Merge pull request 'feature: validate commits in reverse date-time order when MAX_COMMITS_TO_CHECK is used' (#12 ) from date-order into main

Reviewed-on: #12 Reviewed-by: Artur Neumann <artur@jankaritech.eu>
feature: validate commits in reverse date-time order when MAX_COMMITS_TO_CHECK is used
2025-06-04 03:16:25 +00:00 · 2025-06-03 17:21:42 +05:45 · 2025-06-02 11:40:09 +00:00 · 2025-06-02 15:32:48 +05:45 · 2025-06-02 14:32:23 +05:45 · 2025-06-02 04:10:47 +00:00
5 changed files with 2255 additions and 2278 deletions
--- a/.gitea/workflows/validate.yaml
+++ b/.gitea/workflows/validate.yaml
@@ -1,14 +1,3 @@
-location / {
-    proxy_pass        http://localhost:5232/;
-    proxy_set_header  X-Script-Name /radicale;
-    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header  X-Forwarded-Host $host;
-    proxy_set_header  X-Forwarded-Port $server_port;
-    proxy_set_header  X-Forwarded-Proto $scheme;
-    proxy_set_header  Host $http_host;
-    proxy_pass_header Authorization;
-}
-
 name: Validate Trusted Timestamps Actions Demo
 run-name: ${{ gitea.actor }} is validating the trusted timestamps of all commits 🚀
 on: [push]
--- a/.timestampltv/crls/5024EC0B994B2230F00A0F90A60D1D281D1B3FBE.crl
+++ b/.timestampltv/crls/5024EC0B994B2230F00A0F90A60D1D281D1B3FBE.crl
--- a/.timestampltv/crls/E1D782A8E191BEEF6BCA1691B5AAB494A6249BF3.crl
+++ b/.timestampltv/crls/E1D782A8E191BEEF6BCA1691B5AAB494A6249BF3.crl
@@ -2,17 +2,17 @@
 MIIC5jCCAc4CAQEwDQYJKoZIhvcNAQELBQAwcjELMAkGA1UEBhMCVVMxFTATBgNV
 BAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTExMC8G
 A1UEAxMoRGlnaUNlcnQgU0hBMiBBc3N1cmVkIElEIFRpbWVzdGFtcGluZyBDQRcN
-MjUwMTI0MDUxNDI4WhcNMjUwMTMxMDUxNDI4WjCB9TAhAhAL2v0LKRQzmpYSZqw1
+MjUwMjEyMDUyMjQ1WhcNMjUwMjE5MDUyMjQ1WjCB9TAhAhAL2v0LKRQzmpYSZqw1
 OkdEFw0xNjEwMjQxNzQyNDlaMCECEAH40oMtKRkZcbNQw9u8pQAXDTE2MTExMTE1
 MjEzNFowIQIQClKwbEb16yWgi9U/3Ht4hhcNMTgwOTAzMTIxMTQyWjAhAhAFlx7K
 SlmJinvPTLfjd5doFw0xOTA5MzAwODE2MjRaMCECEAxFkEkmQLBOlEh/jEwCeJAX
 DTIxMDIwOTIyMzk0MlowIQIQBMvnUVSd49EL7YN0yV7iRBcNMjEwMjA5MjMyMzM3
 WjAhAhALmUrhw5aLANVesgZ0jpseFw0yMTAyMDkyMzI0MjNaoDAwLjAfBgNVHSME
-GDAWgBT0tuEgHf4prtLkYaWyoiWyyBc1bjALBgNVHRQEBAICDNwwDQYJKoZIhvcN
-AQELBQADggEBAGuGW4lrI1pz4IwilL1u3rFRWD43/2Cu0+Pc1+tRx+QqB42aB0Jl
-esdIRc7t7bZ+5wmJyl5DTToQ3Vm7v34dXlblmmlJ2IM+1BKNEO4jMg82i4CFHtaE
-1e2lTfCOKR7YiTmUv/E44jAeQNJbt3k/6gnpDTGafJTIybYNh3uVDtC8Iiun4DKH
-x1qe0qzuixF2TDdTRgPP293nShxNJP5G9G5JaOGSreVOItwEhI+GP6rrPffcanfJ
-v7ghEutuJCE2BGZkqL5iEGgAbMYhFitCu58rfwCHF78uz8T/kxbe5Ax2Zu1IV3is
-kuc5vOHsT/GFYnMC4PZn9J9eYKLE6mzr0SY=
+GDAWgBT0tuEgHf4prtLkYaWyoiWyyBc1bjALBgNVHRQEBAICDO8wDQYJKoZIhvcN
+AQELBQADggEBALr4VopJYkMfQ97HiyqytcWRY/vgyU/LxOwlH0/1DBSeeObQB0Nj
+uF7vcF2bhbpnxba7gvzOPryudwtbqquf2cl3CJG6MC2D8Nk1XzntDnpxCjVSfsAr
+158zAWPevyiuj3yzFz04mYALt/ZmOJMTF0vyKN8cg5bwfLu3itV6b6vhpuloIhRc
+Hmsbgr3BtCVHkf4vJWq/qKDEMcOhSrJ6wxGCzVyphenewSIbVcogj19cRZDFPWOC
+3sAy/GY3Rz0qK30tDvNbE1uum8gy5ijXFmepJ/lEetRCvrIsxTsXJOj0tqVZfIIQ
+E1YWUZ57TiBBrdS+dTgmRxkN/zaAfYVAIck=
 -----END X509 CRL-----
--- a/hooks/timestamping
+++ b/hooks/timestamping
@@ -553,7 +553,7 @@ download_crls_for_chain() {
      local URL=$(openssl x509 -inform PEM -in $EXTRACTED_CERT -text -noout \
                  | awk '/CRL Distribution Points:/{f=1} f && /URI:/ {print; exit}' \
                  | sed 's/^.*URI://1')
-      if curl "$URL" --output "$CRL_TMP" &> "$OUT_STREAM"; then
+      if curl -L "$URL" --output "$CRL_TMP" &> "$OUT_STREAM"; then
        if openssl crl -in "$CRL_TMP" -inform DER -noout &> "$OUT_STREAM"; then
          openssl crl -in "$CRL_TMP" -inform DER >> "$OUTPUT_FILE"
        elif openssl crl -in "$CRL_TMP" -inform PEM -noout &> "$OUT_STREAM"; then
--- a/hooks/validate.sh
+++ b/hooks/validate.sh
@@ -42,6 +42,10 @@ if [[ ! -d "$DIR" ]]; then DIR="$PWD"; fi
 . "$DIR/timestamping"

 declare -i MINVERSION=$TIMESTAMPING_VERSION
+declare -i MAX_COMMITS_TO_CHECK=0
+declare -A PROCESSED_COMMIT
+declare -A COMMITS
+declare -A COMMIT_TIMES

 while [[ $# -gt 0 ]]; do
  KEY="$1"
@@ -61,6 +65,16 @@ while [[ $# -gt 0 ]]; do
      shift # past argument
      shift # past value
      ;;
+    -max|--maxcommits)
+      INTEGER_REGEX='^[0-9]+$'
+      if ! [[ "$2" =~ $INTEGER_REGEX ]]; then
+        echo_error "$KEY: expected positive integer"
+        exit 1
+      fi
+      MAX_COMMITS_TO_CHECK="$2"
+      shift # past argument
+      shift # past value
+      ;;
    -v|--verbose)
      OUT_STREAM=/dev/stdout
      shift # past argument
@@ -89,6 +103,10 @@ fi
 # tokens, the function will return 0 but echo a warning about the invalid token.
 validate_commit() {
  local COMMIT_HASH="$1"
+  if [[ ${PROCESSED_COMMIT[$COMMIT_HASH]} ]]; then
+    log "validate_commit for $COMMIT_HASH has already been validated"
+    return 0
+  fi
  log "validate_commit for $COMMIT_HASH"

  local TIMESTAMP_COMMIT_VERSION
@@ -275,9 +293,11 @@ validate_commit() {
  #assert that all extracted timestamps have been processed
  assert "[ $NUM_PROCESSED -eq $NUM_EXTRACTED ]" "All extracted token must be processed."

+  PROCESSED_COMMIT[$COMMIT_HASH]=1
+
  if [ $NUM_VALID -gt 0 ]; then
    if [ $NUM_INVALID -gt 0 ]; then
-      echo_warning "Warning: While commit $COMMIT_HASH contains $NUM_VALID valid timestamp tokens and thus is considered proppely timestamped, it also contains $NUM_INVALID invalid timestamp tokens."
+      echo_warning "Warning: While commit $COMMIT_HASH contains $NUM_VALID valid timestamp tokens and thus is considered properly timestamped, it also contains $NUM_INVALID invalid timestamp tokens."
    fi
    DATE_STRING=$(date -d @"$EARLIEST_VALID_UNIX_TIME")
    echo_info "Commit $COMMIT_HASH, which timestamps commit $PARENT_HASH at $DATE_STRING, contains $NUM_VALID valid timestamp tokens."
@@ -293,6 +313,13 @@ validate_commit() {
 # param1: commit hash
 # returns: 0 if the validation of the commit and all its ancestors succeeded
 validate_commit_and_parents() {
+  # If MAX_COMMITS_TO_CHECK is zero (or a negative number) then that is understood as "infinity".
+  # So finish if we have reached the limit, and if the limit is not "infinity".
+  NUM_COMMITS_CHECKED=${#PROCESSED_COMMIT[@]}
+  if [[ ${NUM_COMMITS_CHECKED} -ge ${MAX_COMMITS_TO_CHECK} ]] && [[ ${MAX_COMMITS_TO_CHECK} -ge 1 ]]; then
+    # enough commits have already been checked, so return early
+    return 0;
+  fi
  local COMMIT_HASH="$1"
  log "validate_commit_and_parents for $COMMIT_HASH"

@@ -300,6 +327,7 @@ validate_commit_and_parents() {
  if ! validate_commit "$COMMIT_HASH"; then
    ALL_PASSED=false
  fi
+  NUM_COMMITS_CHECKED=${#PROCESSED_COMMIT[@]}
  local PARENTS=$(git cat-file -p "$COMMIT_HASH" | awk '/^$/{exit} /parent/ {print}' | sed 's/parent //')
  #iterate over all parents of commit
  if [ ! -z "$PARENTS" ]; then
@@ -315,6 +343,64 @@ validate_commit_and_parents() {
  return 1
 }

+# Recursive function to find all ancestors of commit
+# param1: commit hash
+# creates an array COMMITS, key is the commit hash, value is the commit time (Unix epoch seconds)
+# the array contains all commits found in all paths from the passed-in commit hash back to the root commit of the repo
+# the array is global so it can be accessed after the function returns
+find_all_commits() {
+  local COMMIT_HASH="$1"
+  log "find_all_commits for $COMMIT_HASH"
+  # git show "ct" format returns the commit time as Unix epoch seconds
+  COMMIT_TIME=$(git show --no-patch --format=%ct "$COMMIT_HASH")
+  COMMITS[$COMMIT_HASH]="${COMMIT_TIME}"
+
+  local PARENTS=$(git cat-file -p "$COMMIT_HASH" | awk '/^$/{exit} /parent/ {print}' | sed 's/parent //')
+  # iterate over all parents of commit
+  if [ ! -z "$PARENTS" ]; then
+    while read PARENT_HASH; do
+      if [[ ${COMMITS[$PARENT_HASH]} ]]; then
+        log "commit $PARENT_HASH has already been processed"
+      else
+        find_all_commits "$PARENT_HASH"
+      fi
+    done <<< $(printf "%s" "$PARENTS")
+  fi
+}
+
+# Validate the commits in the COMMITS array, up to MAX_COMMITS_TO_CHECK
+# returns: 0 if the validation of the commits succeeded
+validate_commits() {
+  ALL_PASSED=true
+  # create an associative array with keys using the Unix epoch commit time and value the commit hash
+  # this array can be easily used to sort in (forward or reverse) order of time
+  for HASH in "${!COMMITS[@]}"; do
+    UNIX_EPOCH_TIME="${COMMITS[$HASH]}"
+    # two commits could have the exact same Unix epoch in seconds
+    # so make that unique by appending an "x" and the hash
+    UNIQUE_KEY="${UNIX_EPOCH_TIME}x${HASH}"
+    COMMIT_TIMES[$UNIQUE_KEY]="${HASH}"
+  done
+  # sort into reverse order
+  SORTED_KEYS=($(printf "%s\n" "${!COMMIT_TIMES[@]}" | sort -r))
+  # process the commits from latest time to oldest time
+  ALL_PASSED=true
+  for ENTRY in "${SORTED_KEYS[@]}"; do
+    COMMIT_HASH=${COMMIT_TIMES[${ENTRY}]}
+    log "${ENTRY} has value ${COMMIT_HASH}"
+    NUM_COMMITS_CHECKED=${#PROCESSED_COMMIT[@]}
+    if [[ ${NUM_COMMITS_CHECKED} -lt ${MAX_COMMITS_TO_CHECK} ]]; then
+      if ! validate_commit "$COMMIT_HASH"; then
+        ALL_PASSED=false
+      fi
+    fi
+  done
+  if [ "$ALL_PASSED" = true ]; then
+    return 0
+  fi
+  return 1
+}
+
 echo_info "Checking repository integrity..."
 #check git repository integrity
 if ! git fsck --full --strict --no-progress --no-dangling "$COMMIT_HASH"; then
@@ -326,10 +412,21 @@ echo ""

 echo_info "Validating timestamps. This may take a while..."
 echo ""
-if validate_commit_and_parents "$COMMIT_HASH"; then
-  echo_success "Validation OK: All timestamped commits in the commit history of $COMMIT_HASH contain at least one valid timestamp."
-  exit 0
+if [[ ${MAX_COMMITS_TO_CHECK} -ge 1 ]]; then
+  find_all_commits "$COMMIT_HASH"
+  if validate_commits; then
+    echo_success "Validation OK: ${NUM_COMMITS_CHECKED} timestamped commits in the commit history of $COMMIT_HASH contain at least one valid timestamp."
+    exit 0
+  else
+    echo_error "Validation Failed: There are timestamped commits in the commit history of $COMMIT_HASH which do not contain any valid timestamps."
+    exit 1
+  fi
 else
-  echo_error "Validation Failed: There are timestamped commits in the commit history of $COMMIT_HASH which do not contain any valid timestamps."
-  exit 1
+  if validate_commit_and_parents "$COMMIT_HASH"; then
+    echo_success "Validation OK: All timestamped commits in the commit history of $COMMIT_HASH contain at least one valid timestamp."
+    exit 0
+  else
+    echo_error "Validation Failed: There are timestamped commits in the commit history of $COMMIT_HASH which do not contain any valid timestamps."
+    exit 1
+  fi
 fi
Author	SHA1	Message	Date
Artur Neumann	093d283977	Merge pull request 'feature: validate commits in reverse date-time order when MAX_COMMITS_TO_CHECK is used' (#12 ) from date-order into main All checks were successful Validate Trusted Timestamps Actions Demo / Validate (push) Successful in 54m17s Details Reviewed-on: #12 Reviewed-by: Artur Neumann <artur@jankaritech.eu>	2025-06-04 03:16:25 +00:00
Phil Davis	d48097695b	feature: validate commits in reverse date-time order when MAX_COMMITS_TO_CHECK is used All checks were successful Validate Trusted Timestamps Actions Demo / Validate (push) Successful in 28m9s Details This ensures that the most recent commits are the ones that are validated.	2025-06-03 17:21:42 +05:45
phil	1622c1244f	Merge pull request 'fix: stop correctly when MAX_COMMITS_TO_CHECK is reached' (#10 ) from respect-MAX_COMMITS_TO_CHECK into main All checks were successful Validate Trusted Timestamps Actions Demo / Validate (push) Successful in 22m53s Details Reviewed-on: #10 Reviewed-by: Artur Neumann <artur@jankaritech.eu>	2025-06-02 11:40:09 +00:00
Phil Davis	f712aa0822	chore: adjust comment about MAX_COMMITS_TO_CHECK All checks were successful Validate Trusted Timestamps Actions Demo / Validate (push) Successful in 14m39s Details	2025-06-02 15:32:48 +05:45
Phil Davis	8aba6e98d1	fix: stop correctly when MAX_COMMITS_TO_CHECK is reached All checks were successful Validate Trusted Timestamps Actions Demo / Validate (push) Successful in 11m40s Details	2025-06-02 14:32:23 +05:45
phil	31e44f9b70	Merge pull request 'feature: limit the number of commits to be validated' (#9 ) from limit-num-commits-validated into main All checks were successful Validate Trusted Timestamps Actions Demo / Validate (push) Successful in 14m5s Details Reviewed-on: #9 Reviewed-by: Artur Neumann <artur@jankaritech.eu>	2025-06-02 04:10:47 +00:00
Phil Davis	4437b66f67	feature: default to checking all commits All checks were successful Validate Trusted Timestamps Actions Demo / Validate (push) Successful in 13m47s Details	2025-05-29 09:55:57 +05:45
Phil Davis	aabd314dde	feature: limit the number of commits to be validated All checks were successful Validate Trusted Timestamps Actions Demo / Validate (push) Successful in 49s Details Signed-off-by: Phil Davis <phil@jankaritech.com>	2025-05-28 10:56:06 +05:45
Artur Neumann	ac5e6a6a89	Merge pull request 'only validate each commit once' (#7 ) from validate-each-commit-once-only into main All checks were successful Validate Trusted Timestamps Actions Demo / Validate (push) Successful in 2m59s Details Reviewed-on: #7 Reviewed-by: Artur Neumann <artur@jankaritech.eu>	2025-03-19 03:55:52 +00:00
Phil Davis	2976a241af	only validate each commit once All checks were successful Validate Trusted Timestamps Actions Demo / Validate (push) Successful in 2m8s Details	2025-03-18 13:47:27 +05:45
Artur Neumann	0d1494003c	Merge pull request 'follow redirects when downloading certificates' (#6 ) from follow into main All checks were successful Validate Trusted Timestamps Actions Demo / Validate (push) Successful in 25m42s Details Reviewed-on: #6 Reviewed-by: phil <phil@jankaritech.eu>	2025-02-17 03:37:10 +00:00
Artur Neumann	06b6d255e8	-----TIMESTAMP COMMIT----- All checks were successful Validate Trusted Timestamps Actions Demo / Validate (push) Successful in 13m36s Details Version: 1 Algorithm: sha1 Preimage: version:1,parent:d5c7b22b53192ffed685f3b8362ff8e8076c290c,tree:86b28882e4cf79c90690ac82831ddf06a10e55ad Digest: 0050ab353bfbdc4f0faf1d555d19787eaf6a6913 Timestamp: https://freetsa.org/tsr Info: Timestamp generated with GitTrustedTimestamps by Mabulous GmbH Version: 1 Policy OID: tsa_policy1 Hash Algorithm: sha1 Message data: 0000 - 00 50 ab 35 3b fb dc 4f-0f af 1d 55 5d 19 78 7e .P.5;..O...U].x~ 0010 - af 6a 69 13 .ji. Serial number: 0x05806698 Time stamp: Feb 13 06:24:31 2025 GMT Accuracy: unspecified Ordering: yes Nonce: 0x9BFC14C8020EB66B TSA: DirName:/O=Free TSA/OU=TSA/description=This certificate digitally signs documents and time stamp requests made using the freetsa.org online services/CN=www.freetsa.org/emailAddress=busilezas@gmail.com/L=Wuerzburg/C=DE/ST=Bayern Extensions: -----BEGIN RFC3161 TOKEN----- MIIFOAYJKoZIhvcNAQcCoIIFKTCCBSUCAQMxDzANBglghkgBZQMEAgMFADCCAX8G CyqGSIb3DQEJEAEEoIIBbgSCAWowggFmAgEBBgQqAwQBMCEwCQYFKw4DAhoFAAQU AFCrNTv73E8Prx1VXRl4fq9qaRMCBAWAZpgYDzIwMjUwMjEzMDYyNDMxWgEB/wIJ AJv8FMgCDrZroIIBEaSCAQ0wggEJMREwDwYDVQQKEwhGcmVlIFRTQTEMMAoGA1UE CxMDVFNBMXYwdAYDVQQNE21UaGlzIGNlcnRpZmljYXRlIGRpZ2l0YWxseSBzaWdu cyBkb2N1bWVudHMgYW5kIHRpbWUgc3RhbXAgcmVxdWVzdHMgbWFkZSB1c2luZyB0 aGUgZnJlZXRzYS5vcmcgb25saW5lIHNlcnZpY2VzMRgwFgYDVQQDEw93d3cuZnJl ZXRzYS5vcmcxIjAgBgkqhkiG9w0BCQEWE2J1c2lsZXphc0BnbWFpbC5jb20xEjAQ BgNVBAcTCVd1ZXJ6YnVyZzELMAkGA1UEBhMCREUxDzANBgNVBAgTBkJheWVybjGC A4owggOGAgEBMIGjMIGVMREwDwYDVQQKEwhGcmVlIFRTQTEQMA4GA1UECxMHUm9v dCBDQTEYMBYGA1UEAxMPd3d3LmZyZWV0c2Eub3JnMSIwIAYJKoZIhvcNAQkBFhNi dXNpbGV6YXNAZ21haWwuY29tMRIwEAYDVQQHEwlXdWVyemJ1cmcxDzANBgNVBAgT BkJheWVybjELMAkGA1UEBhMCREUCCQDB6YYWDajpgjANBglghkgBZQMEAgMFAKCB uDAaBgkqhkiG9w0BCQMxDQYLKoZIhvcNAQkQAQQwHAYJKoZIhvcNAQkFMQ8XDTI1 MDIxMzA2MjQzMVowKwYLKoZIhvcNAQkQAgwxHDAaMBgwFgQUkW2j2GDsyoLjS8Wd F5Pn6WiHXxQwTwYJKoZIhvcNAQkEMUIEQB52HUI0c2GSPHMEZ06bBC1B3c44YNNd ZAX5WaBuXq67HV+nlNcnY2HUtBEfDt0gjx9g8mXfVCB/hVpC+EN2bf8wDQYJKoZI hvcNAQEBBQAEggIAg3ZRGvOLTqX6ulk4dwjYRcj+nKK8hh2vyohA8OMq/+4VgYG+ Ujgqe29V4APXQ3SsCtotSufOqWifSvzzn/olaUYOn9d8aP24JiDcmNf6oFUnZHEJ TfbQ0SUDeAYNodNMVxjG3IrVu0TYqjTLPmjYxvjeipnshUvfNDFzW87QILYT/ChB GNAv8p91z41/D+vMjtOUoSsyWDMUhrbxRWqsxHTDiBqAmWeGPVONxFpZDaRJpHlR pqkY/Cgs2JONw+o3AKCiSm9Hleue3liHxR0N6wixuZUl1eYge/19VluxeMLNS2IP Lx7vELITLpGsmtSCUKAhWgRd77xUrrfpQif1dIiZvHOIXF702swKuvsQ8jcXheQn 1jBSLuiZbjLzpMGp59pN43ObhUeYwGmbgqlQaceP6C73iQogBU3N9uY5J3hwdYbx SgZUhyApjUIvhVKmSm9UU56dOYCxmb0innyxdDsWc3hdeDXAdIibPx+B6AcDlysr 8QyEKgWogfEq+/NrFsc6xe+Jn6Td+p3+5izS6CgsHHA8S2nXfmQFNzMi2hnWVL5L f4zH0xoR+vD5vcQxo1K/FHh+6F6OxvAsjS2/KmmUjvj6yypVNqZGjTTvusGS9xKG r3jF1qbwWdKwhD0+LrdEia3TA5R+0eXc79aEeeoRrBGmY1O589cCYRJDPzE= -----END RFC3161 TOKEN----- Timestamp: https://tsa.cesnet.cz:3162/tsa Info: Timestamp generated with GitTrustedTimestamps by Mabulous GmbH Version: 1 Policy OID: 1.3.6.1.4.1.22408.1.2.3.45 Hash Algorithm: sha1 Message data: 0000 - 00 50 ab 35 3b fb dc 4f-0f af 1d 55 5d 19 78 7e .P.5;..O...U].x~ 0010 - af 6a 69 13 .ji. Serial number: 0x72F09E96316D97FF Time stamp: Feb 13 06:24:32 2025 GMT Accuracy: unspecified Ordering: no Nonce: 0xE050DA61DF1B13B1 TSA: DirName:/DC=cz/DC=cesnet-ca/O=CESNET/CN=tsa.cesnet.cz Extensions: -----BEGIN RFC3161 TOKEN----- MIID1QYJKoZIhvcNAQcCoIIDxjCCA8ICAQMxDzANBglghkgBZQMEAgEFADCBzgYL KoZIhvcNAQkQAQSggb4EgbswgbgCAQEGDCsGAQQBga8IAQIDLTAhMAkGBSsOAwIa BQAEFABQqzU7+9xPD68dVV0ZeH6vamkTAghy8J6WMW2X/xgPMjAyNTAyMTMwNjI0 MzJaAgkA4FDaYd8bE7GgXKRaMFgxEjAQBgoJkiaJk/IsZAEZFgJjejEZMBcGCgmS JomT8ixkARkWCWNlc25ldC1jYTEPMA0GA1UECgwGQ0VTTkVUMRYwFAYDVQQDDA10 c2EuY2VzbmV0LmN6MYIC2TCCAtUCAQEwbDBgMRIwEAYKCZImiZPyLGQBGRYCY3ox GTAXBgoJkiaJk/IsZAEZFgljZXNuZXQtY2ExEjAQBgNVBAoMCUNFU05FVCBDQTEb MBkGA1UEAwwSUGVyc29uYWwgU2lnbmluZyAyAghq94ZoOsDXcDANBglghkgBZQME AgEFAKCCAT4wGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEEMBwGCSqGSIb3DQEJ BTEPFw0yNTAyMTMwNjI0MzJaMC0GCSqGSIb3DQEJNDEgMB4wDQYJYIZIAWUDBAIB BQChDQYJKoZIhvcNAQELBQAwLwYJKoZIhvcNAQkEMSIEIBOM1Xd1ny1/Cn2qwXnV uTCuRE5ISmPDMJ66d0bTQKmzMIGhBgsqhkiG9w0BCRACDDGBkTCBjjCBizCBiAQU UCTsC5lLIjDwCg+Qpg0dKB0bP74wcDBkpGIwYDESMBAGCgmSJomT8ixkARkWAmN6 MRkwFwYKCZImiZPyLGQBGRYJY2VzbmV0LWNhMRIwEAYDVQQKDAlDRVNORVQgQ0Ex GzAZBgNVBAMMElBlcnNvbmFsIFNpZ25pbmcgMgIIaveGaDrA13AwDQYJKoZIhvcN AQELBQAEggEArnIdS1TSpOveavo2Y83DKcRVh73cD5uykpY6R0OFFxY/NprrYnT/ AHl+skRF0k5zcsVCbhH/BoWujj4Y+Oz5fSk29P/etC5kxTz9gMfmgSbKvV04vGjY n99Pb+ubx2xUFFQ4QeG43Esja4E37kt1H9VWuYBy+kNnExhQOW0/SwZXHJ3RV2N6 bvIHeTjXYopgAdUn9Nvr70FS9QYgr/D/gIrx6YEOoWcra8fA/ze2s6kIeO2KgTMO 7yt51tcjOtKvn/0amvHAazS4fnSDKoPWdQB33ZQQBcAI+luVGCpMYo5dHRQirOef VGE4bjPCkyXj9vuyQslf+yMw4VJ0Ur9yUw== -----END RFC3161 TOKEN-----	2025-02-13 12:09:32 +05:45
Artur Neumann	d5c7b22b53	follow redirects when downloading certificate	2025-02-13 12:09:11 +05:45
Artur Neumann	0e07bab508	Merge pull request 'automatically validate all timestamps in CI' (#5 ) from validate-timestamps-in-ci into main All checks were successful Validate Trusted Timestamps Actions Demo / Validate (push) Successful in 13m35s Details Reviewed-on: #5 Reviewed-by: phil <phil@jankaritech.eu>	2025-01-31 05:52:10 +00:00
Artur Neumann	b1a1cdd088	-----TIMESTAMP COMMIT----- All checks were successful Validate Trusted Timestamps Actions Demo / Validate (push) Successful in 7m30s Details Version: 1 Algorithm: sha1 Preimage: version:1,parent:e1d1c5e26ee291018cd217af3f734066af67e1c2,tree:6bb692a51b515326489d4f5cda9f6de455bf71bb Digest: a45bc2719ce0c445cf7aaec3549ae8e8297c45a3 Timestamp: https://freetsa.org/tsr Info: Timestamp generated with GitTrustedTimestamps by Mabulous GmbH Version: 1 Policy OID: tsa_policy1 Hash Algorithm: sha1 Message data: 0000 - a4 5b c2 71 9c e0 c4 45-cf 7a ae c3 54 9a e8 e8 .[.q...E.z..T... 0010 - 29 7c 45 a3 )\|E. Serial number: 0x0527B7D9 Time stamp: Jan 24 10:27:32 2025 GMT Accuracy: unspecified Ordering: yes Nonce: 0x301EF3AF455AF2B2 TSA: DirName:/O=Free TSA/OU=TSA/description=This certificate digitally signs documents and time stamp requests made using the freetsa.org online services/CN=www.freetsa.org/emailAddress=busilezas@gmail.com/L=Wuerzburg/C=DE/ST=Bayern Extensions: -----BEGIN RFC3161 TOKEN----- MIIFNwYJKoZIhvcNAQcCoIIFKDCCBSQCAQMxDzANBglghkgBZQMEAgMFADCCAX4G CyqGSIb3DQEJEAEEoIIBbQSCAWkwggFlAgEBBgQqAwQBMCEwCQYFKw4DAhoFAAQU pFvCcZzgxEXPeq7DVJro6Cl8RaMCBAUnt9kYDzIwMjUwMTI0MTAyNzMyWgEB/wII MB7zr0Va8rKgggERpIIBDTCCAQkxETAPBgNVBAoTCEZyZWUgVFNBMQwwCgYDVQQL EwNUU0ExdjB0BgNVBA0TbVRoaXMgY2VydGlmaWNhdGUgZGlnaXRhbGx5IHNpZ25z IGRvY3VtZW50cyBhbmQgdGltZSBzdGFtcCByZXF1ZXN0cyBtYWRlIHVzaW5nIHRo ZSBmcmVldHNhLm9yZyBvbmxpbmUgc2VydmljZXMxGDAWBgNVBAMTD3d3dy5mcmVl dHNhLm9yZzEiMCAGCSqGSIb3DQEJARYTYnVzaWxlemFzQGdtYWlsLmNvbTESMBAG A1UEBxMJV3VlcnpidXJnMQswCQYDVQQGEwJERTEPMA0GA1UECBMGQmF5ZXJuMYID ijCCA4YCAQEwgaMwgZUxETAPBgNVBAoTCEZyZWUgVFNBMRAwDgYDVQQLEwdSb290 IENBMRgwFgYDVQQDEw93d3cuZnJlZXRzYS5vcmcxIjAgBgkqhkiG9w0BCQEWE2J1 c2lsZXphc0BnbWFpbC5jb20xEjAQBgNVBAcTCVd1ZXJ6YnVyZzEPMA0GA1UECBMG QmF5ZXJuMQswCQYDVQQGEwJERQIJAMHphhYNqOmCMA0GCWCGSAFlAwQCAwUAoIG4 MBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAcBgkqhkiG9w0BCQUxDxcNMjUw MTI0MTAyNzMyWjArBgsqhkiG9w0BCRACDDEcMBowGDAWBBSRbaPYYOzKguNLxZ0X k+fpaIdfFDBPBgkqhkiG9w0BCQQxQgRAOhGsL1oQELPv80v31i69i6cmzAjZZQHN HJa/S4qmj6B6+larLZDPHJpIBcuBn1yXxEUylN6O5wjBy4Bt1OfVOzANBgkqhkiG 9w0BAQEFAASCAgA22duKRnJngnpVAjqex7dIDOleDMlwL97U5BaYrCHKJfUEwIH8 M3Q2HmiYEIFBXwnifxQxY4zZXJIAx7VIhwW82Yyt9c5SlPAWRKTZ8tllJQy0gUiL fFcn+tj0iKJEcBTHM5rxRlIJkP2S0nu0FPC3/lUsx0MLSL7gA11h2lsQhPMdehHx yp5JMuSg/+fiqfmwwSFBd9LPlxmwcyBu/6sBKSoPBnL9DJiKl9GZYKrxoUiGJF9s 6N+wkbp5qgusAnsEOnb8rd1+BYn74wyXtY+8z3nmO/qTV6DJWFe94NMYRvilGf3F 9hqpXAVF0LCrUWbwNpWsUlE/+V5OiDgs4mRWLNFIXvcHySOkPmM1y7xDvUUIcvsw uwDUwPmwpAHSTXgakcfkhLdxev6H4yPUO0LjzGfL5U7Rwzjt/SygJRgZhLO3cDI0 94sbBMiNUbnjSOCTW9AJ4FAHJchzDWjHo6EHPq/VZBm5dhlc6nLLjb4glL7nTQ6B j1ceJhZ/1P4n9Ht7tXHNjysKd5kRkstMecsC8XkeTHyzcCpH4MnnkDlY0yY8imAp Bvk5M0kpeE0CX1X15TRNHCKoLhuBHGj6CS2CaPwhsSzR5Iemt0eIIiIUNNWAQ97z vRZ+wF7EefGsf3MNyl5UqaTdWyBReNbllSTasN4zlo1NJBv6k7xNI8QfdQ== -----END RFC3161 TOKEN----- Timestamp: https://tsa.cesnet.cz:3162/tsa Info: Timestamp generated with GitTrustedTimestamps by Mabulous GmbH Version: 1 Policy OID: 1.3.6.1.4.1.22408.1.2.3.45 Hash Algorithm: sha1 Message data: 0000 - a4 5b c2 71 9c e0 c4 45-cf 7a ae c3 54 9a e8 e8 .[.q...E.z..T... 0010 - 29 7c 45 a3 )\|E. Serial number: 0x27AA2B6CB2AEA0CE Time stamp: Jan 24 10:27:33 2025 GMT Accuracy: unspecified Ordering: no Nonce: 0xEB2CD76043666DEA TSA: DirName:/DC=cz/DC=cesnet-ca/O=CESNET/CN=tsa.cesnet.cz Extensions: -----BEGIN RFC3161 TOKEN----- MIID1QYJKoZIhvcNAQcCoIIDxjCCA8ICAQMxDzANBglghkgBZQMEAgEFADCBzgYL KoZIhvcNAQkQAQSggb4EgbswgbgCAQEGDCsGAQQBga8IAQIDLTAhMAkGBSsOAwIa BQAEFKRbwnGc4MRFz3quw1Sa6OgpfEWjAggnqitssq6gzhgPMjAyNTAxMjQxMDI3 MzNaAgkA6yzXYENmbeqgXKRaMFgxEjAQBgoJkiaJk/IsZAEZFgJjejEZMBcGCgmS JomT8ixkARkWCWNlc25ldC1jYTEPMA0GA1UECgwGQ0VTTkVUMRYwFAYDVQQDDA10 c2EuY2VzbmV0LmN6MYIC2TCCAtUCAQEwbDBgMRIwEAYKCZImiZPyLGQBGRYCY3ox GTAXBgoJkiaJk/IsZAEZFgljZXNuZXQtY2ExEjAQBgNVBAoMCUNFU05FVCBDQTEb MBkGA1UEAwwSUGVyc29uYWwgU2lnbmluZyAyAghq94ZoOsDXcDANBglghkgBZQME AgEFAKCCAT4wGgYJKoZIhvcNAQkDMQ0GCyqGSIb3DQEJEAEEMBwGCSqGSIb3DQEJ BTEPFw0yNTAxMjQxMDI3MzNaMC0GCSqGSIb3DQEJNDEgMB4wDQYJYIZIAWUDBAIB BQChDQYJKoZIhvcNAQELBQAwLwYJKoZIhvcNAQkEMSIEIODM6KO3/ht6dWauUKQT N3BJKLMYAmo+GyAN5hfHC80lMIGhBgsqhkiG9w0BCRACDDGBkTCBjjCBizCBiAQU UCTsC5lLIjDwCg+Qpg0dKB0bP74wcDBkpGIwYDESMBAGCgmSJomT8ixkARkWAmN6 MRkwFwYKCZImiZPyLGQBGRYJY2VzbmV0LWNhMRIwEAYDVQQKDAlDRVNORVQgQ0Ex GzAZBgNVBAMMElBlcnNvbmFsIFNpZ25pbmcgMgIIaveGaDrA13AwDQYJKoZIhvcN AQELBQAEggEAW8YhIhKvAEroACSgC1XB/fGemF9KUAYz9RAVMzCzNqvCJlut56Wc ynCl7NG7b+cR8OEtecp9VvzqHoVH1B0YpOWglkIYYRWEy3sWuYjQLiTBwTxvmTUC NQXn4khbngiZboXHnF8c/y2qxBwENra4TPt4JT5HdfNdkOhf7UhGH3FrgpHDpgPN Qsh3oXZz9140D9oT5DB/uXDRGkhCJ/9aWrP3VgIraFZ/LBJMYA1KAdc+wLsMMMUx nQzto8K2t4OMKVW731Z+43lY/GQECDWgvi5KXnT7r5wYGh5QaAziOf/XnalvtohN /Y2Cda6fjivYNFbyjkvsJJzOTFf6W+XE+g== -----END RFC3161 TOKEN-----	2025-01-24 16:12:33 +05:45
Artur Neumann	e1d1c5e26e	automatically validate all timestamps any time a change is proposed or incrporated int the archive (main branch) this check runs and 1. checks if all certificates of the Time-stamping authorities are as expected 2. all new and historic time-stamps are valid	2025-01-24 16:12:22 +05:45