diff --git a/cmd/cosign/cli/fulcio/depcheck_test.go b/cmd/cosign/cli/fulcio/depcheck_test.go
index 058a6fa8e94..b8eb8eff4cc 100644
--- a/cmd/cosign/cli/fulcio/depcheck_test.go
+++ b/cmd/cosign/cli/fulcio/depcheck_test.go
@@ -26,7 +26,7 @@ func TestNoDeps(t *testing.T) {
 		"github.com/sigstore/cosign/cmd/cosign/cli/fulcio": {
 			// Avoid pulling in a variety of things that are massive dependencies.
 			// "github.com/google/certificate-transparency-go",
-			// "github.com/google/trillian",
+			"github.com/google/trillian",
 			"github.com/envoyproxy/go-control-plane",
 			"github.com/gogo/protobuf/protoc-gen-gogo",
 			"github.com/grpc-ecosystem/go-grpc-middleware",
diff --git a/cmd/cosign/cli/fulcio/fulcioverifier/ctfe/structures.go b/cmd/cosign/cli/fulcio/fulcioverifier/ctfe/structures.go
new file mode 100644
index 00000000000..b72ad955b98
--- /dev/null
+++ b/cmd/cosign/cli/fulcio/fulcioverifier/ctfe/structures.go
@@ -0,0 +1,37 @@
+// Copyright 2016 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ctfe
+
+// Code to handle encoding / decoding various data structures used in RFC 6962. Does not
+// contain the low level serialization.
+
+import (
+	"crypto"
+	"crypto/sha256"
+
+	"github.com/google/certificate-transparency-go/x509"
+)
+
+const millisPerNano int64 = 1000 * 1000
+
+// GetCTLogID takes the key manager for a log and returns the LogID. (see RFC 6962 S3.2)
+// In CT V1 the log id is a hash of the public key.
+func GetCTLogID(pk crypto.PublicKey) ([sha256.Size]byte, error) {
+	pubBytes, err := x509.MarshalPKIXPublicKey(pk)
+	if err != nil {
+		return [sha256.Size]byte{}, err
+	}
+	return sha256.Sum256(pubBytes), nil
+}
diff --git a/cmd/cosign/cli/fulcio/fulcioverifier/ctl/verify.go b/cmd/cosign/cli/fulcio/fulcioverifier/ctl/verify.go
index 2fdcd7d71da..c2ae7487cdf 100644
--- a/cmd/cosign/cli/fulcio/fulcioverifier/ctl/verify.go
+++ b/cmd/cosign/cli/fulcio/fulcioverifier/ctl/verify.go
@@ -26,11 +26,11 @@ import (
 	"os"
 
 	ct "github.com/google/certificate-transparency-go"
-	"github.com/google/certificate-transparency-go/ctutil"
-	"github.com/google/certificate-transparency-go/trillian/ctfe"
 	ctx509 "github.com/google/certificate-transparency-go/x509"
 	"github.com/google/certificate-transparency-go/x509util"
 	"github.com/pkg/errors"
+	"github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioverifier/ctfe"
+	"github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioverifier/ctutil"
 
 	"github.com/sigstore/cosign/pkg/cosign/tuf"
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
diff --git a/cmd/cosign/cli/fulcio/fulcioverifier/ctutil/ctutil.go b/cmd/cosign/cli/fulcio/fulcioverifier/ctutil/ctutil.go
new file mode 100644
index 00000000000..6c768083341
--- /dev/null
+++ b/cmd/cosign/cli/fulcio/fulcioverifier/ctutil/ctutil.go
@@ -0,0 +1,211 @@
+// Copyright 2018 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package ctutil contains utilities for Certificate Transparency.
+package ctutil
+
+import (
+	"bytes"
+	"crypto"
+	"crypto/sha256"
+	"encoding/base64"
+	"errors"
+	"fmt"
+
+	ct "github.com/google/certificate-transparency-go"
+	"github.com/google/certificate-transparency-go/tls"
+	"github.com/google/certificate-transparency-go/x509"
+)
+
+var emptyHash = [sha256.Size]byte{}
+
+// LeafHashB64 does as LeafHash does, but returns the leaf hash base64-encoded.
+// The base64-encoded leaf hash returned by B64LeafHash can be used with the
+// get-proof-by-hash API endpoint of Certificate Transparency Logs.
+func LeafHashB64(chain []*x509.Certificate, sct *ct.SignedCertificateTimestamp, embedded bool) (string, error) {
+	hash, err := LeafHash(chain, sct, embedded)
+	if err != nil {
+		return "", err
+	}
+	return base64.StdEncoding.EncodeToString(hash[:]), nil
+}
+
+// LeafHash calculates the leaf hash of the certificate or precertificate at
+// chain[0] that sct was issued for.
+//
+// sct is required because the SCT timestamp is used to calculate the leaf hash.
+// Leaf hashes are unique to (pre)certificate-SCT pairs.
+//
+// This function can be used with three different types of leaf certificate:
+//   - X.509 Certificate:
+//       If using this function to calculate the leaf hash for a normal X.509
+//       certificate then it is enough to just provide the end entity
+//       certificate in chain. This case assumes that the SCT being provided is
+//       not embedded within the leaf certificate provided, i.e. the certificate
+//       is what was submitted to the Certificate Transparency Log in order to
+//       obtain the SCT.  For this case, set embedded to false.
+//   - Precertificate:
+//       If using this function to calculate the leaf hash for a precertificate
+//       then the issuing certificate must also be provided in chain.  The
+//       precertificate should be at chain[0], and its issuer at chain[1].  For
+//       this case, set embedded to false.
+//   - X.509 Certificate containing the SCT embedded within it:
+//       If using this function to calculate the leaf hash for a certificate
+//       where the SCT provided is embedded within the certificate you
+//       are providing at chain[0], set embedded to true.  LeafHash will
+//       calculate the leaf hash by building the corresponding precertificate.
+//       LeafHash will return an error if the provided SCT cannot be found
+//       embedded within chain[0].  As with the precertificate case, the issuing
+//       certificate must also be provided in chain.  The certificate containing
+//       the embedded SCT should be at chain[0], and its issuer at chain[1].
+//
+// Note: LeafHash doesn't check that the provided SCT verifies for the given
+// chain.  It simply calculates what the leaf hash would be for the given
+// (pre)certificate-SCT pair.
+func LeafHash(chain []*x509.Certificate, sct *ct.SignedCertificateTimestamp, embedded bool) ([sha256.Size]byte, error) {
+	leaf, err := createLeaf(chain, sct, embedded)
+	if err != nil {
+		return emptyHash, err
+	}
+	return ct.LeafHashForLeaf(leaf)
+}
+
+// VerifySCT takes the public key of a Certificate Transparency Log, a
+// certificate chain, and an SCT and verifies whether the SCT is a valid SCT for
+// the certificate at chain[0], signed by the Log that the public key belongs
+// to.  If the SCT does not verify, an error will be returned.
+//
+// This function can be used with three different types of leaf certificate:
+//   - X.509 Certificate:
+//       If using this function to verify an SCT for a normal X.509 certificate
+//       then it is enough to just provide the end entity certificate in chain.
+//       This case assumes that the SCT being provided is not embedded within
+//       the leaf certificate provided, i.e. the certificate is what was
+//       submitted to the Certificate Transparency Log in order to obtain the
+//       SCT.  For this case, set embedded to false.
+//   - Precertificate:
+//       If using this function to verify an SCT for a precertificate then the
+//       issuing certificate must also be provided in chain.  The precertificate
+//       should be at chain[0], and its issuer at chain[1].  For this case, set
+//       embedded to false.
+//   - X.509 Certificate containing the SCT embedded within it:
+//       If the SCT you wish to verify is embedded within the certificate you
+//       are providing at chain[0], set embedded to true.  VerifySCT will
+//       verify the provided SCT by building the corresponding precertificate.
+//       VerifySCT will return an error if the provided SCT cannot be found
+//       embedded within chain[0].  As with the precertificate case, the issuing
+//       certificate must also be provided in chain.  The certificate containing
+//       the embedded SCT should be at chain[0], and its issuer at chain[1].
+func VerifySCT(pubKey crypto.PublicKey, chain []*x509.Certificate, sct *ct.SignedCertificateTimestamp, embedded bool) error {
+	s, err := ct.NewSignatureVerifier(pubKey)
+	if err != nil {
+		return fmt.Errorf("error creating signature verifier: %s", err)
+	}
+
+	return VerifySCTWithVerifier(s, chain, sct, embedded)
+}
+
+// VerifySCTWithVerifier takes a ct.SignatureVerifier, a certificate chain, and
+// an SCT and verifies whether the SCT is a valid SCT for the certificate at
+// chain[0], signed by the Log whose public key was used to set up the
+// ct.SignatureVerifier.  If the SCT does not verify, an error will be returned.
+//
+// This function can be used with three different types of leaf certificate:
+//   - X.509 Certificate:
+//       If using this function to verify an SCT for a normal X.509 certificate
+//       then it is enough to just provide the end entity certificate in chain.
+//       This case assumes that the SCT being provided is not embedded within
+//       the leaf certificate provided, i.e. the certificate is what was
+//       submitted to the Certificate Transparency Log in order to obtain the
+//       SCT.  For this case, set embedded to false.
+//   - Precertificate:
+//       If using this function to verify an SCT for a precertificate then the
+//       issuing certificate must also be provided in chain.  The precertificate
+//       should be at chain[0], and its issuer at chain[1].  For this case, set
+//       embedded to false.
+//   - X.509 Certificate containing the SCT embedded within it:
+//       If the SCT you wish to verify is embedded within the certificate you
+//       are providing at chain[0], set embedded to true.  VerifySCT will
+//       verify the provided SCT by building the corresponding precertificate.
+//       VerifySCT will return an error if the provided SCT cannot be found
+//       embedded within chain[0].  As with the precertificate case, the issuing
+//       certificate must also be provided in chain.  The certificate containing
+//       the embedded SCT should be at chain[0], and its issuer at chain[1].
+func VerifySCTWithVerifier(sv *ct.SignatureVerifier, chain []*x509.Certificate, sct *ct.SignedCertificateTimestamp, embedded bool) error {
+	if sv == nil {
+		return errors.New("ct.SignatureVerifier is nil")
+	}
+
+	leaf, err := createLeaf(chain, sct, embedded)
+	if err != nil {
+		return err
+	}
+
+	return sv.VerifySCTSignature(*sct, ct.LogEntry{Leaf: *leaf})
+}
+
+func createLeaf(chain []*x509.Certificate, sct *ct.SignedCertificateTimestamp, embedded bool) (*ct.MerkleTreeLeaf, error) {
+	if len(chain) == 0 {
+		return nil, errors.New("chain is empty")
+	}
+	if sct == nil {
+		return nil, errors.New("sct is nil")
+	}
+
+	if embedded {
+		sctPresent, err := ContainsSCT(chain[0], sct)
+		if err != nil {
+			return nil, fmt.Errorf("error checking for SCT in leaf certificate: %s", err)
+		}
+		if !sctPresent {
+			return nil, errors.New("SCT provided is not embedded within leaf certificate")
+		}
+	}
+
+	certType := ct.X509LogEntryType
+	if chain[0].IsPrecertificate() || embedded {
+		certType = ct.PrecertLogEntryType
+	}
+
+	var leaf *ct.MerkleTreeLeaf
+	var err error
+	if embedded {
+		leaf, err = ct.MerkleTreeLeafForEmbeddedSCT(chain, sct.Timestamp)
+	} else {
+		leaf, err = ct.MerkleTreeLeafFromChain(chain, certType, sct.Timestamp)
+	}
+	if err != nil {
+		return nil, fmt.Errorf("error creating MerkleTreeLeaf: %s", err)
+	}
+	return leaf, nil
+}
+
+// ContainsSCT checks to see whether the given SCT is embedded within the given
+// certificate.
+func ContainsSCT(cert *x509.Certificate, sct *ct.SignedCertificateTimestamp) (bool, error) {
+	if cert == nil || sct == nil {
+		return false, nil
+	}
+
+	sctBytes, err := tls.Marshal(*sct)
+	if err != nil {
+		return false, fmt.Errorf("error tls.Marshalling SCT: %s", err)
+	}
+	for _, s := range cert.SCTList.SCTList {
+		if bytes.Equal(sctBytes, s.Val) {
+			return true, nil
+		}
+	}
+	return false, nil
+}
diff --git a/cmd/cosign/policy_webhook/depcheck_test.go b/cmd/cosign/policy_webhook/depcheck_test.go
index c990d4211b5..397a710baef 100644
--- a/cmd/cosign/policy_webhook/depcheck_test.go
+++ b/cmd/cosign/policy_webhook/depcheck_test.go
@@ -26,7 +26,7 @@ func TestNoDeps(t *testing.T) {
 		"github.com/sigstore/cosign/cmd/cosign/policy_webhook": {
 			// This conflicts with klog, we error on startup about
 			// `-log_dir` being defined multiple times.
-			// "github.com/golang/glog",
+			"github.com/golang/glog",
 		},
 	})
 }
diff --git a/cmd/cosign/webhook/depcheck_test.go b/cmd/cosign/webhook/depcheck_test.go
index d8f5d7403c6..30f64db6177 100644
--- a/cmd/cosign/webhook/depcheck_test.go
+++ b/cmd/cosign/webhook/depcheck_test.go
@@ -26,7 +26,7 @@ func TestNoDeps(t *testing.T) {
 		"github.com/sigstore/cosign/cmd/cosign/webhook": {
 			// This conflicts with klog, we error on startup about
 			// `-log_dir` being defined multiple times.
-			// "github.com/golang/glog",
+			"github.com/golang/glog",
 		},
 	})
 }