diff --git a/cmd/rekor-cli/app/upload.go b/cmd/rekor-cli/app/upload.go
index dd51a89e69c5e0d4e6940848f567b4db72d0c90e..bbededf4eead9439decf7a752f64eaeb5b429699 100644
--- a/cmd/rekor-cli/app/upload.go
+++ b/cmd/rekor-cli/app/upload.go
@@ -113,7 +113,7 @@ var uploadCmd = &cobra.Command{
 entry, err = types.NewProposedEntry(context.Background(), typeStr, versionStr, *props)
 if err != nil {
- return nil, err
+ return nil, fmt.Errorf("error: %w", err)
 }
 }
 params.SetProposedEntry(entry)
diff --git a/cmd/rekor-cli/app/verify.go b/cmd/rekor-cli/app/verify.go
index 099721a084e831e7a973c4e97ab18ea9bdb0c58c..76fbb9419e011c767dedcf4c228472fd8176dad4 100644
--- a/cmd/rekor-cli/app/verify.go
+++ b/cmd/rekor-cli/app/verify.go
@@ -117,7 +117,7 @@ var verifyCmd = &cobra.Command{
 entry, err := types.NewProposedEntry(context.Background(), typeStr, versionStr, *props)
 if err != nil {
- return nil, err
+ return nil, fmt.Errorf("error: %w", err)
 }
 entries := []models.ProposedEntry{entry}
diff --git a/pkg/types/hashedrekord/v0.0.1/entry.go b/pkg/types/hashedrekord/v0.0.1/entry.go
index 70db16fc59c23a6ad02e1f37f1fa26df13ba00cd..234431e5dd1b4d2cbbf00470f7ae1cf17dc43bca 100644
--- a/pkg/types/hashedrekord/v0.0.1/entry.go
+++ b/pkg/types/hashedrekord/v0.0.1/entry.go
@@ -196,6 +196,10 @@ func (v V001Entry) CreateFromArtifactProperties(ctx context.Context, props types
 var err error
+ if props.PKIFormat != string(pki.X509) {
+ return nil, errors.New("hashedrekord entries can only be created for artifacts signed with x509-based PKI")
+ }
+
 re.HashedRekordObj.Signature = &models.HashedrekordV001SchemaSignature{}
 sigBytes := props.SignatureBytes
 if sigBytes == nil {
diff --git a/tests/e2e_test.go b/tests/e2e_test.go
index d6d4167faa3c3a11fb9b73ccf55fa5e99f395967..94f2a87d348a01d51606af77c8749eff0d0d741c 100644
--- a/tests/e2e_test.go
+++ b/tests/e2e_test.go
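Review bot: The wrap message `"error: %w"` added in upload.go gives a prefix but no context about which step failed, and verify.go's hunk introduces the identical line. Since the wrapped call is `types.NewProposedEntry`, the message could name that step, for example `return nil, fmt.Errorf("creating proposed entry: %w", err)`, so that a rejected artifact (such as the x509-only error this commit adds for hashedrekord) is reported together with its origin. The enclosing command function starts and ends outside both hunks.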
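Review bot: The new guard in CreateFromArtifactProperties (entry.go) compares `props.PKIFormat` with `string(pki.X509)` exactly and returns a fixed message, so a caller who left the format unset or passed another value is not told what was received. Including the value makes the failure diagnosable, for example `return nil, fmt.Errorf("hashedrekord entries require x509-based PKI, got %q", props.PKIFormat)`, assuming `fmt` is imported in this file, which the hunk does not show. The check sits on the path that builds an entry from artifact properties; whether entries reaching the log by other routes are held to the same x509-only rule is not visible here and is worth confirming, because a constraint applied only at construction from properties is not an enforcement point for the log itself. The function body begins before and continues past the hunk.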
@@ -155,14 +155,14 @@ func TestUploadVerifyHashedRekord(t *testing.T) {
 }
 // Verify should fail initially
- runCliErr(t, "verify", "--type=hashedrekord", "--artifact-hash", dataSHA, "--signature", sigPath, "--public-key", pubPath)
+ runCliErr(t, "verify", "--type=hashedrekord", "--pki-format=x509", "--artifact-hash", dataSHA, "--signature", sigPath, "--public-key", pubPath)
 // It should upload successfully.
- out := runCli(t, "upload", "--type=hashedrekord", "--artifact-hash", dataSHA, "--signature", sigPath, "--public-key", pubPath)
+ out := runCli(t, "upload", "--type=hashedrekord", "--pki-format=x509", "--artifact-hash", dataSHA, "--signature", sigPath, "--public-key", pubPath)
 outputContains(t, out, "Created entry at")
 // Now we should be able to verify it.
- out = runCli(t, "verify", "--type=hashedrekord", "--artifact-hash", dataSHA, "--signature", sigPath, "--public-key", pubPath)
+ out = runCli(t, "verify", "--type=hashedrekord", "--pki-format=x509", "--artifact-hash", dataSHA, "--signature", sigPath, "--public-key", pubPath)
 outputContains(t, out, "Inclusion Proof:")
 }
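Review bot: The test now passes `--pki-format=x509` on all three calls but never exercises the rejection that the same commit adds, so a regression that drops the x509-only guard for hashedrekord would go unnoticed. A negative case next to the existing `runCliErr` call would pin it, for example `runCliErr(t, "upload", "--type=hashedrekord", "--pki-format=pgp", "--artifact-hash", dataSHA, "--signature", sigPath, "--public-key", pubPath)`. The first `runCliErr` is also expected to fail for a different reason (the entry is not yet in the log), so it does not cover the format check. TestUploadVerifyHashedRekord starts before the hunk.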