It's clear that next sigstore-python will be able to produce bundles that older releases cannot verify (due to lack of rekorv2 support) -- but I'd like to be sure of the differences especially if we're adding #1471 where the purpose sort of is to produce "old style" bundles
I'm especially thinking about the timestamp support:
- we have not been using timestamps much but the verification code is already there
- now the signing code does add a TSA timestamp
- there are some details in the verification code that seem fishy (like the way we require at least one verified time but if TSA timestamps are defined then we also require one of those to be valid...)
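To make the timestamp rule this comment is questioning concrete, here is an added example that models it as stated (it is not sigstore-python's code; cryptographic checks on each time source are abstracted into a `valid` flag, and the sample certificate window and times are constructed):

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed model of the verification-time policy described in the comment.
# It is NOT sigstore-python's implementation; signature and checkpoint
# verification of each time source is reduced to the `valid` boolean.

@dataclass
class VerifiedTime:
    source: str        # "tsa" (RFC 3161 token) or "rekor" (log integrated time)
    time: datetime     # the time the source attests to
    valid: bool        # whether the signature/checkpoint over that time verified

@dataclass
class Bundle:
    cert_not_before: datetime
    cert_not_after: datetime
    tsa_times: List[VerifiedTime] = field(default_factory=list)
    rekor_time: Optional[VerifiedTime] = None

def check_times(b: Bundle) -> Tuple[bool, str]:
    """Return (accepted, reason) under the two rules the comment describes."""
    # Rule A: if the bundle carries any TSA timestamps, at least one must verify.
    if b.tsa_times and not any(t.valid for t in b.tsa_times):
        return False, "TSA timestamps present but none verified"
    # Rule B: at least one verified time must fall inside the cert validity window.
    sources = list(b.tsa_times) + ([b.rekor_time] if b.rekor_time else [])
    good = [t for t in sources
            if t.valid and b.cert_not_before <= t.time <= b.cert_not_after]
    if not good:
        return False, "no verified time inside the signing certificate window"
    return True, "accepted via " + ",".join(sorted({t.source for t in good}))

# Constructed sample: a 10-minute signing certificate window.
NB = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
NA = NB + timedelta(minutes=10)
T_OK = NB + timedelta(minutes=3)

def scenario_rekor_only() -> bool:
    return check_times(Bundle(NB, NA, rekor_time=VerifiedTime("rekor", T_OK, True)))[0]

def scenario_good_rekor_bad_tsa() -> bool:
    # The interaction the comment calls fishy: a valid Rekor time is rejected
    # solely because an attached TSA token fails to verify (Rule A).
    b = Bundle(NB, NA, tsa_times=[VerifiedTime("tsa", T_OK, False)],
               rekor_time=VerifiedTime("rekor", T_OK, True))
    return check_times(b)[0]

def scenario_tsa_outside_window() -> bool:
    late = VerifiedTime("tsa", NA + timedelta(hours=1), True)
    return check_times(Bundle(NB, NA, tsa_times=[late]))[0]
```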