Update to upstream v1.2.8 #218

Merged
SequeI merged 133 commits into main from update-to-upstream on Jun 5, 2025

Conversation


@tommyd450 tommyd450 commented Jun 4, 2025

Summary by Sourcery

Update project to upstream v1.2.8: extend certificate chain generation CLI, enhance timestamp request verification, include full issuing chain support, bump dependencies, refresh docs and CI workflows.

New Features:

  • fetch-tsa-certs now supports self-signed parent certificates, configurable validity and organization name
  • Allow including full issuing certificate chain in timestamp responses
  • Enforce digest length consistency and unsupported hash algorithm errors in timestamp requests

Bug Fixes:

  • Correct leaf certificate selection when only CA certs present in chain
  • Fix timestamp request verification to reject inconsistent digest lengths

Enhancements:

  • Add separate EKU validation for leaf and intermediate certificates
  • Expose certificate validity days remaining as a Prometheus gauge
  • Refactor NTP config parsing to use sigs.k8s.io/yaml

Build:

  • Bump Go toolchain to 1.24.1 and update numerous module dependencies
  • Update Dockerfile base images and docker-compose port mappings
  • Refresh goreleaser config to version 2 format

CI:

  • Upgrade GitHub Actions setup-go, cache, CodeQL, golangci-lint and add gen-check job
  • Revise .golangci.yml with updated linters and exclusion rules
  • Integrate goleak into tests for race detection

Documentation:

  • Add Certificate Maker documentation and usage examples to README
  • Update CHANGELOG.md for v1.2.8 release

Tests:

  • Add fuzz tests for JSON/DER request parsing
  • Extend API and verification tests for full chain and EKU rules
  • Include leak detection in CLI and API server tests
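Two of the items in this summary, leaf certificate selection when a chain contains only CA certificates and separate EKU rules for leaf and intermediate certificates, are easier to reason about against a concrete checker. The Go program below is an added example written for this page; it is not code from the PR or from the timestamp-authority project. The rule set it enforces is an assumption modelled on RFC 3161 section 2.3: the signing leaf must carry a critical extKeyUsage that contains only id-kp-timeStamping, and an intermediate may omit extKeyUsage but, if it has one, it must include id-kp-timeStamping. The function names (`selectLeaf`, `validateChainEKU`, `makeCert`, `demoChains`) and the five chains it builds are invented for the demonstration; it generates throwaway P-256 keys itself, so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"slices"
	"time"
)

var ( // rules assumed for this example, after RFC 3161 section 2.3; not taken from the project
	errNoLeaf          = errors.New("chain holds only CA certificates: nothing to sign timestamps with")
	errLeafEKU         = errors.New("leaf extKeyUsage must be critical and contain only id-kp-timeStamping")
	errIntermediateEKU = errors.New("intermediate extKeyUsage is present but lacks id-kp-timeStamping")
	oidExtKeyUsage     = asn1.ObjectIdentifier{2, 5, 29, 37}
	oidTimeStamping    = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 8}
	oidServerAuth      = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 1}
)

// selectLeaf returns the first non-CA certificate; a chain made only of CA certificates has no leaf.
func selectLeaf(chain []*x509.Certificate) (*x509.Certificate, error) {
	if i := slices.IndexFunc(chain, func(c *x509.Certificate) bool { return !c.IsCA }); i >= 0 {
		return chain[i], nil
	}
	return nil, errNoLeaf
}

// validateChainEKU applies the leaf rule to the selected leaf and the intermediate rule to every CA.
func validateChainEKU(chain []*x509.Certificate) error {
	leaf, err := selectLeaf(chain)
	if err != nil {
		return err
	}
	i := slices.IndexFunc(leaf.Extensions, func(e pkix.Extension) bool { return e.Id.Equal(oidExtKeyUsage) })
	if i < 0 || !leaf.Extensions[i].Critical || len(leaf.ExtKeyUsage)+len(leaf.UnknownExtKeyUsage) != 1 ||
		!slices.Contains(leaf.ExtKeyUsage, x509.ExtKeyUsageTimeStamping) {
		return errLeafEKU
	}
	for _, c := range chain {
		if c.IsCA && len(c.ExtKeyUsage)+len(c.UnknownExtKeyUsage) > 0 && !slices.Contains(c.ExtKeyUsage, x509.ExtKeyUsageTimeStamping) {
			return errIntermediateEKU
		}
	}
	return nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeCert issues a constructed test certificate (self-signed when parent is nil); ekus go through ExtraExtensions so the critical bit can be set.
func makeCert(cn string, isCA bool, ekus []asn1.ObjectIdentifier, critical bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))),
		Subject:      pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if len(ekus) > 0 {
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidExtKeyUsage, Critical: critical, Value: must(asn1.Marshal(ekus))}}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// demoChains builds constructed chains (leaf first) that exercise each rule.
func demoChains() map[string][]*x509.Certificate {
	root, rootKey := makeCert("Example Root", true, nil, false, nil, nil)
	inter, interKey := makeCert("Example TSA Intermediate", true, nil, false, root, rootKey)
	tlsInter, tlsKey := makeCert("Example TLS Intermediate", true, []asn1.ObjectIdentifier{oidServerAuth}, false, root, rootKey)
	good, _ := makeCert("Example TSA", false, []asn1.ObjectIdentifier{oidTimeStamping}, true, inter, interKey)
	nonCritical, _ := makeCert("Example TSA", false, []asn1.ObjectIdentifier{oidTimeStamping}, false, inter, interKey)
	mixed, _ := makeCert("Example TSA", false, []asn1.ObjectIdentifier{oidTimeStamping, oidServerAuth}, true, inter, interKey)
	underTLS, _ := makeCert("Example TSA", false, []asn1.ObjectIdentifier{oidTimeStamping}, true, tlsInter, tlsKey)
	return map[string][]*x509.Certificate{
		"valid": {good, inter, root}, "ca-only": {inter, root}, "leaf-eku-not-critical": {nonCritical, inter, root},
		"leaf-eku-mixed": {mixed, inter, root}, "intermediate-eku": {underTLS, tlsInter, root},
	}
}

func main() {
	for name, chain := range demoChains() {
		fmt.Printf("%-22s %v\n", name, validateChainEKU(chain))
	}
}
```

The critical bit is what separates a dedicated TSA certificate from a certificate that merely lists timeStamping alongside serverAuth, which is why `makeCert` writes the extension through `ExtraExtensions`: `x509.CreateCertificate` emits a non-critical extKeyUsage when the template's `ExtKeyUsage` field is used. The CA-only chain is refused at `selectLeaf` instead of an intermediate being picked up as the signer, which is the case the bug-fix item above refers to.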

dependabot Bot and others added 30 commits January 22, 2025 12:52
…#933)

Bumps the actions group with 1 update: [github/codeql-action](https://github.com/github/codeql-action).


Updates `github/codeql-action` from 3.28.1 to 3.28.2
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@b6a472f...d68b2d4)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps golang from `51a6466` to `8c10f21`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the actions group with 2 updates: [github/codeql-action](https://github.com/github/codeql-action) and [codecov/codecov-action](https://github.com/codecov/codecov-action).


Updates `github/codeql-action` from 3.28.2 to 3.28.3
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@d68b2d4...dd196fa)

Updates `codecov/codecov-action` from 5.1.2 to 5.2.0
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@1e68e06...5a605bd)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the actions group with 3 updates: [anchore/sbom-action](https://github.com/anchore/sbom-action), [github/codeql-action](https://github.com/github/codeql-action) and [codecov/codecov-action](https://github.com/codecov/codecov-action).


Updates `anchore/sbom-action` from 0.17.9 to 0.18.0
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md)
- [Commits](anchore/sbom-action@df80a98...f325610)

Updates `github/codeql-action` from 3.28.3 to 3.28.4
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@dd196fa...ee117c9)

Updates `codecov/codecov-action` from 5.2.0 to 5.3.0
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@5a605bd...0da7aa6)

---
updated-dependencies:
- dependency-name: anchore/sbom-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the actions group with 2 updates: [github/codeql-action](https://github.com/github/codeql-action) and [codecov/codecov-action](https://github.com/codecov/codecov-action).


Updates `github/codeql-action` from 3.28.4 to 3.28.5
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@ee117c9...f6091c0)

Updates `codecov/codecov-action` from 5.3.0 to 5.3.1
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@0da7aa6...13ce06b)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…tore#936)

Bumps the gomod group with 1 update: google.golang.org/protobuf.


Updates `google.golang.org/protobuf` from 1.36.3 to 1.36.4

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…#938)

Bumps the actions group with 1 update: [github/codeql-action](https://github.com/github/codeql-action).


Updates `github/codeql-action` from 3.28.5 to 3.28.6
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@f6091c0...17a820b)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the gomod group with 2 updates: [github.com/spf13/pflag](https://github.com/spf13/pflag) and [go.step.sm/crypto](https://github.com/smallstep/crypto).


Updates `github.com/spf13/pflag` from 1.0.5 to 1.0.6
- [Release notes](https://github.com/spf13/pflag/releases)
- [Commits](spf13/pflag@v1.0.5...v1.0.6)

Updates `go.step.sm/crypto` from 0.57.0 to 0.57.1
- [Release notes](https://github.com/smallstep/crypto/releases)
- [Commits](smallstep/crypto@v0.57.0...v0.57.1)

---
updated-dependencies:
- dependency-name: github.com/spf13/pflag
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: go.step.sm/crypto
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…#940)

Bumps the actions group with 1 update: [github/codeql-action](https://github.com/github/codeql-action).


Updates `github/codeql-action` from 3.28.6 to 3.28.8
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@17a820b...dd74661)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* feat: adds cert templates.

Signed-off-by: ianhundere <138915+ianhundere@users.noreply.github.com>

* feat: splits/adds cert-utility to pgk/cmd.

Signed-off-by: ianhundere <138915+ianhundere@users.noreply.github.com>

* fix: enables timestamping / improves validation / includes leaf wording.

Signed-off-by: ianhundere <138915+ianhundere@users.noreply.github.com>

* feat: adds optional intermediate flag(s).

Signed-off-by: ianhundere <138915+ianhundere@users.noreply.github.com>

* fix: changes cloudkms flag to gcpkms and makes azure/gcp flags more descriptive.

Signed-off-by: ianhundere <138915+ianhundere@users.noreply.github.com>

* fix: makes env vars for azure tenant-id and gcp credentials file more consistent w/ flags.

Signed-off-by: ianhundere <138915+ianhundere@users.noreply.github.com>

* fix: changes kms-region flag to aws-region and gcpkms-credentials-file flag to gcp-credentials-file.

Signed-off-by: ianhundere <138915+ianhundere@users.noreply.github.com>

* fix: improves kms key validation across providers.

Signed-off-by: ianhundere <138915+ianhundere@users.noreply.github.com>

* feat: adds sigstore/sigstore for kms and hashivault support.

Signed-off-by: ianhundere <138915+ianhundere@users.noreply.github.com>

* docs: adds readme for tsa-certificate-maker.

Signed-off-by: ianhundere <138915+ianhundere@users.noreply.github.com>

* chore: adds tsa-cert-maker to make file.

Signed-off-by: ianhundere <138915+ianhundere@users.noreply.github.com>

* refactor: adds bobcallaway's fb.

Signed-off-by: ianhundere <138915+ianhundere@users.noreply.github.com>

* refactor: for usage errors, show help / for operational errors show json error.

Signed-off-by: ianhundere <138915+ianhundere@users.noreply.github.com>

* chore: groups flags, adds validation for root-id, removes signer wrapper, and other PR fb.

Signed-off-by: ianhundere <138915+ianhundere@users.noreply.github.com>

* refactor: adds certLife to replace before/after timestamps.

Signed-off-by: ianhundere <138915+ianhundere@users.noreply.github.com>

* feat: adds templating, positional arg for common name and other improvements.

Signed-off-by: ianhundere <138915+ianhundere@users.noreply.github.com>

* docs: updates docs.

Signed-off-by: ianhundere <138915+ianhundere@users.noreply.github.com>

* chore: reverts makefile and deletes tsa certmaker.

Signed-off-by: ianhundere <138915+ianhundere@users.noreply.github.com>

* chore: adds fb.

Signed-off-by: ianhundere <138915+ianhundere@users.noreply.github.com>

* chore: adds fb.

Signed-off-by: ianhundere <138915+ianhundere@users.noreply.github.com>

---------

Signed-off-by: ianhundere <138915+ianhundere@users.noreply.github.com>
Signed-off-by: Hayden B <hblauzvern@google.com>
Bumps golang from `8c10f21` to `e213430`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…igstore#945)

Bumps the docker group with 1 update: golang.


Updates `golang` from 1.23.5 to 1.23.6

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: docker
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the actions group with 2 updates: [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) and [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action).


Updates `sigstore/cosign-installer` from 3.7.0 to 3.8.0
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@dc72c7d...c56c2d3)

Updates `golangci/golangci-lint-action` from 6.2.0 to 6.3.0
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](golangci/golangci-lint-action@ec5d184...e60da84)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…igstore#949)

Bumps the actions group with 1 update: [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action).


Updates `golangci/golangci-lint-action` from 6.3.0 to 6.3.1
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](golangci/golangci-lint-action@e60da84...2e78893)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Use org-default from https://github.com/sigstore/.github/blob/main/CODE_OF_CONDUCT.md instead

Signed-off-by: Hayden B <haydentherapper@users.noreply.github.com>
…igstore#952)

Bumps the docker group with 1 update: golang.


Updates `golang` from 1.23.6 to 1.24.0

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: docker
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…igstore#961)

Bumps [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose) from 4.0.2 to 4.0.5.
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Changelog](https://github.com/go-jose/go-jose/blob/main/CHANGELOG.md)
- [Commits](go-jose/go-jose@v4.0.2...v4.0.5)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps golang from `2b1cbf2` to `5255fad`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…igstore#957)

Bumps the gomod group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) | `1.8.12` | `1.8.15` |
| [github.com/sigstore/sigstore/pkg/signature/kms/aws](https://github.com/sigstore/sigstore) | `1.8.12` | `1.8.15` |
| [github.com/sigstore/sigstore/pkg/signature/kms/azure](https://github.com/sigstore/sigstore) | `1.8.12` | `1.8.15` |
| [github.com/sigstore/sigstore/pkg/signature/kms/gcp](https://github.com/sigstore/sigstore) | `1.8.12` | `1.8.15` |
| [github.com/sigstore/sigstore/pkg/signature/kms/hashivault](https://github.com/sigstore/sigstore) | `1.8.12` | `1.8.15` |



Updates `github.com/sigstore/sigstore` from 1.8.12 to 1.8.15
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.8.12...v1.8.15)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/aws` from 1.8.12 to 1.8.15
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.8.12...v1.8.15)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/azure` from 1.8.12 to 1.8.15
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.8.12...v1.8.15)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/gcp` from 1.8.12 to 1.8.15
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.8.12...v1.8.15)

Updates `github.com/sigstore/sigstore/pkg/signature/kms/hashivault` from 1.8.12 to 1.8.15
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](sigstore/sigstore@v1.8.12...v1.8.15)

---
updated-dependencies:
- dependency-name: github.com/sigstore/sigstore
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/aws
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/azure
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/gcp
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
- dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/hashivault
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…sigstore#962)

* chore(deps): bump the actions group across 1 directory with 7 updates

Bumps the actions group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) | `3.8.0` | `3.8.1` |
| [github/codeql-action](https://github.com/github/codeql-action) | `3.28.9` | `3.28.10` |
| [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) | `2.0.0` | `2.1.0` |
| [ossf/scorecard-action](https://github.com/ossf/scorecard-action) | `2.4.0` | `2.4.1` |
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | `4.6.0` | `4.6.1` |
| [actions/cache](https://github.com/actions/cache) | `4.2.0` | `4.2.1` |
| [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) | `6.4.0` | `6.5.0` |



Updates `sigstore/cosign-installer` from 3.8.0 to 3.8.1
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](sigstore/cosign-installer@c56c2d3...d7d6bc7)

Updates `github/codeql-action` from 3.28.9 to 3.28.10
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@9e8d078...b56ba49)

Updates `slsa-framework/slsa-github-generator` from 2.0.0 to 2.1.0
- [Release notes](https://github.com/slsa-framework/slsa-github-generator/releases)
- [Changelog](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md)
- [Commits](slsa-framework/slsa-github-generator@v2.0.0...v2.1.0)

Updates `ossf/scorecard-action` from 2.4.0 to 2.4.1
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](ossf/scorecard-action@62b2cac...f49aabe)

Updates `actions/upload-artifact` from 4.6.0 to 4.6.1
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@65c4c4a...4cec3d8)

Updates `actions/cache` from 4.2.0 to 4.2.1
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@1bd1e32...0c907a7)

Updates `golangci/golangci-lint-action` from 6.4.0 to 6.5.0
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](golangci/golangci-lint-action@0adbc47...2226d7c)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: slsa-framework/slsa-github-generator
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: ossf/scorecard-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>

* Update tests.yaml

Signed-off-by: Carlos Tadeu Panato Junior <ctadeu@gmail.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Carlos Tadeu Panato Junior <ctadeu@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Carlos Tadeu Panato Junior <ctadeu@gmail.com>
Bumps golang from `5255fad` to `cd0c949`.

---
updated-dependencies:
- dependency-name: golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.20.5 to 1.21.0.
- [Release notes](https://github.com/prometheus/client_golang/releases)
- [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md)
- [Commits](prometheus/client_golang@v1.20.5...v1.21.0)

---
updated-dependencies:
- dependency-name: github.com/prometheus/client_golang
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ore#967)

Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.6.0 to 0.7.0.
- [Release notes](https://github.com/google/go-cmp/releases)
- [Commits](google/go-cmp@v0.6.0...v0.7.0)

---
updated-dependencies:
- dependency-name: github.com/google/go-cmp
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/go-playground/validator/v10](https://github.com/go-playground/validator) from 10.24.0 to 10.25.0.
- [Release notes](https://github.com/go-playground/validator/releases)
- [Commits](go-playground/validator@v10.24.0...v10.25.0)

---
updated-dependencies:
- dependency-name: github.com/go-playground/validator/v10
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
dependabot Bot and others added 23 commits May 2, 2025 13:58
…#1060)

Bumps the actions group with 1 update: [github/codeql-action](https://github.com/github/codeql-action).


Updates `github/codeql-action` from 3.28.16 to 3.28.17
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@28deaed...60168ef)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 3.28.17
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.39.0 to 0.40.0.
- [Commits](golang/net@v0.39.0...v0.40.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.40.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…igstore#1062)

* chore(deps): bump golangci/golangci-lint-action from 7.0.0 to 8.0.0

Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 7.0.0 to 8.0.0.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](golangci/golangci-lint-action@1481404...4afd733)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-version: 8.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* Update tests.yaml

Signed-off-by: Carlos Tadeu Panato Junior <ctadeu@gmail.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Carlos Tadeu Panato Junior <ctadeu@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Carlos Tadeu Panato Junior <ctadeu@gmail.com>
…igstore#1065)

Bumps the docker group with 1 update: golang.


Updates `golang` from 1.24.2 to 1.24.3

---
updated-dependencies:
- dependency-name: golang
  dependency-version: 1.24.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: docker
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…with hash algorithm (sigstore#1066)

* Validate hash algorithm availability and digest length in timestamp requests

Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>

* Add timestamp request verification to JSON request parser

Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>

* Create VerifyTimestampRequest and verify hash algorithm supported

Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>

* Fix typo in comment

Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>

* Fix case of verifyTimestampRequest function name

Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>

---------

Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
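The two checks this commit message describes, hash algorithm availability and digest length in a timestamp request, as an added Go example written for this page rather than the project's implementation. It defines its own minimal RFC 3161 `TimeStampReq` and `MessageImprint` structures on top of `encoding/asn1`, an assumed allow-list of SHA-2 digest OIDs, and the hypothetical functions `verifyTimestampRequest`, `parseAndVerify` and `buildRequest`; the DER requests it checks are constructed inline.

```go
package main

import (
	"crypto"
	_ "crypto/sha256" // registers SHA-256 so crypto.SHA256.Available() reports true
	_ "crypto/sha512" // registers SHA-384 and SHA-512
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
)

// messageImprint and timeStampReq mirror the RFC 3161 TimeStampReq structure (extensions
// omitted). They are this example's own definitions, not the project's types.
type messageImprint struct {
	HashAlgorithm pkix.AlgorithmIdentifier
	HashedMessage []byte
}

type timeStampReq struct {
	Version        int
	MessageImprint messageImprint
	ReqPolicy      asn1.ObjectIdentifier `asn1:"optional"`
	Nonce          *big.Int              `asn1:"optional"`
	CertReq        bool                  `asn1:"optional"`
}

// supportedHashes is an assumed allow-list of digest algorithms keyed by OID. MD5 and SHA-1
// are deliberately absent, so a request naming them is refused before anything is signed.
var supportedHashes = map[string]crypto.Hash{
	"2.16.840.1.101.3.4.2.1": crypto.SHA256,
	"2.16.840.1.101.3.4.2.2": crypto.SHA384,
	"2.16.840.1.101.3.4.2.3": crypto.SHA512,
}

var (
	errUnsupportedHash = errors.New("unsupported hash algorithm")
	errDigestLength    = errors.New("digest length does not match hash algorithm")
	oidSHA256          = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}
	oidMD5             = asn1.ObjectIdentifier{1, 2, 840, 113549, 2, 5}
)

// verifyTimestampRequest enforces both checks: the hash algorithm must be on the allow-list and
// linked into the binary, and the imprint must be exactly that algorithm's output size.
func verifyTimestampRequest(req *timeStampReq) (crypto.Hash, error) {
	if req.Version != 1 {
		return 0, fmt.Errorf("unsupported TimeStampReq version %d", req.Version)
	}
	oid := req.MessageImprint.HashAlgorithm.Algorithm.String()
	h, ok := supportedHashes[oid]
	if !ok || !h.Available() {
		return 0, fmt.Errorf("%w: %s", errUnsupportedHash, oid)
	}
	if got, want := len(req.MessageImprint.HashedMessage), h.Size(); got != want {
		return 0, fmt.Errorf("%w: got %d bytes, %s needs %d", errDigestLength, got, h, want)
	}
	return h, nil
}

// parseAndVerify decodes a DER TimeStampReq, rejects trailing bytes, and runs the checks.
func parseAndVerify(der []byte) (crypto.Hash, error) {
	var req timeStampReq
	rest, err := asn1.Unmarshal(der, &req)
	if err != nil {
		return 0, fmt.Errorf("malformed TimeStampReq: %w", err)
	}
	if len(rest) != 0 {
		return 0, errors.New("trailing bytes after TimeStampReq")
	}
	return verifyTimestampRequest(&req)
}

// buildRequest encodes a DER TimeStampReq for the given algorithm and digest (constructed test input).
func buildRequest(alg asn1.ObjectIdentifier, digest []byte) []byte {
	imprint := messageImprint{HashAlgorithm: pkix.AlgorithmIdentifier{Algorithm: alg}, HashedMessage: digest}
	der, err := asn1.Marshal(timeStampReq{Version: 1, MessageImprint: imprint, Nonce: big.NewInt(0x1234), CertReq: true})
	if err != nil {
		panic(err)
	}
	return der
}

func main() {
	cases := map[string][]byte{
		"sha256, 32-byte digest": buildRequest(oidSHA256, make([]byte, 32)),
		"sha256, 20-byte digest": buildRequest(oidSHA256, make([]byte, 20)),
		"md5, 16-byte digest":    buildRequest(oidMD5, make([]byte, 16)),
		"truncated DER":          {0x30, 0x05},
	}
	for name, der := range cases {
		h, err := parseAndVerify(der)
		fmt.Printf("%-24s hash=%v err=%v\n", name, h, err)
	}
}
```

The length check matters independently of the algorithm check: a request that names SHA-256 but carries a 20-byte imprint would otherwise be signed as though it were a genuine SHA-256 digest, and an OID outside the allow-list (MD5 in the example) is refused before any work is done on the imprint. Trailing bytes after the outer SEQUENCE are also rejected so that two parsers of the same request cannot disagree about what was signed.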
Bumps the actions group with 1 update: [actions/setup-go](https://github.com/actions/setup-go).


Updates `actions/setup-go` from 5.4.0 to 5.5.0
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@0aaccfd...d35c59a)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: 5.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…#1068)

Bumps [github.com/tink-crypto/tink-go-hcvault/v2](https://github.com/tink-crypto/tink-go-hcvault) from 2.2.0 to 2.3.0.
- [Release notes](https://github.com/tink-crypto/tink-go-hcvault/releases)
- [Commits](tink-crypto/tink-go-hcvault@v2.2.0...v2.3.0)

---
updated-dependencies:
- dependency-name: github.com/tink-crypto/tink-go-hcvault/v2
  dependency-version: 2.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com>
Co-authored-by: Hayden B <8418760+haydentherapper@users.noreply.github.com>
…1070)

Bumps the actions group with 1 update: [anchore/sbom-action](https://github.com/anchore/sbom-action).


Updates `anchore/sbom-action` from 0.19.0 to 0.20.0
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md)
- [Commits](anchore/sbom-action@9f73021...e11c554)

---
updated-dependencies:
- dependency-name: anchore/sbom-action
  dependency-version: 0.20.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps golang from `39d9e7d` to `86b4cff`.

---
updated-dependencies:
- dependency-name: golang
  dependency-version: 1.24.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the actions group with 2 updates: [github/codeql-action](https://github.com/github/codeql-action) and [codecov/codecov-action](https://github.com/codecov/codecov-action).


Updates `github/codeql-action` from 3.28.17 to 3.28.18
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@60168ef...ff0a06e)

Updates `codecov/codecov-action` from 5.4.2 to 5.4.3
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@ad3126e...18283e0)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 3.28.18
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: codecov/codecov-action
  dependency-version: 5.4.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
)

Bumps [go.step.sm/crypto](https://github.com/smallstep/crypto) from 0.63.0 to 0.64.0.
- [Release notes](https://github.com/smallstep/crypto/releases)
- [Commits](smallstep/crypto@v0.63.0...v0.64.0)

---
updated-dependencies:
- dependency-name: go.step.sm/crypto
  dependency-version: 0.64.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps golang from `86b4cff` to `02a2275`.

---
updated-dependencies:
- dependency-name: golang
  dependency-version: 1.24.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps golang from `02a2275` to `4c0a181`.

---
updated-dependencies:
- dependency-name: golang
  dependency-version: 1.24.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
)

Bumps [go.step.sm/crypto](https://github.com/smallstep/crypto) from 0.64.0 to 0.65.0.
- [Release notes](https://github.com/smallstep/crypto/releases)
- [Commits](smallstep/crypto@v0.64.0...v0.65.0)

---
updated-dependencies:
- dependency-name: go.step.sm/crypto
  dependency-version: 0.65.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
)

Bumps [go.step.sm/crypto](https://github.com/smallstep/crypto) from 0.65.0 to 0.66.0.
- [Release notes](https://github.com/smallstep/crypto/releases)
- [Commits](smallstep/crypto@v0.65.0...v0.66.0)

---
updated-dependencies:
- dependency-name: go.step.sm/crypto
  dependency-version: 0.66.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…e#1081)

Bumps the actions group with 1 update: [ossf/scorecard-action](https://github.com/ossf/scorecard-action).


Updates `ossf/scorecard-action` from 2.4.1 to 2.4.2
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](ossf/scorecard-action@f49aabe...05b42c6)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-version: 2.4.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps golang from `4c0a181` to `81bf592`.

---
updated-dependencies:
- dependency-name: golang
  dependency-version: 1.24.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…e#1078)

Signed-off-by: mktgbnk <104921176+mktgbnk@users.noreply.github.com>
Fixes sigstore#1079

Per RFC3161, when the certReq field is set to true, the TSA's
certificate will be present in the timestamp response, and optionally
other certificates may be present. Other public TSAs provide the full
issuing chain in the response.

This PR adds a server configuration flag to include the full chain in
the response if the certReq bit is true.

Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com>
Signed-off-by: Hayden B <8418760+haydentherapper@users.noreply.github.com>
Co-authored-by: Hayden B <8418760+haydentherapper@users.noreply.github.com>
@sourcery-ai

sourcery-ai Bot commented Jun 4, 2025

Reviewer's Guide

This PR upgrades to upstream v1.2.8 by refactoring the TSA certificate fetch CLI to support both CA-issued and self-signed chains, migrating Tink integration to the new tink-crypto v2 libraries, extending timestamp request validation and full chain response support, overhauling certificate and Extended Key Usage verification, and bumping dependencies and CI/CD workflows to their latest versions.

Sequence Diagram: Certificate Chain Generation with Self-Signed Parent

sequenceDiagram
    actor User
    participant CLI as "fetch-tsa-certs CLI"
    participant ParentKMS as "KMS (Parent Key)"
    participant LeafSignerProvider as "Leaf Signer Provider (KMS/Tink)"
    participant CertGenerator as "Internal Certificate Generator"

    User->>CLI: Execute with --parent-kms-resource, --parent-validity, --org-name, leaf opts (no --gcp-ca-root)
    CLI->>ParentKMS: Get signer for parent key
    ParentKMS-->>CLI: Parent Signer & Public Key
    CLI->>CertGenerator: Create self-signed parent certificate (using Parent Signer, Parent Public Key, validity, orgName)
    CertGenerator-->>CLI: Self-Signed Parent Certificate
    CLI->>LeafSignerProvider: Get signer for leaf key
    LeafSignerProvider-->>CLI: Leaf Signer & Public Key
    CLI->>CertGenerator: Create leaf certificate (signed by Parent Signer, using Leaf Public Key, Parent Cert, orgName)
    CertGenerator-->>CLI: Leaf Certificate
    CLI->>User: Output certificate chain (Leaf + Self-Signed Parent)

Sequence Diagram: Certificate Chain Generation with CA-Issued Intermediate

sequenceDiagram
    actor User
    participant CLI as "fetch-tsa-certs CLI"
    participant ParentKMS as "KMS (Parent/Intermediate Key)"
    participant GCPSCA as "GCP CA Service"
    participant LeafSignerProvider as "Leaf Signer Provider (KMS/Tink)"
    participant CertGenerator as "Internal Certificate Generator"

    User->>CLI: Execute with --gcp-ca-root, --parent-kms-resource, --org-name, leaf opts
    CLI->>ParentKMS: Get signer for parent/intermediate key
    ParentKMS-->>CLI: Parent/Intermediate Signer & Public Key
    CLI->>GCPSCA: Request intermediate certificate for Parent/Intermediate Public Key (using gcpCaRoot, validity, orgName)
    GCPSCA-->>CLI: Intermediate Certificate + CA Chain
    CLI->>LeafSignerProvider: Get signer for leaf key
    LeafSignerProvider-->>CLI: Leaf Signer & Public Key
    CLI->>CertGenerator: Create leaf certificate (signed by Parent/Intermediate Signer, using Leaf Public Key, Intermediate Cert, orgName)
    CertGenerator-->>CLI: Leaf Certificate
    CLI->>User: Output certificate chain (Leaf + Intermediate + CA Chain)

Class Diagram: API Structure and Verification Logic Changes

classDiagram
  class API {
    <<Struct: pkg/api/api.go>>
    +tsaSigner crypto.Signer
    +tsaSignerHash crypto.Hash
    +certChain []*x509.Certificate
    +certChainPem string
    +includeChain bool
    +NewAPI() (*API, error)
  }

  class TimestampAPIHandler {
    <<Functions: pkg/api/timestamp.go>>
    +verifyTimestampRequest(tsReq *timestamp.Request) (*timestamp.Request, string, error)
    +TimestampResponseHandler(params ts.GetTimestampResponseParams) middleware.Responder
    +ParseJSONRequest(reqBytes []byte) (*timestamp.Request, string, error)
    +parseDERRequest(reqBytes []byte) (*timestamp.Request, string, error)
  }

  class Verification {
    <<Functions & Vars: pkg/verification>>
    +verifyLeafExtendedKeyUsage(cert *x509.Certificate) error
    +verifyIntermediateExtendedKeyUsage(cert *x509.Certificate) error
    +VerifyRequest(ts *timestamp.Request) error
    +ErrUnsupportedHashAlg error
    +ErrInconsistentDigestLength error
  }

  API -- TimestampAPIHandler : API struct instance is used by handlers
  TimestampAPIHandler ..> Verification : Uses verification functions & errors

Updated Class Diagram for Tink Signer Functions (pkg/signer/tink.go)

classDiagram
  class TinkSignerUtil {
    <<Go Package: pkg/signer>>
    +NewTinkSigner(tinkKeysetPath string, primaryKey tink.AEAD) (crypto.Signer, error)
    +GetPrimaryKey(ctx context.Context, kmsKey string, hcVaultToken string) (tink.AEAD, error)
  }
  %% NewTinkSigner(): context.Context parameter removed.
  %% KeyHandleToSigner() function was removed (functionality moved to sigstore/tinkUtils).
  %% Dependencies updated from google/tink to tink-crypto/tink-go/v2.

Updated Class Diagram for fetchCertificateChain Function (cmd/fetch-tsa-certs/fetch_tsa_certs.go)

classDiagram
  class FetchCertsUtil {
    <<Go File: cmd/fetch-tsa-certs/fetch_tsa_certs.go>>
    +fetchCertificateChain(ctx context.Context, root string, parentKMSKey string, leafKMSKey string, tinkKeysetPath string, tinkKmsKey string, client *privateca.CertificateAuthorityClient) ([]*x509.Certificate, error)
    +main()
  }
  %% fetchCertificateChain() parameters changed: 'parent' string to 'root' string, 'intermediateKMSKey' string to 'parentKMSKey' string.
  %% CLI flags used by main() and passed to fetchCertificateChain() have changed (e.g. gcp-ca-parent to gcp-ca-root, new parent-validity, org-name).

File-Level Changes

Refactor fetch-tsa-certs to support CA-signed and self-signed parent certificates
  • Renamed flags: gcp-ca-parent→gcp-ca-root, intermediate-kms→parent-kms, added org-name and parent-validity
  • Combined CA and self-signed parent logic into fetchCertificateChain, building a unified certChain
  • Updated main() flag validations and README usage examples
  • Added Certificate Maker docs for detailed chain generation
  Files: cmd/fetch-tsa-certs/fetch_tsa_certs.go, README.md, docs/certificate-maker.md

Migrate Tink integration to tink-crypto v2 and centralize signer conversion
  • Replaced google/tink imports with github.com/tink-crypto/tink-go/v2 and related KMS integrations
  • Changed NewTinkSigner signature to drop context parameter
  • Delegated KeyHandleToSigner calls to sigstore/pkg/signature/tink
  • Removed legacy inlined KeyHandleToSigner implementation
  • Updated signer tests to use new tink-crypto imports and APIs
  Files: pkg/signer/tink.go, pkg/signer/tink_test.go, pkg/signer/signer.go

Enhance timestamp API to validate requests and optionally include full issuing chain
  • Extended VerifyRequest to detect weak, unsupported algorithms, and mismatched digest lengths
  • Added include-chain-in-response flag in CLI, stored in API.includeChain
  • Modified TimestampResponseHandler to conditionally append full certChain vs leaf only
  • Consolidated error mapping in parseJSON/DER handlers via verifyTimestampRequest helper
  Files: pkg/api/timestamp.go, pkg/api/api.go, pkg/api/error.go

Improve certificate and EKU verification logic and tests
  • Refactored verifyLeafCert to locate non-CA leaf and error if missing
  • Split EKU checks into verifyLeafExtendedKeyUsage and verifyIntermediateExtendedKeyUsage
  • Updated verifyLeafAndIntermediatesTimestampingEKU to invoke respective leaf/intermediate logic
  • Augmented tests in pkg/verification to cover missing leaf, multiple EKU scenarios, and error messages
  Files: pkg/verification/verify.go, pkg/verification/verify_test.go, pkg/verification/verify_request.go, pkg/verification/verify_request_test.go

Bump dependencies and revamp CI/CD workflows
  • Updated go.mod and hack/tools/go.mod dependency versions across core and indirect modules
  • Upgraded GitHub Actions: setup-go, cache, codecov, golangci-lint, added gen-check job and tightened permissions
  • Refined .golangci.yml with updated linters, formatters, and exclusions
  • Adjusted Dockerfile base images, ports, and Docker Compose healthchecks
  • Incremented goreleaser version_template and workflow action versions
  Files: go.mod, hack/tools/go.mod, .github/workflows/tests.yaml, .github/workflows/build-snapshot.yaml, .github/workflows/codeql_analysis.yaml, .github/workflows/golangci.yml, Dockerfile, .goreleaser.yml

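The request validation listed under "Enhance timestamp API" above (unsupported or weak algorithm, mismatched digest length), as an added Go example that is not the project's code: it decodes the RFC 3161 MessageImprint with encoding/asn1, rejects algorithms outside an accept-list, and rejects a hashedMessage whose length differs from what the named algorithm produces. The accept-list contents (SHA-2 only, SHA-1 excluded), the OID table and the function names are assumptions.

```go
package main

import (
	"crypto"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
)

var ErrUnsupportedHashAlg = errors.New("unsupported hash algorithm")
var ErrInconsistentDigestLength = errors.New("digest length does not match hash algorithm")

// messageImprint mirrors RFC 3161: SEQUENCE { hashAlgorithm, hashedMessage OCTET STRING }.
type messageImprint struct {
	HashAlgorithm pkix.AlgorithmIdentifier
	HashedMessage []byte
}

// hashByOID is the accept-list (SHA-2 family); SHA-1 (1.3.14.3.2.26) is left out on purpose.
var hashByOID = map[string]crypto.Hash{
	"2.16.840.1.101.3.4.2.1": crypto.SHA256,
	"2.16.840.1.101.3.4.2.2": crypto.SHA384,
	"2.16.840.1.101.3.4.2.3": crypto.SHA512,
}

// VerifyMessageImprint decodes a DER MessageImprint and enforces both checks: the
// algorithm must be on the accept-list and hashedMessage must be exactly as long as
// that algorithm's output, so the TSA never signs an imprint no real hash could produce.
func VerifyMessageImprint(der []byte) (crypto.Hash, error) {
	var mi messageImprint
	if rest, err := asn1.Unmarshal(der, &mi); err != nil || len(rest) != 0 {
		return 0, fmt.Errorf("malformed MessageImprint (err=%v, trailing=%d bytes)", err, len(rest))
	}
	h, ok := hashByOID[mi.HashAlgorithm.Algorithm.String()]
	if !ok {
		return 0, fmt.Errorf("%w: %s", ErrUnsupportedHashAlg, mi.HashAlgorithm.Algorithm)
	}
	if len(mi.HashedMessage) != h.Size() {
		return 0, fmt.Errorf("%w: got %d bytes, %s produces %d",
			ErrInconsistentDigestLength, len(mi.HashedMessage), h, h.Size())
	}
	return h, nil
}

// EncodeMessageImprint builds DER input for the check above (constructed, not a real request).
func EncodeMessageImprint(oid asn1.ObjectIdentifier, digest []byte) []byte {
	der, err := asn1.Marshal(messageImprint{
		HashAlgorithm: pkix.AlgorithmIdentifier{Algorithm: oid}, HashedMessage: digest})
	if err != nil {
		panic(err)
	}
	return der
}
```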


@sourcery-ai sourcery-ai Bot left a comment


Hey @tommyd450 - I've reviewed your changes and they look great!

Here's what I looked at during the review
  • 🟡 General issues: 2 issues found
  • 🟢 Security: all looks good
  • 🟢 Testing: all looks good
  • 🟢 Documentation: all looks good


Comment on lines +171 to +175
func verifyIntermediateExtendedKeyUsage(cert *x509.Certificate) error {
	// If no EKU specified it means unrestricted usage
	if len(cert.ExtKeyUsage) == 0 {
		return nil
	}

suggestion: Intermediate EKU verification allows unrestricted usage if EKU is empty.

If stricter policy is needed, consider requiring at least one EKU or making this behavior configurable.

Suggested change
func verifyIntermediateExtendedKeyUsage(cert *x509.Certificate) error {
	// If no EKU specified it means unrestricted usage
	if len(cert.ExtKeyUsage) == 0 {
		return nil
	}

var AllowUnrestrictedIntermediateEKU = true

func verifyIntermediateExtendedKeyUsage(cert *x509.Certificate) error {
	// If no EKU specified, allow unrestricted usage only if policy allows
	if len(cert.ExtKeyUsage) == 0 {
		if AllowUnrestrictedIntermediateEKU {
			return nil
		}
		return fmt.Errorf("intermediate certificate must specify at least one extended key usage")
	}
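The leaf/intermediate EKU split discussed in this comment, as an added Go example that is not the project's code: the leaf rule follows RFC 3161 (exactly one extended key usage, and it must be id-kp-timeStamping), the intermediate rule keeps the "no EKU means unrestricted" behaviour behind the policy variable Sourcery proposed, and the requirement that a non-empty intermediate EKU list permit timestamping is an assumption. NewTestCert builds throwaway self-signed certificates as constructed input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// AllowUnrestrictedIntermediateEKU is the policy knob proposed in the review (assumed, not project code).
var AllowUnrestrictedIntermediateEKU = true

// VerifyLeafEKU applies the RFC 3161 rule for the TSA certificate itself: exactly one EKU, id-kp-timeStamping.
func VerifyLeafEKU(cert *x509.Certificate) error {
	if len(cert.UnknownExtKeyUsage) != 0 || len(cert.ExtKeyUsage) != 1 ||
		cert.ExtKeyUsage[0] != x509.ExtKeyUsageTimeStamping {
		return errors.New("leaf certificate EKU must be exactly id-kp-timeStamping")
	}
	return nil
}

// VerifyIntermediateEKU keeps the "no EKU means unrestricted" behaviour behind the
// policy switch; when an EKU list is present it must permit timestamping (assumed rule).
func VerifyIntermediateEKU(cert *x509.Certificate) error {
	if len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 {
		if AllowUnrestrictedIntermediateEKU {
			return nil
		}
		return errors.New("intermediate certificate must specify at least one extended key usage")
	}
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageTimeStamping {
			return nil
		}
	}
	return errors.New("intermediate certificate EKU does not permit timestamping")
}

// NewTestCert builds a throwaway self-signed certificate with the given EKUs
// (constructed input for the checks above; errors are ignored as this is test-only).
func NewTestCert(isCA bool, ekus ...x509.ExtKeyUsage) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "eku-test"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, ExtKeyUsage: ekus,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```

RFC 3161 additionally requires the leaf's EKU extension to be marked critical, which can be checked by locating OID 2.5.29.37 in cert.Extensions and testing its Critical flag; NewTestCert does not set it, so such a check would need certificates built with ExtraExtensions.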

Comment thread docs/certificate-maker.md

## Templates

These [TSA-specific certificate templates](pkg/certmaker/templates) are specifically configured for Timestamp Authority certificates with appropriate extensions and constraints:

issue: Broken relative link to templates.

Update the link to ../pkg/certmaker/templates so it resolves correctly from the docs directory.

@SequeI SequeI merged commit 22406d0 into main Jun 5, 2025
16 checks passed