
Conversation

jku
Contributor

@jku jku commented Oct 10, 2025

This PR adds support for RFC3161 timestamps in the attestations. It is a draft because:

Supporting timestamps in the annotations is a requirement to using transparency log entries from rekor v2 (see #142 for details and links).

Fixes #142

CC @di

@jku jku force-pushed the rekor-v2 branch 2 times, most recently from d31fcd9 to c272629 on October 13, 2025 08:29
jku added 3 commits October 14, 2025 14:39
* One attestation is from staging (rekor2 entry and timestamp)
* Other attestation is from production (rekor1 entry and timestamp)
@jku
Contributor Author

jku commented Oct 15, 2025

The offline test likely breaks because I created new test assets. The staging trust root has changed fairly recently, and sigstore-python does not contain the most up-to-date one. The test passed for me locally since my cached trust root is up-to-date.

I think the test should have a preparation step that makes sure the trust root has been updated, and then should run the verify in offline mode.

Current test assets require a trust root which is newer
than the one embedded in sigstore-python: Update the trust roots
before running offline tests.

Move the whole offline-test setup into Makefile to make it a little
easier to manage.
    # Each RFC3161 timestamp response in the bundle is stored base64 encoded.
    timestamps = []
    if sigstore_bundle.verification_material.timestamp_verification_data:
        ts_data = sigstore_bundle.verification_material.timestamp_verification_data
        timestamps = [base64.b64encode(ts.as_bytes()) for ts in ts_data.rfc3161_timestamps]
Contributor Author

@jku jku Oct 16, 2025


I suppose this is the main decision in this PR: A timestamp in the attestations serialization format is the base64 encoded timestamp response as defined in RFC3161.

For reference, the timestamp use is defined in the [sigstore client spec](https://github.com/sigstore/architecture-docs/blob/main/client-spec.md), but it's basically the same as the use of integrated time in rekor1: timestamped data is the signature bytes, timestamp time must be within lifetime of the signing certificate (and its chain) to prove the time of signing.
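The timestamp use described in the comment above (the attestation carries the base64 encoded RFC3161 timestamp, the timestamped data is the signature bytes, and the timestamp time must fall inside the signing certificate's validity), as an added Python example that is not code from this PR, from pypi-attestations or from sigstore-python. It builds a constructed TSTInfo with hand-rolled short-form DER helpers (`der` and `tlv` are hypothetical names), so the CMS/TimeStampResp wrapper and the TSA signature check against the trust root are left out and would need a full ASN.1/CMS parser in practice; the two client-spec checks then run on the base64 form.

```python
import base64, hashlib
from datetime import datetime, timezone

SHA256_OID = bytes.fromhex("608648016503040201")    # id-sha256, 2.16.840.1.101.3.4.2.1

def der(tag, body):                        # hypothetical helper: one DER TLV, short-form length only
    assert len(body) < 0x80, "short-form DER only in this example"
    return bytes([tag, len(body)]) + body

def tlv(buf, pos):                         # hypothetical helper: (tag, value, next_pos) for the TLV at pos
    n = buf[pos + 1]
    return buf[pos], buf[pos + 2:pos + 2 + n], pos + 2 + n

def build_tstinfo(signature, gen_time):
    """Constructed TSTInfo (RFC 3161 2.4.2); messageImprint is sha256 over the signature bytes."""
    imprint = der(0x30, der(0x30, der(0x06, SHA256_OID)) + der(0x04, hashlib.sha256(signature).digest()))
    return der(0x30, der(0x02, b"\x01")                          # version
               + der(0x06, bytes.fromhex("2a03040506"))          # policy OID 1.2.3.4.5.6 (placeholder)
               + imprint + der(0x02, b"\x2a")                     # serialNumber (constructed)
               + der(0x18, gen_time.strftime("%Y%m%d%H%M%SZ").encode()))  # genTime, UTC

def parse_tstinfo(tst):
    """Walk the TSTInfo and return (hash OID, messageImprint digest, genTime as aware UTC)."""
    _, body, _ = tlv(tst, 0)
    _, _, pos = tlv(body, 0)                  # version
    _, _, pos = tlv(body, pos)                # policy
    _, imprint, pos = tlv(body, pos)          # messageImprint
    _, alg, p = tlv(imprint, 0)
    _, oid, _ = tlv(alg, 0)
    _, digest, _ = tlv(imprint, p)
    _, _, pos = tlv(body, pos)                # serialNumber
    _, gt, _ = tlv(body, pos)                 # genTime
    return oid, digest, datetime.strptime(gt.decode(), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def verify_timestamp(b64_tst, signature, not_before, not_after):
    """Client-spec checks: imprint == sha256(signature) and genTime within the signing cert's validity."""
    oid, digest, gen_time = parse_tstinfo(base64.b64decode(b64_tst))
    if oid != SHA256_OID or digest != hashlib.sha256(signature).digest():
        return False                           # timestamp does not cover this signature
    return not_before <= gen_time <= not_after

def demo():
    """Constructed cert window and signature; returns (valid, wrong-signature, outside-validity)."""
    sig, utc = b"constructed signature bytes", timezone.utc
    nb, na = datetime(2025, 10, 1, tzinfo=utc), datetime(2025, 10, 1, 0, 10, tzinfo=utc)
    ok = base64.b64encode(build_tstinfo(sig, datetime(2025, 10, 1, 0, 5, tzinfo=utc))).decode()
    late = base64.b64encode(build_tstinfo(sig, datetime(2025, 10, 2, tzinfo=utc))).decode()
    return (verify_timestamp(ok, sig, nb, na), verify_timestamp(ok, b"other", nb, na), verify_timestamp(late, sig, nb, na))
```

`demo()` returns `(True, False, False)`: the timestamp inside the certificate window passes, the same timestamp presented for different signature bytes fails the imprint check, and a timestamp issued after the window fails the time check.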



Successfully merging this pull request may close these issues.

Ensure pypi attestations can handle timestamps (and as result rekorv2 log entries)
