Verify that timestamp is before the signing certificate expiry (#42)

* _verify: Verify that integrated time falls between certificate
validity window

* _verify: Use UTC timestamp

* _verify: tweak notAfter verification

Co-authored-by: William Woodruff <[email protected]>

Author: tetsuo-cpp

sigstore/_verify.py

@@ -3,6 +3,7 @@
 """
 
 import base64
+import datetime
 import hashlib
 from importlib import resources
 from typing import Optional, TextIO, cast
@@ -74,6 +75,8 @@ def verify(
     #
     # 4) Verify the inclusion proof supplied by Rekor for this artifact
     # 5) Verify the Signed Entry Timestamp (SET) supplied by Rekor for this artifact
+    # 6) Verify that the signing certificate was valid at the time of signing by comparing the
+    #    expiry against the integrated timestamp
 
     # 1) Verify that the signing certificate is signed by the root certificate and that the signing
     #    certificate was valid at the time of signing.
@@ -157,6 +160,18 @@ def verify(
             output(f"Failed to validate Rekor entry's SET: {inval_set}")
             continue
 
+        # 6) Verify that the signing certificate was valid at the time of signing
+        integrated_time = datetime.datetime.utcfromtimestamp(entry.integrated_time)
+        if (
+            integrated_time < cert.not_valid_before
+            or integrated_time >= cert.not_valid_after
+        ):
+            # No need to log anything here.
+            #
+            # If an artifact has been signed multiple times, this will happen so it's not really an
+            # error case.
+            continue
+
         valid_sig_exists = True
 
     if not valid_sig_exists: