You’ll be amused to find out that the code that generated the Rekor TS cert has been changed to use digitalSignature as its KU. https://github.com/sigstore/rekor/pull/504/files
I think the change you made is correct, but you probably won’t see a nonRepudiation bit for a while again.

Mike

Sent from my iPad

> On Nov 17, 2021, at 15:09, Weijun Wang <wei...@openjdk.java.net> wrote:
>
> On Tue, 16 Nov 2021 19:36:11 GMT, Weijun Wang <wei...@openjdk.org> wrote:
>
>> There is no need to check for the KeyUsage extension when validating a TSA
>> certificate.
>>
>> A test is modified where a TSA cert has a KeyUsage but without the
>> DigitalSignature bit.
>
> This pull request has now been integrated.
>
> Changeset: 262d0700
> Author: Weijun Wang <wei...@openjdk.org>
> URL:
> https://git.openjdk.java.net/jdk/commit/262d07001babcbe7f9acd2053aa3b7bac304cf85
> Stats: 6 lines in 2 files changed: 3 ins; 0 del; 3 mod
>
> 8277246: Check for NonRepudiation as well when validating a TSA certificate
>
> Reviewed-by: xuelei, mullan
>
> -------------
>
> PR: https://git.openjdk.java.net/jdk/pull/6416
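
An added illustration, not part of the thread and not the JDK's own code: one way to express the check named in the changeset title, accepting a TSA certificate whose KeyUsage has either digitalSignature or nonRepudiation set. The class and method names are hypothetical, treating an absent KeyUsage extension as unrestricted is an assumption, the critical id-kp-timeStamping requirement comes from RFC 3161 rather than from this thread, and the bit arrays in `main` are constructed samples.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Set;

public class TsaCertCheck {
    static final String EKU_TIME_STAMPING = "1.3.6.1.5.5.7.3.8"; // id-kp-timeStamping
    static final String EXT_KEY_USAGE_OID = "2.5.29.37";         // extKeyUsage extension
    // Indexes into the array returned by X509Certificate.getKeyUsage()
    static final int KU_DIGITAL_SIGNATURE = 0;
    static final int KU_NON_REPUDIATION = 1;

    static boolean bit(boolean[] ku, int i) {
        return ku.length > i && ku[i];
    }

    /** ku is the result of getKeyUsage(); null means the extension is absent. */
    static boolean keyUsageAllowsTimestamping(boolean[] ku) {
        if (ku == null) {
            return true; // assumption: no KeyUsage extension means no restriction
        }
        return bit(ku, KU_DIGITAL_SIGNATURE) || bit(ku, KU_NON_REPUDIATION);
    }

    /** RFC 3161: the EKU must be critical and contain id-kp-timeStamping. */
    static boolean isAcceptableTsaCert(X509Certificate cert)
            throws CertificateParsingException {
        List<String> eku = cert.getExtendedKeyUsage();
        Set<String> critical = cert.getCriticalExtensionOIDs();
        boolean ekuOk = eku != null && eku.contains(EKU_TIME_STAMPING)
                && critical != null && critical.contains(EXT_KEY_USAGE_OID);
        return ekuOk && keyUsageAllowsTimestamping(cert.getKeyUsage());
    }

    public static void main(String[] args) {
        // Constructed samples: 9-element arrays as getKeyUsage() returns them.
        boolean[] digSig = {true, false, false, false, false, false, false, false, false};
        boolean[] nonRep = {false, true, false, false, false, false, false, false, false};
        boolean[] certSign = {false, false, false, false, false, true, false, false, false};

        System.out.println("no KeyUsage ext:   " + keyUsageAllowsTimestamping(null));
        System.out.println("digitalSignature:  " + keyUsageAllowsTimestamping(digSig));
        System.out.println("nonRepudiation:    " + keyUsageAllowsTimestamping(nonRep));
        System.out.println("keyCertSign only:  " + keyUsageAllowsTimestamping(certSign));
    }
}
```

Only the keyCertSign-only sample is rejected; a verifier that tests digitalSignature alone would also reject the nonRepudiation-only sample.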