Verifying Signature time when no inclusion promise or integrated time · Issue #1380 · sigstore/sigstore-python · GitHub

Verifying Signature time when no inclusion promise or integrated time #1380


Closed
ramonpetgrave64 opened this issue May 9, 2025 · 0 comments · Fixed by #1381
Labels
bug Something isn't working

Comments

@ramonpetgrave64
Contributor
ramonpetgrave64 commented May 9, 2025

Client support for Rekor V2: sigstore-python

Description

Version

According to the spec, the integrated_time is not to be trusted (and perhaps not required) if an RFC 3161 timestamp is present. But sigstore-python assumes the integrated_time will always be present.

Furthermore, in Rekor V2 the inclusion_promise will not be present (only inclusion_proof), and the integrated_time may not be included.

Still, either one of an inclusion_promise or rfc3161 timestamp is required to be present. We must patch to confirm that any or all of those timestamps are within the validity period of the signing certificate.
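
The check described above, as an added example that is not sigstore-python's own code and not the fix in #1381: it models the timestamp evidence a bundle may carry (an inclusion promise's integrated_time, zero or more RFC 3161 timestamps) with an assumed `TimestampSources` dataclass, requires that at least one source is present, and confirms that every timestamp actually present lies inside the signing certificate's validity window. The certificate window is passed in as plain `not_before`/`not_after` datetimes rather than parsed from an X.509 object, so the example runs offline; all names and sample values are constructed for illustration.

```python
# Added example, not part of sigstore-python. Names, dataclass shape and sample
# timestamps are assumptions made for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional, Sequence


class VerificationError(Exception):
    """Raised when the signing time cannot be verified against the certificate."""


@dataclass(frozen=True)
class TimestampSources:
    """Signing-time evidence that may be present in a bundle (assumed shape).

    integrated_time: taken from a Rekor v1 inclusion promise (SET). For Rekor v2
                     there is no inclusion promise, so this is None.
    rfc3161_times:   genTime values from RFC 3161 timestamp responses that have
                     already been verified against a trusted TSA.
    """
    integrated_time: Optional[datetime] = None
    rfc3161_times: Sequence[datetime] = field(default_factory=tuple)


def _as_utc(ts: datetime, label: str) -> datetime:
    """Reject naive datetimes: comparing them to certificate times is ambiguous."""
    if ts.tzinfo is None:
        raise VerificationError(f"{label} must be timezone-aware")
    return ts.astimezone(timezone.utc)


def verify_signing_time(
    not_before: datetime,
    not_after: datetime,
    sources: TimestampSources,
) -> list:
    """Check every available timestamp against [not_before, not_after].

    Rules mirrored from the issue text:
      * at least one of an inclusion promise (integrated_time) or an RFC 3161
        timestamp must be present; a bundle with neither is rejected;
      * integrated_time is optional and must not be assumed to exist;
      * every timestamp that is present must fall inside the certificate's
        validity period.
    Returns the list of checked timestamps (UTC) so callers can log them.
    """
    nb = _as_utc(not_before, "not_before")
    na = _as_utc(not_after, "not_after")

    checked = []
    for i, ts in enumerate(sources.rfc3161_times):
        checked.append(_as_utc(ts, f"rfc3161_times[{i}]"))
    if sources.integrated_time is not None:
        checked.append(_as_utc(sources.integrated_time, "integrated_time"))

    if not checked:
        raise VerificationError(
            "no signing-time evidence: need an inclusion promise or an RFC 3161 timestamp"
        )

    for ts in checked:
        if not (nb <= ts <= na):
            raise VerificationError(
                f"timestamp {ts.isoformat()} is outside certificate validity "
                f"[{nb.isoformat()}, {na.isoformat()}]"
            )
    return checked


# Constructed sample window: a short-lived signing certificate valid for 10 minutes.
CERT_NOT_BEFORE = datetime(2025, 5, 9, 12, 0, tzinfo=timezone.utc)
CERT_NOT_AFTER = CERT_NOT_BEFORE + timedelta(minutes=10)


def rekor_v2_bundle_ok() -> int:
    """Rekor v2 shape: no inclusion promise, one RFC 3161 timestamp inside the window."""
    sources = TimestampSources(rfc3161_times=(CERT_NOT_BEFORE + timedelta(minutes=2),))
    return len(verify_signing_time(CERT_NOT_BEFORE, CERT_NOT_AFTER, sources))


def bundle_without_evidence_rejected() -> bool:
    """Neither source present: must be rejected rather than assumed valid."""
    try:
        verify_signing_time(CERT_NOT_BEFORE, CERT_NOT_AFTER, TimestampSources())
    except VerificationError:
        return True
    return False


def stale_integrated_time_rejected() -> bool:
    """Inclusion promise whose integrated_time is after the certificate expired."""
    sources = TimestampSources(integrated_time=CERT_NOT_AFTER + timedelta(hours=1))
    try:
        verify_signing_time(CERT_NOT_BEFORE, CERT_NOT_AFTER, sources)
    except VerificationError:
        return True
    return False


if __name__ == "__main__":
    print("rekor v2 bundle checked timestamps:", rekor_v2_bundle_ok())
    print("empty bundle rejected:", bundle_without_evidence_rejected())
    print("stale integrated_time rejected:", stale_integrated_time_rejected())
```

The design choice worth noting is that absence of evidence is a hard failure: a verifier that treats a missing integrated_time as "nothing to check" would accept a bundle whose signature was produced after the short-lived certificate expired, which is exactly the window that both the inclusion promise and the RFC 3161 timestamp exist to close.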
