diff --git a/pkg/provenance.go b/pkg/provenance.go
index f17cb4f..61eaba2 100644
--- a/pkg/provenance.go
+++ b/pkg/provenance.go
@@ -36,6 +36,7 @@ import (
 "github.com/sigstore/rekor/pkg/generated/client/index"
 "github.com/sigstore/rekor/pkg/generated/client/tlog"
 "github.com/sigstore/rekor/pkg/generated/models"
+ "github.com/sigstore/rekor/pkg/sharding"
 "github.com/sigstore/rekor/pkg/types"
 intotod "github.com/sigstore/rekor/pkg/types/intoto/v0.0.1"
 "github.com/sigstore/rekor/pkg/util"
@@ -254,9 +255,9 @@ func verifyRootHash(ctx context.Context, rekorClient *client.Rekor, proof *model
 return nil
 }
 
-func verifyTlogEntryByUUID(ctx context.Context, rekorClient *client.Rekor, uuid string) (*models.LogEntryAnon, error) {
+func verifyTlogEntryByUUID(ctx context.Context, rekorClient *client.Rekor, entryUUID string) (*models.LogEntryAnon, error) {
 params := entries.NewGetLogEntryByUUIDParamsWithContext(ctx)
- params.EntryUUID = uuid
+ params.EntryUUID = entryUUID
 
 lep, err := rekorClient.Entries.GetLogEntryByUUID(params)
 if err != nil {
@@ -266,7 +267,20 @@ func verifyTlogEntryByUUID(ctx context.Context, rekorClient *client.Rekor, uuid
 if len(lep.Payload) != 1 {
 return nil, errors.New("UUID value can not be extracted")
 }
- e := lep.Payload[params.EntryUUID]
+
+ uuid, err := sharding.GetUUIDFromIDString(params.EntryUUID)
+ if err != nil {
+ return nil, err
+ }
+
+ var e models.LogEntryAnon
+ for k, entry := range lep.Payload {
+ if k != uuid {
+ return nil, errors.New("expected matching UUID")
+ }
+ e = entry
+ }
+
 return verifyTlogEntry(ctx, rekorClient, params.EntryUUID, e)
 }
 
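Review bot: In the last hunk the loop compares the raw response key `k` against `uuid`, but only the requested ID was normalized with `sharding.GetUUIDFromIDString`. If the log returns the payload key in the longer tree-ID-prefixed form, which the need for that normalization suggests is possible, a genuine entry is rejected with "expected matching UUID". Normalizing `k` the same way before comparing keeps the requested-versus-returned binding without depending on which form the server echoes. Separately, `verifyTlogEntry` still receives `params.EntryUUID` rather than the normalized `uuid`; its body is not in this diff, so confirm it accepts both forms. The enclosing function starts outside this hunk (its signature is in the previous one).

```go
	for k, entry := range lep.Payload {
		// Normalize the returned key the same way as the requested ID.
		returnedUUID, err := sharding.GetUUIDFromIDString(k)
		if err != nil {
			return nil, err
		}
		if returnedUUID != uuid {
			// … unchanged: mismatch error, then e = entry …
```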