits         3009     3011       +2     
- Misses       6482     6497      +15     
  Partials      450      450              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.