Hayden B

Results: 828 comments of Hayden B

Additionally, we should either add unit tests for https://github.com/sigstore/sigstore-go/blob/main/pkg/tlog/entry.go or confirm that the unit/integration tests for https://github.com/sigstore/sigstore-go/blob/main/pkg/verify/tlog.go cover entry.go

cc @woodruffw since we've talked about related things many times

For the first, the SET and TSA timestamps are used to verify the code-signing/leaf certificate. That timestamp, `CurrentTime`, will be used when comparing `NotBefore` and `NotAfter` ([go source link](https://cs.opensource.google/go/go/+/refs/tags/go1.22.5:src/crypto/x509/verify.go;l=570-586)). The...

@cmurphy Updated the links in the first comment, lemme know if that helps.

Before starting, I'd like the other maintainers to take a look as well. cc @steiza @codysoyland in case you have thoughts

Can you use the [envelope hash](https://github.com/sigstore/rekor/blob/main/pkg/types/dsse/v0.0.1/dsse_v0_0_1_schema.json#L60) from the Rekor entry?

Tagging other maintainers @codysoyland @steiza @phillmv @kommendorkapten for visibility.

A lot of good discussion! @kommendorkapten I agree with you on having a versioned set of algorithms we support, which is effectively what we already have with the [protobuf-specs](https://github.com/sigstore/protobuf-specs/blob/a18edc22750380beb1f4fba501caebcc07070722/protos/sigstore_common.proto#L62). For...

I'd prefer we still support RSA as we have seen some ecosystems (NuGet) explicitly request support for RSA. Could we instead drop either PKCS#1v1.5 or [PSS](https://github.com/sigstore/protobuf-specs/blob/3e6d8c8ec8a009b307b4612ac9314da5a13907e6/protos/sigstore_common.proto#L74-L76) rather than try to...