* sigstore public good instance is deploying a rekor v2 transparency log: https://blog.sigstore.dev/rekor-v2-alpha/
* the current rekor v1 log continues operations but long term it will become read-only at some point
* sigstore-python 4.0 supports rekorv2, however...
* rekorv2 entries do not contain an integrated timestamp: external timestamps are required. (for an example, Sigstore itself handles them by just dropping the RFC3161 timestamps in the signature bundles: https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto#L108)
* Currently pypi attestations do not contain timestamps

The pypi attestations should be amended so they can contain timestamps as well.
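
To make the gap concrete, here is an added example (not code from sigstore-python or PyPI) that reports which signing-time evidence a Sigstore bundle in JSON form carries. It assumes the protobuf JSON field names `tlogEntries`, `integratedTime`, `timestampVerificationData`, `rfc3161Timestamps` and `signedTimestamp`; the sample bundles and the function names are constructed for illustration.

```python
# Added example: presence check only. The log entry and the RFC 3161 token
# still have to be cryptographically verified by a Sigstore client.

def time_sources(bundle: dict) -> list:
    """Return the kinds of signing-time evidence present in a bundle."""
    vm = bundle.get("verificationMaterial") or {}
    sources = []
    for entry in vm.get("tlogEntries") or []:
        # protobuf JSON encodes int64 as a string; absent or 0 means "not set"
        if int(entry.get("integratedTime") or 0) > 0:
            sources.append("rekor-integrated-time")
            break
    tsd = vm.get("timestampVerificationData") or {}
    if any(t.get("signedTimestamp") for t in tsd.get("rfc3161Timestamps") or []):
        sources.append("rfc3161")
    return sources


# Constructed sample bundles, trimmed to the fields inspected here.
# "Y29uc3RydWN0ZWQ=" is a placeholder, not a real timestamp token.
V1_STYLE = {"verificationMaterial": {
    "tlogEntries": [{"logIndex": "1", "integratedTime": "1700000000"}]}}
V2_WITH_TSA = {"verificationMaterial": {
    "tlogEntries": [{"logIndex": "2"}],
    "timestampVerificationData": {
        "rfc3161Timestamps": [{"signedTimestamp": "Y29uc3RydWN0ZWQ="}]}}}
V2_NO_TIME = {"verificationMaterial": {
    "tlogEntries": [{"logIndex": "3", "integratedTime": "0"}]}}

SAMPLES = {"v1-style": V1_STYLE, "v2+tsa": V2_WITH_TSA, "v2-no-time": V2_NO_TIME}


def audit(bundles: dict) -> dict:
    """Map bundle name to its time sources; an empty list means a verifier
    has nothing to check the certificate validity window against."""
    return {name: time_sources(b) for name, b in bundles.items()}


if __name__ == "__main__":
    for name, srcs in audit(SAMPLES).items():
        print(f"{name}: {', '.join(srcs) if srcs else 'NO SIGNING TIME EVIDENCE'}")
```
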