Hayden B

Results 828 comments of Hayden B

@woodruffw Do you know if we have any conformance tests around verifying certificates against current time?

Well, right after I wrote that, a conformance test failed, so I guess yes.

I think the issue is we're conflating two things in sigstore-go - verification of the certificate and that a signing event occurred when the certificate is valid. In Cosign, the...

The other question is what we want this fallback behavior to be. If we require current time to be used as a fallback, that would mean that you MUST provide...

Another question - how should conformance pass when given only a signature and certificate? I guess all clients are using NBF, because otherwise it wouldn’t be possible to verify a...

In chatting with some other clients and thinking more on this, there are a few cases to handle:

* Verifying short-lived certificates as part of conformance tests
* Verifying short-lived...

It sounds like we're all in agreement! So to confirm:

1. We will update the client spec to be explicit that at least one signed timestamp must be provided by...

Ready for a review finally! Thank you @steiza for updating the conformance tests!

https://github.com/sigstore/sigstore-go/pull/277 for the fix. Had to update some tests to use the SET timestamp.

Discussion from sigstore-go v1.0 meeting: Closing, as there is another solution noted in https://github.com/sigstore/sigstore-go/issues/249#issuecomment-2274205744 and there are not more use cases for this at the moment.