gitsign verify fails erratically (~50% of the time) when verifying timestamp signatures

[ajh-]

Description

Using a private Sigstore setup in AWS, gitsign verify erratically fails to verify timestamp signatures with the error timestamp authority verification failed. It seems to happen about ~50% of the time with no consistent pattern.

For example, it could successfully verify 5 commits in a row, fail the next 3, succeed 1, fail 2, succeed 3, fail 4, etc. Removing timestamps from the signing and verification process results in 100% successful verifications (as expected).

When using cosign sign and cosign verify against the same private Sigstore infrastructure, timestamp verifications are 100% successful.

sigstore/timestamp-authority is deployed as the timestamp authority server in this setup and uses an AWS KMS key for signing requests.

Version
v0.10.2

[ajh-]

After some additional troubleshooting, gitsign seems to throw an error when the certificate notBefore value is equal to the signingTime value:

PKCS7: 
  type: pkcs7-signedData (1.2.840.113549.1.7.2)
  d.sign: 
    version: 1
    md_algs:
        algorithm: sha256 (2.16.840.1.101.3.4.2.1)
        parameter: <ABSENT>
    contents: 
      type: pkcs7-data (1.2.840.113549.1.7.1)
      d.data: <ABSENT>
    cert:
        cert_info: 
          version: 2
          serialNumber: ...
          signature: 
            algorithm: ecdsa-with-SHA256 (1.2.840.10045.4.3.2)
            parameter: <ABSENT>
          issuer: CN=sigstore-fulcio
          validity: 
            notBefore: Nov  4 15:40:57 2024 GMT
            notAfter: Nov  4 15:50:57 2024 GMT
            ...
    signer_info:
            ...
            object: signingTime (1.2.840.113549.1.9.5)
            value.set:
              UTCTIME:Nov  4 15:40:57 2024 GMT

When signingTime is later than the notBefore value, gitsign verifies the timestamp as expected:

PKCS7: 
  type: pkcs7-signedData (1.2.840.113549.1.7.2)
  d.sign: 
    version: 1
    md_algs:
        algorithm: sha256 (2.16.840.1.101.3.4.2.1)
        parameter: <ABSENT>
    contents: 
      type: pkcs7-data (1.2.840.113549.1.7.1)
      d.data: <ABSENT>
    cert:
        cert_info: 
          version: 2
          serialNumber: ...
          signature: 
            algorithm: ecdsa-with-SHA256 (1.2.840.10045.4.3.2)
            parameter: <ABSENT>
          issuer: CN=sigstore-fulcio
          validity: 
            notBefore: Nov  4 15:40:57 2024 GMT
            notAfter: Nov  4 15:50:57 2024 GMT
            ...
    signer_info:
            ...
            object: signingTime (1.2.840.113549.1.9.5)
            value.set:
              UTCTIME:Nov  4 15:40:58 2024 GMT

Based on my experience, if the certificate and timestamp are generated within the same time-based second, gitsign verify fails with the error:

Error: failed to verify detached signature: x509: certificate has expired or is not yet valid: timestamp authority verification failed