Address comments

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>

cmd/cosign/cli/options/verify.go

@@ -165,7 +165,7 @@ func (o *VerifyBlobOptions) AddFlags(cmd *cobra.Command) {
 		"path to bundle FILE")
 
 	cmd.Flags().StringVar(&o.RFC3161TimestampPath, "rfc3161-timestamp", "",
-		"path to rfc3161 timestamp FILE")
+		"path to RFC3161 timestamp FILE")
 }
 
 // VerifyDockerfileOptions is the top level wrapper for the `dockerfile verify` command.

cmd/cosign/cli/sign/sign_blob.go

@@ -74,6 +74,10 @@ func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, payloadPath string
 
 	var rfc3161Timestamp *cbundle.RFC3161Timestamp
 	if ko.TSAServerURL != "" {
+		if ko.RFC3161TimestampPath == "" {
+			return nil, fmt.Errorf("timestamp output path must be set")
+		}
+
 		clientTSA, err := tsaclient.GetTimestampClient(ko.TSAServerURL)
 		if err != nil {
 			return nil, fmt.Errorf("failed to create TSA client: %w", err)
@@ -86,6 +90,18 @@ func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, payloadPath string
 
 		rfc3161Timestamp = cbundle.TimestampToRFC3161Timestamp(respBytes)
 		// TODO: Consider uploading RFC3161 TS to Rekor
+
+		if rfc3161Timestamp == nil {
+			return nil, fmt.Errorf("rfc3161 timestamp is nil")
+		}
+		ts, err := json.Marshal(rfc3161Timestamp)
+		if err != nil {
+			return nil, err
+		}
+		if err := os.WriteFile(ko.RFC3161TimestampPath, ts, 0600); err != nil {
+			return nil, fmt.Errorf("create rfc3161 timestamp file: %w", err)
+		}
+		fmt.Printf("RFC3161 timestamp bundle written to file %s\n", ko.RFC3161TimestampPath)
 	}
 	if ShouldUploadToTlog(ctx, ko, nil, tlogUpload) {
 		rekorBytes, err = sv.Bytes(ctx)
@@ -104,17 +120,6 @@ func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, payloadPath string
 		signedPayload.Bundle = cbundle.EntryToBundle(entry)
 	}
 
-	if ko.RFC3161TimestampPath != "" && rfc3161Timestamp != nil {
-		ts, err := json.Marshal(rfc3161Timestamp)
-		if err != nil {
-			return nil, err
-		}
-		if err := os.WriteFile(ko.RFC3161TimestampPath, ts, 0600); err != nil {
-			return nil, fmt.Errorf("create rfc3161 timestamp file: %w", err)
-		}
-		fmt.Printf("RFC3161 timestamp bundle written to file %s\n", ko.RFC3161TimestampPath)
-	}
-
 	// if bundle is specified, just do that and ignore the rest
 	if ko.BundlePath != "" {
 		signedPayload.Base64Signature = base64.StdEncoding.EncodeToString(sig)

specs/SIGNATURE_SPEC.md

@@ -131,7 +131,7 @@ For instructions on using the `bundle` for verification, see [USAGE.md](../USAGE
 
 * `rfc3161timestamp` string
 
-  This OPTIONAL property contains a JSON formatted `RFC3161Timestamp` bundle containing the timestamp response from a
+  This OPTIONAL property contains a JSON formatted `RFC3161Timestamp` containing the timestamp response from a
   timestamp authority.
 
 ## Storage