Trusted Time in Sigstore
Time in Sigstore Time is a critical component of Sigstore. It’s used to verify that a short-lived certificate issued by Fulcio was valid at a previous point, when the artifact was signed. As a reminder, the default signing flow for Sigstore clients includes the following: Signer requests an identity token from an OpenID Connect provider Signer generates an ephemeral keypair Signer sends the public key and identity token to Fulcio, Sigstore’s certificate authority Fulcio issues a short-lived (10 minute expiration) code-signing certificate Signer signs the artifact, and uploads the artifact, the certificate, and signature to Rekor, Sigstore’s transparency log During artifact verification, a client must verify the certificate.