feat: npmjs sigstore tuf: use ValidFor.Start and ValidFor.End

Open ramonpetgrave64 opened this issue 10 months ago • 0 comments

The work in https://github.com/slsa-framework/slsa-verifier/pull/731 retrieves the latest signing key from the TUF root. There is metadata for a ValidFor.Start, and in the future there may be a ValidFor.End.

Consider ensuring that the current timestamp is between the start and end timestamps.

ramonpetgrave64, Apr 16 '24 16:04
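
One way to implement the check the issue asks for, as an added example that is not part of the original issue and not slsa-verifier's own code. The `ValidFor` struct, `CheckValidFor` and the error names are hypothetical stand-ins for the key metadata from the TUF root; the reference time is a parameter so the caller decides which timestamp to test, and the dates are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ValidFor is a hypothetical stand-in for the key's validity metadata:
// Start is expected to be set, End stays nil until an end time is published.
type ValidFor struct {
	Start *time.Time
	End   *time.Time
}

var (
	ErrNoStart     = errors.New("key has no ValidFor.Start")
	ErrBadWindow   = errors.New("ValidFor.End is before ValidFor.Start")
	ErrNotYetValid = errors.New("key is not yet valid")
	ErrExpired     = errors.New("key is no longer valid")
)

// CheckValidFor returns nil only when now lies within [Start, End].
// A nil End is treated as an open-ended window.
func CheckValidFor(v ValidFor, now time.Time) error {
	if v.Start == nil {
		return ErrNoStart // fail closed: missing metadata is not "always valid"
	}
	if v.End != nil && v.End.Before(*v.Start) {
		return ErrBadWindow // malformed metadata, reject rather than guess
	}
	if now.Before(*v.Start) {
		return ErrNotYetValid
	}
	if v.End != nil && now.After(*v.End) {
		return ErrExpired
	}
	return nil
}

func main() {
	start := time.Date(2022, 12, 1, 0, 0, 0, 0, time.UTC) // constructed sample dates
	end := start.AddDate(2, 0, 0)
	now := time.Date(2024, 4, 16, 0, 0, 0, 0, time.UTC)
	fmt.Println(CheckValidFor(ValidFor{Start: &start}, now))                             // open-ended window
	fmt.Println(CheckValidFor(ValidFor{Start: &start, End: &end}, end.Add(time.Second))) // past End
}
```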