ignore tlog when using RFC3161Timestamp (#1874)

jkylekelly · web-flow · commit ccbb37f30097 · 2025-09-02T11:27:28.000+03:00
* ignore tlog when using RFC3161Timestamp

Signed-off-by: jkylekelly &lt;jkylekelly@github.com&gt;

* update wantCheckOpts for test

Signed-off-by: jkylekelly &lt;jkylekelly@github.com&gt;

---------

Signed-off-by: jkylekelly &lt;jkylekelly@github.com&gt;
diff --git a/pkg/webhook/validator.go b/pkg/webhook/validator.go
@@ -1405,6 +1405,7 @@ func checkOptsFromAuthority(ctx context.Context, authority webhookcip.Authority,
 				return nil, fmt.Errorf("when using the new bundle format, the trustRootRef for the TSA must be the same as the trustRootRef for the Keyless authority")
 			}
 			ret.UseSignedTimestamps = true
+			ret.IgnoreTlog = true
 		}
 
 		// Check for custom Rekor
diff --git a/pkg/webhook/validator_test.go b/pkg/webhook/validator_test.go
@@ -3428,6 +3428,7 @@ func TestCheckOptsFromAuthority(t *testing.T) {
 			NewBundleFormat:     true,
 			UseSignedTimestamps: true,
 			TrustedMaterial:     &root.TrustedRoot{},
+			IgnoreTlog:          true,
 		},
 	}, {
 		name: "bundle format, bad TrustRootRef",

Original file line number	Diff line number	Diff line change
`@@ -1405,6 +1405,7 @@ func checkOptsFromAuthority(ctx context.Context, authority webhookcip.Authority,`
`1405`	`1405`	`return nil, fmt.Errorf("when using the new bundle format, the trustRootRef for the TSA must be the same as the trustRootRef for the Keyless authority")`
`1406`	`1406`	`}`
`1407`	`1407`	`ret.UseSignedTimestamps = true`
	`1408`	`+ ret.IgnoreTlog = true`
`1408`	`1409`	`}`
`1409`	`1410`
`1410`	`1411`	`// Check for custom Rekor`