Validate and return hash and size from signed root

The loginfo API returns both the current size, root hash, as well as the
signed tree head that callers can verify if they wish. The CLI does a
check to verify the signature on the tree head returned, but was
reporting the unsigned size and hash. This change ensures that the
values match and prints the values from the signed tree head.

Fixes #200

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

cmd/cli/app/log_info.go

@@ -24,6 +24,7 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
+	"strings"
 
 	"github.com/sigstore/rekor/cmd/cli/app/state"
 
@@ -68,10 +69,6 @@ var logInfoCmd = &cobra.Command{
 		}
 
 		logInfo := result.GetPayload()
-		cmdOutput := &logInfoCmdOutput{
-			TreeSize: *logInfo.TreeSize,
-			RootHash: *logInfo.RootHash,
-		}
 
 		keyHint, err := base64.StdEncoding.DecodeString(logInfo.SignedTreeHead.KeyHint.String())
 		if err != nil {
@@ -117,6 +114,19 @@ var logInfoCmd = &cobra.Command{
 			return nil, err
 		}
 
+		if lr.TreeSize != uint64(*logInfo.TreeSize) {
+			return nil, errors.New("tree size in signed tree head does not match value returned in API call")
+		}
+
+		if strings.ToLower(hex.EncodeToString(lr.RootHash)) != strings.ToLower(*logInfo.RootHash) {
+			return nil, errors.New("root hash in signed tree head does not match value returned in API call")
+		}
+
+		cmdOutput := &logInfoCmdOutput{
+			TreeSize: int64(lr.TreeSize),
+			RootHash: hex.EncodeToString(lr.RootHash),
+		}
+
 		oldState := state.Load(serverURL)
 		if oldState != nil {
 			persistedSize := oldState.TreeSize