Automatically require signed timestamp with Rekor v2 entries#4666
Merged
Conversation
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #4666 +/- ##
==========================================
- Coverage 40.10% 36.54% -3.56%
==========================================
Files 155 220 +65
Lines 10044 12597 +2553
==========================================
+ Hits 4028 4604 +576
- Misses 5530 7289 +1759
- Partials 486 704 +218 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Contributor
Author
|
Without the change, we see an error because the client assumes that an integrated timestamp from Rekor v1 is needed: With the change, where the bundle contains a signed timestamp: |
Currently, when verifying a bundle with a short-lived certificate and a Rekor v2 entry, users must specify --use-signed-timestamps and provide a signed timestamp, because Rekor v2 entries do not contain integrated timestamps unlike Rekor v1. This isn't a great UX. This change opportunistically sets --use-signed-timestamps when we detect that a user is verifying a short-lived certificate with a Rekor v2 entry. We won't automatically set this with a mixed Rekor v1 and Rekor v2 bundle (which the tooling will not produce, this would be for any custom clients) or when verifying with a managed key. Fixes sigstore#4500 Signed-off-by: Hayden <[email protected]>
e055ff6 to
e3487cf
Compare
cmurphy
approved these changes
Jan 27, 2026
piceri
pushed a commit
to piceri/cosign
that referenced
this pull request
Jan 29, 2026
…e#4666) Currently, when verifying a bundle with a short-lived certificate and a Rekor v2 entry, users must specify --use-signed-timestamps and provide a signed timestamp, because Rekor v2 entries do not contain integrated timestamps unlike Rekor v1. This isn't a great UX. This change opportunistically sets --use-signed-timestamps when we detect that a user is verifying a short-lived certificate with a Rekor v2 entry. We won't automatically set this with a mixed Rekor v1 and Rekor v2 bundle (which the tooling will not produce, this would be for any custom clients) or when verifying with a managed key. Fixes sigstore#4500 Signed-off-by: Hayden <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Currently, when verifying a bundle with a short-lived certificate and a Rekor v2 entry, users must specify --use-signed-timestamps and provide a signed timestamp, because Rekor v2 entries do not contain integrated timestamps unlike Rekor v1. This isn't a great UX.
This change opportunistically sets --use-signed-timestamps when we detect that a user is verifying a short-lived certificate with a Rekor v2 entry. We won't automatically set this with a mixed Rekor v1 and Rekor v2 bundle (which the tooling will not produce, this would be for any custom clients) or when verifying with a managed key.
Fixes #4500
Summary
Release Note
Documentation