First release of Timestamp Authority 0.1.0

[Hayden Blauzvern]

We have the first release of a timestamp authority server and client! https://github.com/sigstore/timestamp-authority/releases/tag/v0.1.0

Time is a critical component of Sigstore - It's used to verify that a short-lived issued certificate was valid at a previous point, when an artifact was signed and a signer controlled an ephemeral signing key. Currently, we validate these certificates using the entry's time of integration into the Rekor log.

Signed timestamps can augment transparency log entries. Since the timestamps are signed, the time is immutable and verifiable. Additionally, by requesting a signed timestamp from a timestamp authority operated by a community member or organization, you are delegating providing trusted time to an independent source. You can upload signed timestamps to Rekor, and when verifying, you'll have an alternative source for providing trusted time.

Look forward to a blog post talking more about how to use signed timestamps in the very near future! In the meantime, join us at #timestamping to chat more about how we're improving Sigstore trustworthiness and auditability with signed timestamps and ideas for future improvements!

Try out the server and client, and let us know if you have any questions, issues, or feature requests!