Don't require timestamps when verifying with a key

go.mod

@@ -37,7 +37,7 @@ require (
 	github.com/sigstore/rekor v1.4.0
 	github.com/sigstore/rekor-tiles v0.1.7-0.20250624231741-98cd4a77300f
 	github.com/sigstore/sigstore v1.9.5
-	github.com/sigstore/sigstore-go v1.1.1
+	github.com/sigstore/sigstore-go v1.1.2-0.20250811211025-bac873564adb
 	github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.5
 	github.com/sigstore/sigstore/pkg/signature/kms/azure v1.9.5
 	github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.9.6-0.20250729224751-181c5d3339b3
@@ -287,7 +287,7 @@ require (
 	go.uber.org/zap v1.27.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 // indirect
-	golang.org/x/mod v0.26.0 // indirect
+	golang.org/x/mod v0.27.0 // indirect
 	golang.org/x/net v0.42.0 // indirect
 	golang.org/x/sys v0.35.0 // indirect
 	golang.org/x/text v0.28.0 // indirect

go.sum

@@ -1418,8 +1418,8 @@ github.com/sigstore/rekor-tiles v0.1.7-0.20250624231741-98cd4a77300f h1:zaqWahYA
 github.com/sigstore/rekor-tiles v0.1.7-0.20250624231741-98cd4a77300f/go.mod h1:1Epq0PQ73v5Z276rAY241JyaP8gtD64I6sgYIECHPvc=
 github.com/sigstore/sigstore v1.9.5 h1:Wm1LT9yF4LhQdEMy5A2JeGRHTrAWGjT3ubE5JUSrGVU=
 github.com/sigstore/sigstore v1.9.5/go.mod h1:VtxgvGqCmEZN9X2zhFSOkfXxvKUjpy8RpUW39oCtoII=
-github.com/sigstore/sigstore-go v1.1.1 h1:S1w6DqVX/lvEC+zFCymmiVc8Lxpa+VXQThcww8Jksqo=
-github.com/sigstore/sigstore-go v1.1.1/go.mod h1:hZANT1PkDy+RcHfXv76T+Lfv7K4AdM/PcuT2IWV2Uq4=
+github.com/sigstore/sigstore-go v1.1.2-0.20250811211025-bac873564adb h1:Yy/pIVtUFjyTSAbr+7jIg5YKTaDXsoHAn9/a8DMyAhQ=
+github.com/sigstore/sigstore-go v1.1.2-0.20250811211025-bac873564adb/go.mod h1:kjsxkuzk8dd8bCODeVb9lDSYiMRxxomF3MvBMstHqJM=
 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.5 h1:qp2VFyKuFQvTGmZwk5Q7m5nE4NwnF9tHwkyz0gtWAck=
 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.9.5/go.mod h1:DKlQjjr+GsWljEYPycI0Sf8URLCk4EbGA9qYjF47j4g=
 github.com/sigstore/sigstore/pkg/signature/kms/azure v1.9.5 h1:CRZcdYn5AOptStsLRAAACudAVmb1qUbhMlzrvm7ju3o=
@@ -1681,8 +1681,8 @@ golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91
 golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.26.0 h1:EGMPT//Ezu+ylkCijjPc+f4Aih7sZvaAr+O3EHBxvZg=
-golang.org/x/mod v0.26.0/go.mod h1:/j6NAhSk8iQ723BGAUyoAcn7SlD7s15Dp9Nd/SfeaFQ=
+golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
+golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=

pkg/cosign/verify.go

@@ -248,17 +248,28 @@ func (co *CheckOpts) verificationOptions() (trustedMaterial root.TrustedMaterial
 
 	if !co.IgnoreTlog {
 		verifierOptions = append(verifierOptions, verify.WithTransparencyLog(1))
-		// If you aren't using a signed timestamp, use the time from the transparency log.
+		// If you aren't using a signed timestamp, use the time from the transparency log
+		// to verify Fulcio certificates, or require no timestamp to verify a key.
 		// For Rekor v2, a signed timestamp must be provided.
 		if !co.UseSignedTimestamps {
-			verifierOptions = append(verifierOptions, verify.WithIntegratedTimestamps(1))
+			if co.SigVerifier == nil {
+				verifierOptions = append(verifierOptions, verify.WithIntegratedTimestamps(1))
+			} else {
+				verifierOptions = append(verifierOptions, verify.WithNoObserverTimestamps())
+			}
 		}
 	}
 	if co.UseSignedTimestamps {
 		verifierOptions = append(verifierOptions, verify.WithSignedTimestamps(1))
 	}
+	// A time verification policy must be provided. Without a signed timestamp or integrated timestamp,
+	// verify a certificate with the current time, or require no timestamp to verify a key.
 	if co.IgnoreTlog && !co.UseSignedTimestamps {
-		verifierOptions = append(verifierOptions, verify.WithCurrentTime())
+		if co.SigVerifier == nil {
+			verifierOptions = append(verifierOptions, verify.WithCurrentTime())
+		} else {
+			verifierOptions = append(verifierOptions, verify.WithNoObserverTimestamps())
+		}
 	}
 
 	return vTrustedMaterial, verifierOptions, policyOptions, nil

test/e2e_test.go

@@ -1008,10 +1008,34 @@ func TestSignVerifyBundle(t *testing.T) {
 		NewBundleFormat:     true,
 		UseSignedTimestamps: false,
 	}
-
 	args := []string{imgName}
 	must(cmd.Exec(ctx, args), t)
 
+	// Sign image with key in bundle format without Rekor
+	_, privKeyPath, pubKeyPath = keypair(t, td)
+	ko = options.KeyOpts{
+		KeyRef:           privKeyPath,
+		PassFunc:         passFunc,
+		SkipConfirmation: true,
+	}
+	so = options.SignOptions{
+		Upload:          true,
+		NewBundleFormat: true,
+		TlogUpload:      false,
+	}
+	must(sign.SignCmd(ro, ko, so, []string{imgName}), t)
+	// Verify bundle without Rekor
+	cmd = cliverify.VerifyCommand{
+		CommonVerifyOptions: options.CommonVerifyOptions{
+			TrustedRootPath: trustedRootPath,
+		},
+		KeyRef:              pubKeyPath,
+		NewBundleFormat:     true,
+		IgnoreTlog:          true,
+		UseSignedTimestamps: false,
+	}
+	must(cmd.Exec(ctx, args), t)
+
 	// Sign image with Fulcio
 	identityToken, err := getOIDCToken()
 	if err != nil {
@@ -1043,7 +1067,6 @@ func TestSignVerifyBundle(t *testing.T) {
 		NewBundleFormat:     true,
 		UseSignedTimestamps: false,
 	}
-
 	must(cmd.Exec(ctx, args), t)
 }