-----TIMESTAMP COMMIT-----

Version: 1

Algorithm: sha1

Preimage: version:1,parent:cb082d29fb182cf908fdc7f89b3336204444c65c,tree:42bfceabd878ae1144c9d7a461e5b91c5bac7d7d

Digest: 1d5032b3c53be0a86fc193a02211fac12febc24f

Timestamp: https://freetsa.org/tsr
 Info: Timestamp generated with GitTrustedTimestamps by Mabulous GmbH

 Version: 1
 Policy OID: tsa_policy1
 Hash Algorithm: sha1
 Message data:
     0000 - 1d 50 32 b3 c5 3b e0 a8-6f c1 93 a0 22 11 fa c1   .P2..;..o..."...
     0010 - 2f eb c2 4f                                       /..O
 Serial number: 0x0527B39A
 Time stamp: Jan 24 10:23:07 2025 GMT
 Accuracy: unspecified
 Ordering: yes
 Nonce: 0xF5E891CBF8D33F94
 TSA: DirName:/O=Free TSA/OU=TSA/description=This certificate digitally signs documents and time stamp requests made using the freetsa.org online services/CN=www.freetsa.org/emailAddress=busilezas@gmail.com/L=Wuerzburg/C=DE/ST=Bayern
 Extensions:

 -----BEGIN RFC3161 TOKEN-----
 MIIFOAYJKoZIhvcNAQcCoIIFKTCCBSUCAQMxDzANBglghkgBZQMEAgMFADCCAX8G
 CyqGSIb3DQEJEAEEoIIBbgSCAWowggFmAgEBBgQqAwQBMCEwCQYFKw4DAhoFAAQU
 HVAys8U74KhvwZOgIhH6wS/rwk8CBAUns5oYDzIwMjUwMTI0MTAyMzA3WgEB/wIJ
 APXokcv40z+UoIIBEaSCAQ0wggEJMREwDwYDVQQKEwhGcmVlIFRTQTEMMAoGA1UE
 CxMDVFNBMXYwdAYDVQQNE21UaGlzIGNlcnRpZmljYXRlIGRpZ2l0YWxseSBzaWdu
 cyBkb2N1bWVudHMgYW5kIHRpbWUgc3RhbXAgcmVxdWVzdHMgbWFkZSB1c2luZyB0
 aGUgZnJlZXRzYS5vcmcgb25saW5lIHNlcnZpY2VzMRgwFgYDVQQDEw93d3cuZnJl
 ZXRzYS5vcmcxIjAgBgkqhkiG9w0BCQEWE2J1c2lsZXphc0BnbWFpbC5jb20xEjAQ
 BgNVBAcTCVd1ZXJ6YnVyZzELMAkGA1UEBhMCREUxDzANBgNVBAgTBkJheWVybjGC
 A4owggOGAgEBMIGjMIGVMREwDwYDVQQKEwhGcmVlIFRTQTEQMA4GA1UECxMHUm9v
 dCBDQTEYMBYGA1UEAxMPd3d3LmZyZWV0c2Eub3JnMSIwIAYJKoZIhvcNAQkBFhNi
 dXNpbGV6YXNAZ21haWwuY29tMRIwEAYDVQQHEwlXdWVyemJ1cmcxDzANBgNVBAgT
 BkJheWVybjELMAkGA1UEBhMCREUCCQDB6YYWDajpgjANBglghkgBZQMEAgMFAKCB
 uDAaBgkqhkiG9w0BCQMxDQYLKoZIhvcNAQkQAQQwHAYJKoZIhvcNAQkFMQ8XDTI1
 MDEyNDEwMjMwN1owKwYLKoZIhvcNAQkQAgwxHDAaMBgwFgQUkW2j2GDsyoLjS8Wd
 F5Pn6WiHXxQwTwYJKoZIhvcNAQkEMUIEQN7EaC85Vyk+0l3HqRxUgpijlmVkgazq
 Dxy0KLnjoATJvB+q/cqWelCj4mqWq8J8getOgSm4RvTwveCtInV5fvowDQYJKoZI
 hvcNAQEBBQAEggIAcx+r+yFu6vR/Wb+tLmx6R/kNSYHQEJN7e9chp8BQieFBrP2w
 Vc+TSWgkWfZEshOWwMitexUVJGNcbsfbpe3xyUQQ9UEpu4R2w8DFkUkR+0GCoFXJ
 2dOWSkN1o7AjziV4BWJp2n7qV5f2llG4aHylLSHGtFc5UtmfmzlfCX13nSyjqBxW
 YzOl8m0o51PrIqnz7pWvUtwlqmvIg1Cr4aVr7APLXF7sDvB4ZspYKmXlyBdAgHU0
 tqJUqj3oBeLUaUQw2z6ThwsTVu0v3BViTz5q5FpoUYQT5lO+of2bK+UgQIpNuRtv
 XoqVnP7YR0CXUl/AW12Tjfb6Ifp9MZu+Pzhh9BJq1Wur/fXrL/CnJC/jhowVa24Z
 e6oq203R61ZUCsBOYzGaDGFwqF+D86+caZePcQfQFIB9voJbhSkoqKQgvWoFIZBD
 ukH16CoMewT2VkmorF7IUhBTkglNJKKKoLgdV3jv+Zyu8nknJcJTcaPfGWB47h3p
 gNc2GceOVBmSh22+GcWEjDitQ5sNnI7lJoyIV/H0yADaWVEYCDIKcmQo/KRvsTq2
 Y1dYkKUtHkVfxOC5BD7rKjcOCm18uTpRdhkZvBteAa4XBGbkiAYWPgqkZtMAlj5J
 2xVX2+Iki4X/B794vpR+5bdXNEbnPrhCuUnvLK1kuiUSYzCO9L5jn2tMhIM=
 -----END RFC3161 TOKEN-----

Timestamp: https://tsa.cesnet.cz:3162/tsa
 Info: Timestamp generated with GitTrustedTimestamps by Mabulous GmbH

 Version: 1
 Policy OID: 1.3.6.1.4.1.22408.1.2.3.45
 Hash Algorithm: sha1
 Message data:
     0000 - 1d 50 32 b3 c5 3b e0 a8-6f c1 93 a0 22 11 fa c1   .P2..;..o..."...
     0010 - 2f eb c2 4f                                       /..O
 Serial number: 0x58137BC933BED608
 Time stamp: Jan 24 10:23:08 2025 GMT
 Accuracy: unspecified
 Ordering: no
 Nonce: 0x3892A48C5B5008BF
 TSA: DirName:/DC=cz/DC=cesnet-ca/O=CESNET/CN=tsa.cesnet.cz
 Extensions:

 -----BEGIN RFC3161 TOKEN-----
 MIID1AYJKoZIhvcNAQcCoIIDxTCCA8ECAQMxDzANBglghkgBZQMEAgEFADCBzQYL
 KoZIhvcNAQkQAQSggb0EgbowgbcCAQEGDCsGAQQBga8IAQIDLTAhMAkGBSsOAwIa
 BQAEFB1QMrPFO+Cob8GToCIR+sEv68JPAghYE3vJM77WCBgPMjAyNTAxMjQxMDIz
 MDhaAgg4kqSMW1AIv6BcpFowWDESMBAGCgmSJomT8ixkARkWAmN6MRkwFwYKCZIm
 iZPyLGQBGRYJY2VzbmV0LWNhMQ8wDQYDVQQKDAZDRVNORVQxFjAUBgNVBAMMDXRz
 YS5jZXNuZXQuY3oxggLZMIIC1QIBATBsMGAxEjAQBgoJkiaJk/IsZAEZFgJjejEZ
 MBcGCgmSJomT8ixkARkWCWNlc25ldC1jYTESMBAGA1UECgwJQ0VTTkVUIENBMRsw
 GQYDVQQDDBJQZXJzb25hbCBTaWduaW5nIDICCGr3hmg6wNdwMA0GCWCGSAFlAwQC
 AQUAoIIBPjAaBgkqhkiG9w0BCQMxDQYLKoZIhvcNAQkQAQQwHAYJKoZIhvcNAQkF
 MQ8XDTI1MDEyNDEwMjMwOFowLQYJKoZIhvcNAQk0MSAwHjANBglghkgBZQMEAgEF
 AKENBgkqhkiG9w0BAQsFADAvBgkqhkiG9w0BCQQxIgQggJxlA/YfI/tcWVRjKA1t
 sIMo0ZiOxUfdYFmPMluSu88wgaEGCyqGSIb3DQEJEAIMMYGRMIGOMIGLMIGIBBRQ
 JOwLmUsiMPAKD5CmDR0oHRs/vjBwMGSkYjBgMRIwEAYKCZImiZPyLGQBGRYCY3ox
 GTAXBgoJkiaJk/IsZAEZFgljZXNuZXQtY2ExEjAQBgNVBAoMCUNFU05FVCBDQTEb
 MBkGA1UEAwwSUGVyc29uYWwgU2lnbmluZyAyAghq94ZoOsDXcDANBgkqhkiG9w0B
 AQsFAASCAQBmZoUcuxNtRLYwz9qsrGzlCHFPA8fRzz19pYqs8SisOG7F8l+dcIaq
 hPZI7voGQjyIiDF8BEVF57oUEqDRVXBBtWgxYevhSldTaEX20cLTLsUnOGDTfy5S
 xtmAKjcMa6NzcvtwHAH8r6t7ivATG+Adhpa6ZLRQXRzRN77RHVNjdUwlz9Wzg9fg
 zVNGJSuOnkHzFja31KzGdWX6KduNPkTyWqNHA28hvOi3K1Eq4PfPqXVnGiftpJkK
 dBFluJSefb4X9JHEtFmOAERvYumO1/foxxPUq1+DPu3oSfBRNEwerUqO440e8dIg
 kE3BrZ4NZZ8/pDdGfpuPWLjxAftzKZ/9
 -----END RFC3161 TOKEN-----

.gitea/workflows/validate.yaml

@@ -1,3 +1,14 @@
+location / {
+    proxy_pass        http://localhost:5232/;
+    proxy_set_header  X-Script-Name /radicale;
+    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header  X-Forwarded-Host $host;
+    proxy_set_header  X-Forwarded-Port $server_port;
+    proxy_set_header  X-Forwarded-Proto $scheme;
+    proxy_set_header  Host $http_host;
+    proxy_pass_header Authorization;
+}
+
 name: Validate Trusted Timestamps Actions Demo
 run-name: ${{ gitea.actor }} is validating the trusted timestamps of all commits 🚀
 on: [push]

.timestampltv/crls/E1D782A8E191BEEF6BCA1691B5AAB494A6249BF3.crl

@@ -2,17 +2,17 @@
 MIIC5jCCAc4CAQEwDQYJKoZIhvcNAQELBQAwcjELMAkGA1UEBhMCVVMxFTATBgNV
 BAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3LmRpZ2ljZXJ0LmNvbTExMC8G
 A1UEAxMoRGlnaUNlcnQgU0hBMiBBc3N1cmVkIElEIFRpbWVzdGFtcGluZyBDQRcN
-MjUwMjEyMDUyMjQ1WhcNMjUwMjE5MDUyMjQ1WjCB9TAhAhAL2v0LKRQzmpYSZqw1
+MjUwMTI0MDUxNDI4WhcNMjUwMTMxMDUxNDI4WjCB9TAhAhAL2v0LKRQzmpYSZqw1
 OkdEFw0xNjEwMjQxNzQyNDlaMCECEAH40oMtKRkZcbNQw9u8pQAXDTE2MTExMTE1
 MjEzNFowIQIQClKwbEb16yWgi9U/3Ht4hhcNMTgwOTAzMTIxMTQyWjAhAhAFlx7K
 SlmJinvPTLfjd5doFw0xOTA5MzAwODE2MjRaMCECEAxFkEkmQLBOlEh/jEwCeJAX
 DTIxMDIwOTIyMzk0MlowIQIQBMvnUVSd49EL7YN0yV7iRBcNMjEwMjA5MjMyMzM3
 WjAhAhALmUrhw5aLANVesgZ0jpseFw0yMTAyMDkyMzI0MjNaoDAwLjAfBgNVHSME
-GDAWgBT0tuEgHf4prtLkYaWyoiWyyBc1bjALBgNVHRQEBAICDO8wDQYJKoZIhvcN
-AQELBQADggEBALr4VopJYkMfQ97HiyqytcWRY/vgyU/LxOwlH0/1DBSeeObQB0Nj
-uF7vcF2bhbpnxba7gvzOPryudwtbqquf2cl3CJG6MC2D8Nk1XzntDnpxCjVSfsAr
-158zAWPevyiuj3yzFz04mYALt/ZmOJMTF0vyKN8cg5bwfLu3itV6b6vhpuloIhRc
-Hmsbgr3BtCVHkf4vJWq/qKDEMcOhSrJ6wxGCzVyphenewSIbVcogj19cRZDFPWOC
-3sAy/GY3Rz0qK30tDvNbE1uum8gy5ijXFmepJ/lEetRCvrIsxTsXJOj0tqVZfIIQ
-E1YWUZ57TiBBrdS+dTgmRxkN/zaAfYVAIck=
+GDAWgBT0tuEgHf4prtLkYaWyoiWyyBc1bjALBgNVHRQEBAICDNwwDQYJKoZIhvcN
+AQELBQADggEBAGuGW4lrI1pz4IwilL1u3rFRWD43/2Cu0+Pc1+tRx+QqB42aB0Jl
+esdIRc7t7bZ+5wmJyl5DTToQ3Vm7v34dXlblmmlJ2IM+1BKNEO4jMg82i4CFHtaE
+1e2lTfCOKR7YiTmUv/E44jAeQNJbt3k/6gnpDTGafJTIybYNh3uVDtC8Iiun4DKH
+x1qe0qzuixF2TDdTRgPP293nShxNJP5G9G5JaOGSreVOItwEhI+GP6rrPffcanfJ
+v7ghEutuJCE2BGZkqL5iEGgAbMYhFitCu58rfwCHF78uz8T/kxbe5Ax2Zu1IV3is
+kuc5vOHsT/GFYnMC4PZn9J9eYKLE6mzr0SY=
 -----END X509 CRL-----

hooks/timestamping

@@ -553,7 +553,7 @@ download_crls_for_chain() {
       local URL=$(openssl x509 -inform PEM -in $EXTRACTED_CERT -text -noout \
                   | awk '/CRL Distribution Points:/{f=1} f && /URI:/ {print; exit}' \
                   | sed 's/^.*URI://1')
-      if curl -L "$URL" --output "$CRL_TMP" &> "$OUT_STREAM"; then
+      if curl "$URL" --output "$CRL_TMP" &> "$OUT_STREAM"; then
         if openssl crl -in "$CRL_TMP" -inform DER -noout &> "$OUT_STREAM"; then
           openssl crl -in "$CRL_TMP" -inform DER >> "$OUTPUT_FILE"
         elif openssl crl -in "$CRL_TMP" -inform PEM -noout &> "$OUT_STREAM"; then

hooks/validate.sh

@@ -42,8 +42,6 @@ if [[ ! -d "$DIR" ]]; then DIR="$PWD"; fi
 . "$DIR/timestamping"
 
 declare -i MINVERSION=$TIMESTAMPING_VERSION
-declare -i MAX_COMMITS_TO_CHECK=0
-declare -A PROCESSED_COMMIT
 
 while [[ $# -gt 0 ]]; do
   KEY="$1"
@@ -63,16 +61,6 @@ while [[ $# -gt 0 ]]; do
       shift # past argument
       shift # past value
       ;;
-    -max|--maxcommits)
-      INTEGER_REGEX='^[0-9]+$'
-      if ! [[ "$2" =~ $INTEGER_REGEX ]]; then
-        echo_error "$KEY: expected positive integer"
-        exit 1
-      fi
-      MAX_COMMITS_TO_CHECK="$2"
-      shift # past argument
-      shift # past value
-      ;;
     -v|--verbose)
       OUT_STREAM=/dev/stdout
       shift # past argument
@@ -101,10 +89,6 @@ fi
 # tokens, the function will return 0 but echo a warning about the invalid token.
 validate_commit() {
   local COMMIT_HASH="$1"
-  if [[ ${PROCESSED_COMMIT[$COMMIT_HASH]} ]]; then
-    log "validate_commit for $COMMIT_HASH has already been validated"
-    return 0
-  fi
   log "validate_commit for $COMMIT_HASH"
 
   local TIMESTAMP_COMMIT_VERSION
@@ -291,8 +275,6 @@ validate_commit() {
   #assert that all extracted timestamps have been processed
   assert "[ $NUM_PROCESSED -eq $NUM_EXTRACTED ]" "All extracted token must be processed."
 
-  PROCESSED_COMMIT[$COMMIT_HASH]=1
-
   if [ $NUM_VALID -gt 0 ]; then
     if [ $NUM_INVALID -gt 0 ]; then
       echo_warning "Warning: While commit $COMMIT_HASH contains $NUM_VALID valid timestamp tokens and thus is considered proppely timestamped, it also contains $NUM_INVALID invalid timestamp tokens."
@@ -318,19 +300,14 @@ validate_commit_and_parents() {
   if ! validate_commit "$COMMIT_HASH"; then
     ALL_PASSED=false
   fi
-  # If MAX_COMMITS_TO_CHECK is zero (or a negative number) then that is understood as "infinity".
-  # So perform the next commit check if we have not reached the limit, or if the limit is "infinity".
-  NUM_COMMITS_CHECKED=${#PROCESSED_COMMIT[@]}
-  if [[ ${NUM_COMMITS_CHECKED} -lt ${MAX_COMMITS_TO_CHECK} ]] || [[ ${MAX_COMMITS_TO_CHECK} -lt 1 ]]; then
-    local PARENTS=$(git cat-file -p "$COMMIT_HASH" | awk '/^$/{exit} /parent/ {print}' | sed 's/parent //')
-    #iterate over all parents of commit
-    if [ ! -z "$PARENTS" ]; then
-      while read PARENT_HASH; do
-        if ! validate_commit_and_parents "$PARENT_HASH"; then
-          ALL_PASSED=false
-        fi
-      done <<< $(printf "%s" "$PARENTS")
-    fi
+  local PARENTS=$(git cat-file -p "$COMMIT_HASH" | awk '/^$/{exit} /parent/ {print}' | sed 's/parent //')
+  #iterate over all parents of commit
+  if [ ! -z "$PARENTS" ]; then
+    while read PARENT_HASH; do
+      if ! validate_commit_and_parents "$PARENT_HASH"; then
+        ALL_PASSED=false
+      fi
+    done <<< $(printf "%s" "$PARENTS")
   fi
   if [ "$ALL_PASSED" = true ]; then
     return 0