Client support for Rekor V2: sigstore-python
Description
Version
According to spec, the integrated_time is not to be trusted ( and perhaps not required) if an rfc3161 timestamp is present. But sigstore-python assumes the integrated_time will always be present.
furthermore, in rekor V2 the inclusion_promise will not be present (only inclusion_proof), and the integrated_time may not be included.
Still, either one of an inclusion_promise or rfc3161 timestamp is required to be present. We must patch to confirm that any or all of those timestamps are within the validity period of the signing certificate.
Client support for Rekor V2: sigstore-python
Description
Version
According to spec, the
integrated_timeis not to be trusted ( and perhaps not required) if an rfc3161 timestamp is present. But sigstore-python assumes theintegrated_timewill always be present.furthermore, in rekor V2 the
inclusion_promisewill not be present (onlyinclusion_proof), and theintegrated_timemay not be included.Still, either one of an
inclusion_promiseor rfc3161 timestamp is required to be present. We must patch to confirm that any or all of those timestamps are within the validity period of the signing certificate.