• sigstore public good instance is deploying a rekor v2 transparency log: https://blog.sigstore.dev/rekor-v2-alpha/
• the current rekor v1 log continues operations but long term it will become read-only at some point
• sigstore-python 4.0 supports rekorv2, however...
• rekorv2 entries do not contain an integrated timestamp: external timestamps are required. (for an example, Sigstore itself handles them by just droppign the RFC3161 timestamps in the signature bundles: https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto#L108)
• Currently pypi attestations do not contain timestamps

the pypi attestations should be amended so they can contain timestamps as well