Index hosted attestations: Add optional timestamps #1936
Conversation
Sigstore public good instance is transitioning to Rekor v2 transparency log: this log no longer includes integrated time in the log entries, so external timestamps are then needed.
Pull Request Overview
This PR adds optional RFC3161 timestamp support to the attestation format, enabling compatibility with Sigstore's Rekor v2 transparency log which no longer includes integrated timestamps in log entries.
Key Changes
- Added optional `timestamps` field to verification material for storing external RFC3161 timestamps
- Updated verification requirements to clarify that inclusion time can come from either integrated timestamps or external RFC3161 timestamps
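The rule in the overview above (inclusion time from either `integrated_time` or an external RFC 3161 timestamp) as an added, stand-alone Python example; it is not code from this PR, from warehouse or from pypi-attestations. It assumes the shape of the PEP 740 verification material (`transparency_entries` whose `integrated_time` may be absent, `timestamps` as a list of DER-encoded RFC 3161 responses) and a five-minute agreement window between time sources, which is a policy choice of this example, not of the spec. The sample timestamp response is constructed inline and carries no TSA signature; the DER walk only extracts `TSTInfo.genTime`, so a real verifier must verify the TSA signature and chain before trusting that time.

```python
"""Establish a signing time for a PEP 740 attestation whose log entry carries no
integrated_time (Rekor v2), falling back to RFC 3161 timestamps.

Added example, not project code. The DER walk extracts TSTInfo.genTime only and
does NOT verify the TSA signature; a real verifier must do that first."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

ID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")      # 1.2.840.113549.1.7.2
ID_CT_TSTINFO = bytes.fromhex("2a864886f70d0109100104")   # 1.2.840.113549.1.9.16.1.4
ID_SHA256 = bytes.fromhex("608648016503040201")           # 2.16.840.1.101.3.4.2.1


def _tlv(buf: bytes, off: int = 0) -> tuple[int, bytes, int]:
    """Decode one DER TLV at buf[off:] -> (tag, value, offset after it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long form: the next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def _children(value: bytes) -> list[tuple[int, bytes]]:
    """Split the value of a constructed element into its (tag, value) children."""
    out, off = [], 0
    while off < len(value):
        tag, val, off = _tlv(value, off)
        out.append((tag, val))
    return out


def _der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV (used only to build the constructed sample)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def rfc3161_gen_time(der: bytes) -> datetime:
    """Extract TSTInfo.genTime from a DER TimeStampResp or a bare TimeStampToken."""
    tag, top, _ = _tlv(der)
    if tag != 0x30:
        raise ValueError("expected a SEQUENCE")
    items = _children(top)
    if items[0][0] == 0x30:                           # PKIStatusInfo first: this is a TimeStampResp
        status = _children(items[0][1])[0][1]         # PKIStatus INTEGER
        if status not in (b"\x00", b"\x01"):          # granted / grantedWithMods
            raise ValueError("TSA did not grant the timestamp")
        if len(items) < 2:
            raise ValueError("TimeStampResp carries no token")
        items = _children(items[1][1])                # descend into ContentInfo
    if items[0][1] != ID_SIGNED_DATA:
        raise ValueError("timestamp token is not CMS SignedData")
    sd = _children(_children(items[1][1])[0][1])      # [0] EXPLICIT -> SignedData fields
    eci = _children(sd[2][1])                         # encapContentInfo
    if eci[0][1] != ID_CT_TSTINFO:
        raise ValueError("eContentType is not id-ct-TSTInfo")
    econtent = _children(eci[1][1])[0][1]             # [0] EXPLICIT OCTET STRING -> TSTInfo DER
    tag, raw = _children(_tlv(econtent)[1])[4]        # version, policy, messageImprint, serial, genTime
    if tag != 0x18:
        raise ValueError("TSTInfo.genTime missing")
    text = raw.decode("ascii")
    if not text.endswith("Z"):
        raise ValueError("genTime must be UTC (trailing Z)")
    stamp = datetime.strptime(text[:-1].split(".")[0], "%Y%m%d%H%M%S")
    return stamp.replace(tzinfo=timezone.utc)


def utc(unix_seconds: int) -> datetime:
    return datetime.fromtimestamp(unix_seconds, tz=timezone.utc)


@dataclass
class TransparencyEntry:
    log_index: int
    integrated_time: int | None = None        # Unix seconds; Rekor v2 entries omit it


@dataclass
class VerificationMaterial:
    transparency_entries: list[TransparencyEntry]
    timestamps: list[bytes] = field(default_factory=list)   # DER RFC 3161 responses; empty = none


def inclusion_times(vm: VerificationMaterial, max_skew: timedelta = timedelta(minutes=5)) -> list[datetime]:
    """Every time source the material offers, or ValueError if there is none.

    Assumed policy of this example: when integrated_time and RFC 3161 timestamps are both
    present, all of them count and they must agree within max_skew."""
    times = [utc(e.integrated_time) for e in vm.transparency_entries if e.integrated_time is not None]
    times += [rfc3161_gen_time(ts) for ts in vm.timestamps]
    if not times:
        raise ValueError("no integrated_time and no RFC 3161 timestamp: signing time cannot be established")
    times.sort()
    if times[-1] - times[0] > max_skew:
        raise ValueError(f"time sources disagree by more than {max_skew}")
    return times


def certificate_covers(times: list[datetime], not_before: datetime, not_after: datetime) -> bool:
    """The short-lived signing certificate must have been valid at every established time."""
    return all(not_before <= t <= not_after for t in times)


def sample_timestamp_resp(gen_time: str) -> bytes:
    """CONSTRUCTED sample: structurally valid TimeStampResp with an empty SignerInfos set
    (no real TSA signature), enough to exercise rfc3161_gen_time."""
    tst_info = _der(0x30, b"".join([
        _der(0x02, b"\x01"),                                                   # version 1
        _der(0x06, b"\x2a\x03\x04"),                                           # policy (dummy 1.2.3.4)
        _der(0x30, _der(0x30, _der(0x06, ID_SHA256)) + _der(0x04, b"\x00" * 32)),  # messageImprint
        _der(0x02, b"\x2a"),                                                   # serialNumber 42
        _der(0x18, gen_time.encode("ascii")),                                  # genTime
    ]))
    signed_data = _der(0x30, b"".join([
        _der(0x02, b"\x03"),                                                   # version 3
        _der(0x31, b""),                                                       # digestAlgorithms
        _der(0x30, _der(0x06, ID_CT_TSTINFO) + _der(0xA0, _der(0x04, tst_info))),
        _der(0x31, b""),                                                       # signerInfos (empty)
    ]))
    content_info = _der(0x30, _der(0x06, ID_SIGNED_DATA) + _der(0xA0, signed_data))
    return _der(0x30, _der(0x30, _der(0x02, b"\x00")) + content_info)         # PKIStatus granted
```

A Rekor v1 entry with `integrated_time` and a Rekor v2 entry paired with a timestamp yield the same time; a v2 entry with an empty `timestamps` list is rejected outright, and two sources that disagree beyond the window are also rejected rather than silently preferring one of them.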
| are optional if `transparency_entries` only contains entries with an | ||
| integrated_time. | ||
| """ | ||
Copilot (AI), Oct 21, 2025
The documentation should clarify what happens when both integrated_time and external timestamps are present. Should verifiers prioritize one over the other, or validate both?
| # Clarification for verifiers: | |
| # When both `integrated_time` (from transparency log entries) and external timestamps (such as RFC3161) are present, | |
| # verifiers SHOULD validate both sources of time. The `integrated_time` provides a log-based timestamp, while external | |
| # timestamps offer additional assurance from independent authorities. If both are present, verifiers MUST ensure that | |
| # all timestamps are valid and consistent with the attestation's signature and certificate. If there is a conflict | |
| # (e.g., timestamps differ significantly), verifiers SHOULD reject the attestation or follow policy-specific guidance. | |
| # Implementers MAY prioritize `integrated_time` for log-based transparency, but MUST NOT ignore valid external timestamps. |
| and certificate. | ||
| """ | ||
| timestamps: list[bytes] | None |
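Review bot: the `timestamps: list[bytes] | None` field needs its docstring to state the encoding of each element (a DER-encoded RFC 3161 response or token), since a verifier cannot interpret `list[bytes]` without that, and the guidance on which time sources a verifier may use should be part of the docstring sentence ending in `and certificate.` rather than the suggested `# Clarification for verifiers:` lines, which as placed sit inside the triple-quoted string before the closing `"""` and would become literal docstring text with leading `#` rather than comments.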
Thinking out loud: can we make this list[bytes] only, with an empty list signaling the equivalent of the None state? I think it's nice to have as few "null" states as possible 🙂
(This is the PEP 740 format, so we're not constrained like the Sigstore bundle is in terms of valid-but-representable states.)
Sigstore public good instance is transitioning to Rekor v2 transparency log: v2 no longer includes integrated time in the log entries so external timestamps are needed.
The companion PR to this is pypi/pypi-attestations#143. There is an overall tracking issue in pypi/pypi-attestations#147.
This is definitely still draft: