feat: add RFC 3161 Timestamp Authority support for PKI signing#620
Open
SequeI wants to merge 1 commit into sigstore:main from
Conversation
Add optional --tsa-url flag to key, certificate, pkcs11-key, and pkcs11-certificate signing commands. When provided, the signature bundle includes a trusted timestamp from the specified TSA.

The verifier uses the TSA timestamp (when present) to validate certificate chains, enabling signature verification even after the signing certificate has expired, as long as the signature was created while the certificate was valid.

- Add request_timestamp() and get_timestamp_from_bundle() to sign_sigstore_pb.py
- Update all PKI signers to accept tsa_url parameter
- Update certificate verifier to use TSA timestamp for validation
- Add --tsa-url CLI option to all PKI signing commands
- Update README and CHANGELOG with documentation

Signed-off-by: SequeI <asiek@redhat.com>
mihaimaruseac requested changes on Mar 30, 2026
Comment on lines +32 to +33
| from rfc3161_client import decode_timestamp_response | ||
| from sigstore._internal.timestamp import TimestampAuthorityClient |
We use qualified imports throughout the library rather than importing the name directly. So, we'd spell out rfc3161_client.decode_timestamp_response at use site and here just do import rfc3161_client (and similar for the Sigstore import).
At the same time, we should not rely on internals. We should probably first request that this symbol is made public in sigstore-python and then revisit this if there's no public equivalent currently.
Summary
Add optional --tsa-url flag to key, certificate, pkcs11-key, and pkcs11-certificate signing commands. When provided, the signature bundle includes a trusted timestamp from the specified TSA.
The verifier uses the TSA timestamp (when present) to validate certificate chains, enabling signature verification even after the signing certificate has expired - as long as the signature was created while the certificate was valid.
Closes #603
Checklist