
Conversation


@jku jku commented Oct 21, 2025

Sigstore public good instance is transitioning to Rekor v2 transparency log: v2 no longer includes integrated time in the log entries so external timestamps are needed.

The companion PR to this is pypi/pypi-attestations#143. There is an overall tracking issue in pypi/pypi-attestations#147.

This is definitely still draft:

  • I've not gone through the document to ensure there aren't other changes that are required
  • I'm not sure if the attestation format needs a version change for this or not

Sigstore public good instance is transitioning to Rekor v2 transparency
log: This log no longer includes integrated time in the log entries and
external timestamps are then needed.
@webknjaz webknjaz requested review from Copilot and woodruffw October 21, 2025 11:15

Copilot AI left a comment


Pull Request Overview

This PR adds optional RFC3161 timestamp support to the attestation format, enabling compatibility with Sigstore's Rekor v2 transparency log which no longer includes integrated timestamps in log entries.

Key Changes

  • Added optional timestamps field to verification material for storing external RFC3161 timestamps
  • Updated verification requirements to clarify that inclusion time can come from either integrated timestamps or external RFC3161 timestamps

jku added 2 commits October 29, 2025 15:41
I'm trying to not include too much detail here as the doc already
states that entry verification depends on policy... but dsse 0.0.1
is the rekor v1 entry type used in the attestations so maybe this
works?

jku commented Oct 29, 2025

I'd like to get some advice on how to handle the fact that I'm adding a new field to the attestation:

  • Are the only potential incompatibilities within pypi-attestations project or should I look elsewhere too?
  • The attestation has a version (1). Should that be bumped? The pypi-attestations code does not need it, but at least I could then mention in a comment that version 1 did not have the timestamps field...

@woodruffw
Member

  • Are the only potential incompatibilities within pypi-attestations project or should I look elsewhere too?

That's the main place, yeah 🙂

  • The attestation has a version (1). Should that be bumped? The pypi-attestations code does not need it, but at least I could then mention in a comment that version 1 did not have the timestamps field...

Yeah, I think we probably should bump it -- it's technically a semantic change to verification.
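
Added example (not code from this PR or from the pypi-attestations project) sketching the rule the review overview describes, inclusion time from either the log entry's integrated time or an external RFC3161 timestamp, together with the version gating discussed above. The field names, the constructed attestation shapes and the fake TSA callback are assumptions for illustration.

```python
from datetime import datetime, timezone

# Constructed, simplified shape of an attestation's verification material.
# Field names are assumptions for illustration; the real schema lives in the
# pypi-attestations project and is not shown on this page.
V1_ATTESTATION = {
    "version": 1,
    "verification_material": {
        "transparency_entries": [{"logIndex": 1, "integratedTime": 1761004800}],
    },
}
V2_ATTESTATION = {  # hypothetical bumped version: Rekor v2 entry, no integrated time
    "version": 2,
    "verification_material": {
        "transparency_entries": [{"logIndex": 2}],
        "timestamps": [b"constructed-rfc3161-token"],  # opaque DER tokens in reality
    },
}

def fake_tsa_verify(token: bytes) -> datetime:
    """Stand-in for RFC3161 verification against a trusted TSA; a real one
    checks the TSA signature over the token and returns TSTInfo.genTime."""
    if token != b"constructed-rfc3161-token":
        raise ValueError("untrusted or malformed timestamp token")
    return datetime(2025, 10, 21, 12, 0, tzinfo=timezone.utc)

def signing_time(attestation: dict, verify_rfc3161=fake_tsa_verify) -> datetime:
    """Pick the time a verifier may trust as the inclusion/signing time.
    Version 1 knows only the integrated time (Rekor v1); a bumped version may
    instead carry external RFC3161 timestamps, since Rekor v2 entries have none."""
    vm = attestation["verification_material"]
    integrated = vm["transparency_entries"][0].get("integratedTime")  # absent on Rekor v2
    tokens = vm.get("timestamps", [])
    if attestation["version"] == 1 and tokens:
        raise ValueError("version 1 does not define a timestamps field")
    if integrated:
        return datetime.fromtimestamp(integrated, tz=timezone.utc)
    if not tokens:
        raise ValueError("no inclusion time: neither integrated time nor RFC3161 timestamp")
    # Every token must verify; the earliest one proves the signature existed by then.
    return min(verify_rfc3161(t) for t in tokens)

def signed_within_cert_validity(attestation: dict, not_before: datetime,
                                not_after: datetime) -> bool:
    """Why either time source matters: the short-lived Sigstore signing
    certificate must have been valid at the trusted time."""
    when = signing_time(attestation)
    return not_before <= when <= not_after
```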
