Skip to content

Automatically require signed timestamp with Rekor v2 entries#4666

Merged
Hayden-IO merged 1 commit into
sigstore:mainfrom
Hayden-IO:set-signed-timestamp
Jan 28, 2026
Merged

Automatically require signed timestamp with Rekor v2 entries#4666
Hayden-IO merged 1 commit into
sigstore:mainfrom
Hayden-IO:set-signed-timestamp

Conversation

@Hayden-IO

Copy link
Copy Markdown
Contributor

Currently, when verifying a bundle with a short-lived certificate and a Rekor v2 entry, users must specify --use-signed-timestamps and provide a signed timestamp, because Rekor v2 entries do not contain integrated timestamps unlike Rekor v1. This isn't a great UX.

This change opportunistically sets --use-signed-timestamps when we detect that a user is verifying a short-lived certificate with a Rekor v2 entry. We won't automatically set this with a mixed Rekor v1 and Rekor v2 bundle (which the tooling will not produce, this would be for any custom clients) or when verifying with a managed key.

Fixes #4500

Summary

Release Note

Documentation

@Hayden-IO Hayden-IO requested review from cmurphy and steiza January 24, 2026 00:16
@Hayden-IO Hayden-IO requested a review from a team as a code owner January 24, 2026 00:16
@codecov

codecov Bot commented Jan 24, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 36.54%. Comparing base (2ef6022) to head (e3487cf).
⚠️ Report is 651 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4666      +/-   ##
==========================================
- Coverage   40.10%   36.54%   -3.56%     
==========================================
  Files         155      220      +65     
  Lines       10044    12597    +2553     
==========================================
+ Hits         4028     4604     +576     
- Misses       5530     7289    +1759     
- Partials      486      704     +218     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@Hayden-IO

Copy link
Copy Markdown
Contributor Author

Without the change, we see an error because the client assumes that an integrated timestamp from Rekor v1 is needed:

cosign initialize --staging
touch /tmp/blob
cosign sign-blob -y /tmp/blob --bundle /tmp/bundle.json 
....
Using payload from: /tmp/blob
Wrote bundle to file /tmp/bundle.json

cosign verify-blob --bundle /tmp/bundle.json --certificate-identity-regexp='.*' --certificate-oidc-issuer='https://accounts.google.com' /tmp/blob

Error: failed to verify timestamps: threshold not met for verified log entry integrated timestamps: 0 < 1
error during command execution: failed to verify timestamps: threshold not met for verified log entry integrated timestamps: 0 < 1

With the change, where the bundle contains a signed timestamp:

cosign verify-blob --bundle /tmp/bundle.json --certificate-identity-regexp='.*' --certificate-oidc-issuer='https://accounts.google.com' /tmp/blob

Verified OK

Currently, when verifying a bundle with a short-lived certificate and a
Rekor v2 entry, users must specify --use-signed-timestamps and provide a
signed timestamp, because Rekor v2 entries do not contain integrated
timestamps unlike Rekor v1. This isn't a great UX.

This change opportunistically sets --use-signed-timestamps when we
detect that a user is verifying a short-lived certificate with a Rekor
v2 entry. We won't automatically set this with a mixed Rekor v1 and
Rekor v2 bundle (which the tooling will not produce, this would be for
any custom clients) or when verifying with a managed key.

Fixes sigstore#4500

Signed-off-by: Hayden <[email protected]>
@Hayden-IO Hayden-IO force-pushed the set-signed-timestamp branch from e055ff6 to e3487cf Compare January 24, 2026 00:21
@Hayden-IO Hayden-IO merged commit 71291be into sigstore:main Jan 28, 2026
28 checks passed
piceri pushed a commit to piceri/cosign that referenced this pull request Jan 29, 2026
…e#4666)

Currently, when verifying a bundle with a short-lived certificate and a
Rekor v2 entry, users must specify --use-signed-timestamps and provide a
signed timestamp, because Rekor v2 entries do not contain integrated
timestamps unlike Rekor v1. This isn't a great UX.

This change opportunistically sets --use-signed-timestamps when we
detect that a user is verifying a short-lived certificate with a Rekor
v2 entry. We won't automatically set this with a mixed Rekor v1 and
Rekor v2 bundle (which the tooling will not produce, this would be for
any custom clients) or when verifying with a managed key.

Fixes sigstore#4500

Signed-off-by: Hayden <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Improve the UX when verifying a Rekor v2 entry with a signed timestamp

2 participants