Sigstore Java has a vulnerability with bundle verification of integratedTime
Regression: Verification of integratedTime from Rekor V1 Log Entry against Fuclio Certificate validity was missing
Regression: Verification of integratedTime from Rekor V1 Log Entry against Fuclio Certificate validity was missing
sigstore-java has insufficient verification for a situation where a bundle provides a invalid signature for a checkpoint.
sigstore-java has insufficient verification for a situation where a validly-signed but "mismatched" bundle is presented as proof of inclusion into a transparency log