From 3b39d52982ca8c6b14516b4866e6313a3af08d74 Mon Sep 17 00:00:00 2001
From: William Woodruff <william@trailofbits.com>
Date: Fri, 9 Aug 2024 13:41:49 -0400
Subject: [PATCH 1/3] sigstore_rekor: clarify inclusion_promise requirement

Signed-off-by: William Woodruff <william@trailofbits.com>
---
 protos/sigstore_rekor.proto | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/protos/sigstore_rekor.proto b/protos/sigstore_rekor.proto
index 424ff40c..09863ded 100644
--- a/protos/sigstore_rekor.proto
+++ b/protos/sigstore_rekor.proto
@@ -104,8 +104,10 @@ message TransparencyLogEntry {
         int64 integrated_time = 4 [(google.api.field_behavior) = REQUIRED];
         // The inclusion promise/signed entry timestamp from the log.
         // Required for v0.1 bundles, and MUST be verified.
-        // Optional for >= v0.2 bundles, and SHOULD be verified when present.
-        // Also may be used as a signed timestamp.
+        // Optional for >= v0.2 bundles if another source of signed time
+        // is present.
+        // MUST be verified if no other source of signed time is present,
+        // and SHOULD be verified otherwise.
         InclusionPromise inclusion_promise = 5;
         // The inclusion proof can be used for offline or online verification
         // that the entry was appended to the log, and that the log has not been

From 24414655aaa9760538e5fdea18486f4cdade4529 Mon Sep 17 00:00:00 2001
From: William Woodruff <william@trailofbits.com>
Date: Fri, 9 Aug 2024 13:47:29 -0400
Subject: [PATCH 2/3] gen: `make all`

Signed-off-by: William Woodruff <william@trailofbits.com>
---
 gen/jsonschema/schemas/Bundle.schema.json     |   2 +-
 gen/jsonschema/schemas/Input.schema.json      |   2 +-
 .../schemas/TransparencyLogEntry.schema.json  |   2 +-
 .../schemas/VerificationMaterial.schema.json  |   2 +-
 gen/pb-go/rekor/v1/sigstore_rekor.pb.go       |   6 ++++--
 .../dev/sigstore/rekor/v1/__init__.py         |   5 +++--
 .../src/generated/dev.sigstore.rekor.v1.rs    |   6 ++++--
 .../src/generated/file_descriptor_set.bin     | Bin 118386 -> 118452 bytes
 .../src/__generated__/sigstore_rekor.ts       |   6 ++++--
 9 files changed, 19 insertions(+), 12 deletions(-)

diff --git a/gen/jsonschema/schemas/Bundle.schema.json b/gen/jsonschema/schemas/Bundle.schema.json
index 5d2c83a1..7aefbd2e 100644
--- a/gen/jsonschema/schemas/Bundle.schema.json
+++ b/gen/jsonschema/schemas/Bundle.schema.json
@@ -319,7 +319,7 @@
                 "inclusionPromise": {
                     "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionPromise",
                     "additionalProperties": false,
-                    "description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles, and SHOULD be verified when present. Also may be used as a signed timestamp."
+                    "description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles if another source of signed time is present. MUST be verified if no other source of signed time is present, and SHOULD be verified otherwise."
                 },
                 "inclusionProof": {
                     "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionProof",
diff --git a/gen/jsonschema/schemas/Input.schema.json b/gen/jsonschema/schemas/Input.schema.json
index 3e65bf5d..ef942222 100644
--- a/gen/jsonschema/schemas/Input.schema.json
+++ b/gen/jsonschema/schemas/Input.schema.json
@@ -512,7 +512,7 @@
                 "inclusionPromise": {
                     "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionPromise",
                     "additionalProperties": false,
-                    "description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles, and SHOULD be verified when present. Also may be used as a signed timestamp."
+                    "description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles if another source of signed time is present. MUST be verified if no other source of signed time is present, and SHOULD be verified otherwise."
                 },
                 "inclusionProof": {
                     "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionProof",
diff --git a/gen/jsonschema/schemas/TransparencyLogEntry.schema.json b/gen/jsonschema/schemas/TransparencyLogEntry.schema.json
index cc3d6a2e..6666300a 100644
--- a/gen/jsonschema/schemas/TransparencyLogEntry.schema.json
+++ b/gen/jsonschema/schemas/TransparencyLogEntry.schema.json
@@ -25,7 +25,7 @@
                 "inclusionPromise": {
                     "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionPromise",
                     "additionalProperties": false,
-                    "description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles, and SHOULD be verified when present. Also may be used as a signed timestamp."
+                    "description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles if another source of signed time is present. MUST be verified if no other source of signed time is present, and SHOULD be verified otherwise."
                 },
                 "inclusionProof": {
                     "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionProof",
diff --git a/gen/jsonschema/schemas/VerificationMaterial.schema.json b/gen/jsonschema/schemas/VerificationMaterial.schema.json
index 5bb1ac50..91683b51 100644
--- a/gen/jsonschema/schemas/VerificationMaterial.schema.json
+++ b/gen/jsonschema/schemas/VerificationMaterial.schema.json
@@ -236,7 +236,7 @@
                 "inclusionPromise": {
                     "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionPromise",
                     "additionalProperties": false,
-                    "description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles, and SHOULD be verified when present. Also may be used as a signed timestamp."
+                    "description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles if another source of signed time is present. MUST be verified if no other source of signed time is present, and SHOULD be verified otherwise."
                 },
                 "inclusionProof": {
                     "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionProof",
diff --git a/gen/pb-go/rekor/v1/sigstore_rekor.pb.go b/gen/pb-go/rekor/v1/sigstore_rekor.pb.go
index 0ab50bf7..21be13ec 100644
--- a/gen/pb-go/rekor/v1/sigstore_rekor.pb.go
+++ b/gen/pb-go/rekor/v1/sigstore_rekor.pb.go
@@ -326,8 +326,10 @@ type TransparencyLogEntry struct {
 	IntegratedTime int64 `protobuf:"varint,4,opt,name=integrated_time,json=integratedTime,proto3" json:"integrated_time,omitempty"`
 	// The inclusion promise/signed entry timestamp from the log.
 	// Required for v0.1 bundles, and MUST be verified.
-	// Optional for >= v0.2 bundles, and SHOULD be verified when present.
-	// Also may be used as a signed timestamp.
+	// Optional for >= v0.2 bundles if another source of signed time
+	// is present.
+	// MUST be verified if no other source of signed time is present,
+	// and SHOULD be verified otherwise.
 	InclusionPromise *InclusionPromise `protobuf:"bytes,5,opt,name=inclusion_promise,json=inclusionPromise,proto3" json:"inclusion_promise,omitempty"`
 	// The inclusion proof can be used for offline or online verification
 	// that the entry was appended to the log, and that the log has not been
diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v1/__init__.py
index d45068f6..9ca42f98 100644
--- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v1/__init__.py
+++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v1/__init__.py
@@ -127,8 +127,9 @@ class TransparencyLogEntry(betterproto.Message):
     inclusion_promise: "InclusionPromise" = betterproto.message_field(5)
     """
     The inclusion promise/signed entry timestamp from the log. Required for
-    v0.1 bundles, and MUST be verified. Optional for >= v0.2 bundles, and
-    SHOULD be verified when present. Also may be used as a signed timestamp.
+    v0.1 bundles, and MUST be verified. Optional for >= v0.2 bundles if another
+    source of signed time is present. MUST be verified if no other source of
+    signed time is present, and SHOULD be verified otherwise.
     """
 
     inclusion_proof: "InclusionProof" = betterproto.message_field(6)
diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.rekor.v1.rs b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.rekor.v1.rs
index 9fed5246..a1403dcd 100644
--- a/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.rekor.v1.rs
+++ b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.rekor.v1.rs
@@ -131,8 +131,10 @@ pub struct TransparencyLogEntry {
     pub integrated_time: i64,
     /// The inclusion promise/signed entry timestamp from the log.
     /// Required for v0.1 bundles, and MUST be verified.
-    /// Optional for >= v0.2 bundles, and SHOULD be verified when present.
-    /// Also may be used as a signed timestamp.
+    /// Optional for >= v0.2 bundles if another source of signed time
+    /// is present.
+    /// MUST be verified if no other source of signed time is present,
+    /// and SHOULD be verified otherwise.
     #[prost(message, optional, tag = "5")]
     pub inclusion_promise: ::core::option::Option<InclusionPromise>,
     /// The inclusion proof can be used for offline or online verification
diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin b/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin
index 71a7c58b33af146dd4824fc3346ec27214dc9215..ee8efc6d92c60c2d67761e7eb6952d90f54dfc99 100644
GIT binary patch
delta 403
zcmew~hkeUj_J%Et0xnGJ?6wQJF#57^UN_}p7h>gOXxm<>z!=K3eXkc|054<PcD@M4
zH!K3HnYdV3SeRIZnDaRFrRFkC{~y9AHeDf>v9w+xGfg2eFTW%swMd~jzqBYhRUto3
zp*S-=FEvG>Br`XaOChsZp`a+WI5n?Ck4wQfG&n>dDOI5?wJ0+!6Q~BLKQCVaj{!*f
zb+~|br6>e@_=ozqfKBm)83Q(;JhM1ekBf_kixuQrHjr~AU_3@3Pf`oUV+Qhc^|%%@
zf<4A6#9TC8I*xIvR}qI8R0%6kLy@=|j0e<EqzTi`$^qnQ2XparaR4o1<(R|402I&(
u;yS?&Hjhn+rFA=3JmV>5`Bp{_UM^m+gV-2>!i;<hFfKDl)#oI}`fLERgIy8;

delta 336
zcmdlom;KWm_J%Et0xnE%Y_|)!F#57^PBrCX7h>gOXxUz<z!=K3eXkc|054<9cD@M4
zH!S=w8M#<kSeRIZm~%MvrEX78jAIm@E)&aGS+Apzn3tju?BO5k<D!t1s!*0%l$n;9
znxasik(#GaP?TDnnpdL7rQn!ToUf3ZSP4>7S`3s=ELKQVD9%jJ1F}mpb5n~;5_1dm
zxVU(@SV1<ifvl2%@fd+TNi7(U8OYPs<5~=K6gyBYs}OU+^w>DYrCtRbVo)`#Kph3*
zYA_y9M}a0xKPv~2ryb12&&2`K%`u0A0Vtpo#C3ul>`OKwmgem~@r<XK<(nBfc)57N
WE@EQ@3N!L4z_`pHRi?>|_1ORyNJPZ|

diff --git a/gen/pb-typescript/src/__generated__/sigstore_rekor.ts b/gen/pb-typescript/src/__generated__/sigstore_rekor.ts
index d33b5933..37c2b91d 100644
--- a/gen/pb-typescript/src/__generated__/sigstore_rekor.ts
+++ b/gen/pb-typescript/src/__generated__/sigstore_rekor.ts
@@ -103,8 +103,10 @@ export interface TransparencyLogEntry {
   /**
    * The inclusion promise/signed entry timestamp from the log.
    * Required for v0.1 bundles, and MUST be verified.
-   * Optional for >= v0.2 bundles, and SHOULD be verified when present.
-   * Also may be used as a signed timestamp.
+   * Optional for >= v0.2 bundles if another source of signed time
+   * is present.
+   * MUST be verified if no other source of signed time is present,
+   * and SHOULD be verified otherwise.
    */
   inclusionPromise:
     | InclusionPromise

From d9edb63b1146eb1ef96dcebb3fd38ee1cef585aa Mon Sep 17 00:00:00 2001
From: William Woodruff <william@trailofbits.com>
Date: Fri, 9 Aug 2024 14:03:54 -0400
Subject: [PATCH 3/3] rekor: clarify suitable sources of time

Signed-off-by: William Woodruff <william@trailofbits.com>
---
 gen/jsonschema/schemas/Bundle.schema.json     |   2 +-
 gen/jsonschema/schemas/Input.schema.json      |   2 +-
 .../schemas/TransparencyLogEntry.schema.json  |   2 +-
 .../schemas/VerificationMaterial.schema.json  |   2 +-
 gen/pb-go/rekor/v1/sigstore_rekor.pb.go       |   7 ++++---
 .../dev/sigstore/rekor/v1/__init__.py         |   6 ++++--
 .../src/generated/dev.sigstore.rekor.v1.rs    |   7 ++++---
 .../src/generated/file_descriptor_set.bin     | Bin 118452 -> 118553 bytes
 .../src/__generated__/sigstore_rekor.ts       |   7 ++++---
 protos/sigstore_rekor.proto                   |   7 ++++---
 10 files changed, 24 insertions(+), 18 deletions(-)

diff --git a/gen/jsonschema/schemas/Bundle.schema.json b/gen/jsonschema/schemas/Bundle.schema.json
index 7aefbd2e..768f9dba 100644
--- a/gen/jsonschema/schemas/Bundle.schema.json
+++ b/gen/jsonschema/schemas/Bundle.schema.json
@@ -319,7 +319,7 @@
                 "inclusionPromise": {
                     "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionPromise",
                     "additionalProperties": false,
-                    "description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles if another source of signed time is present. MUST be verified if no other source of signed time is present, and SHOULD be verified otherwise."
+                    "description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles if another suitable source of time is present (such as another source of signed time, or the current system time for long-lived certificates). MUST be verified if no other suitable source of time is present, and SHOULD be verified otherwise."
                 },
                 "inclusionProof": {
                     "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionProof",
diff --git a/gen/jsonschema/schemas/Input.schema.json b/gen/jsonschema/schemas/Input.schema.json
index ef942222..1e9e8421 100644
--- a/gen/jsonschema/schemas/Input.schema.json
+++ b/gen/jsonschema/schemas/Input.schema.json
@@ -512,7 +512,7 @@
                 "inclusionPromise": {
                     "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionPromise",
                     "additionalProperties": false,
-                    "description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles if another source of signed time is present. MUST be verified if no other source of signed time is present, and SHOULD be verified otherwise."
+                    "description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles if another suitable source of time is present (such as another source of signed time, or the current system time for long-lived certificates). MUST be verified if no other suitable source of time is present, and SHOULD be verified otherwise."
                 },
                 "inclusionProof": {
                     "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionProof",
diff --git a/gen/jsonschema/schemas/TransparencyLogEntry.schema.json b/gen/jsonschema/schemas/TransparencyLogEntry.schema.json
index 6666300a..c548f868 100644
--- a/gen/jsonschema/schemas/TransparencyLogEntry.schema.json
+++ b/gen/jsonschema/schemas/TransparencyLogEntry.schema.json
@@ -25,7 +25,7 @@
                 "inclusionPromise": {
                     "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionPromise",
                     "additionalProperties": false,
-                    "description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles if another source of signed time is present. MUST be verified if no other source of signed time is present, and SHOULD be verified otherwise."
+                    "description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles if another suitable source of time is present (such as another source of signed time, or the current system time for long-lived certificates). MUST be verified if no other suitable source of time is present, and SHOULD be verified otherwise."
                 },
                 "inclusionProof": {
                     "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionProof",
diff --git a/gen/jsonschema/schemas/VerificationMaterial.schema.json b/gen/jsonschema/schemas/VerificationMaterial.schema.json
index 91683b51..14faa461 100644
--- a/gen/jsonschema/schemas/VerificationMaterial.schema.json
+++ b/gen/jsonschema/schemas/VerificationMaterial.schema.json
@@ -236,7 +236,7 @@
                 "inclusionPromise": {
                     "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionPromise",
                     "additionalProperties": false,
-                    "description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles if another source of signed time is present. MUST be verified if no other source of signed time is present, and SHOULD be verified otherwise."
+                    "description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles if another suitable source of time is present (such as another source of signed time, or the current system time for long-lived certificates). MUST be verified if no other suitable source of time is present, and SHOULD be verified otherwise."
                 },
                 "inclusionProof": {
                     "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionProof",
diff --git a/gen/pb-go/rekor/v1/sigstore_rekor.pb.go b/gen/pb-go/rekor/v1/sigstore_rekor.pb.go
index 21be13ec..ef5efe48 100644
--- a/gen/pb-go/rekor/v1/sigstore_rekor.pb.go
+++ b/gen/pb-go/rekor/v1/sigstore_rekor.pb.go
@@ -326,9 +326,10 @@ type TransparencyLogEntry struct {
 	IntegratedTime int64 `protobuf:"varint,4,opt,name=integrated_time,json=integratedTime,proto3" json:"integrated_time,omitempty"`
 	// The inclusion promise/signed entry timestamp from the log.
 	// Required for v0.1 bundles, and MUST be verified.
-	// Optional for >= v0.2 bundles if another source of signed time
-	// is present.
-	// MUST be verified if no other source of signed time is present,
+	// Optional for >= v0.2 bundles if another suitable source of
+	// time is present (such as another source of signed time,
+	// or the current system time for long-lived certificates).
+	// MUST be verified if no other suitable source of time is present,
 	// and SHOULD be verified otherwise.
 	InclusionPromise *InclusionPromise `protobuf:"bytes,5,opt,name=inclusion_promise,json=inclusionPromise,proto3" json:"inclusion_promise,omitempty"`
 	// The inclusion proof can be used for offline or online verification
diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v1/__init__.py
index 9ca42f98..927ed6f2 100644
--- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v1/__init__.py
+++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/rekor/v1/__init__.py
@@ -128,8 +128,10 @@ class TransparencyLogEntry(betterproto.Message):
     """
     The inclusion promise/signed entry timestamp from the log. Required for
     v0.1 bundles, and MUST be verified. Optional for >= v0.2 bundles if another
-    source of signed time is present. MUST be verified if no other source of
-    signed time is present, and SHOULD be verified otherwise.
+    suitable source of time is present (such as another source of signed time,
+    or the current system time for long-lived certificates). MUST be verified
+    if no other suitable source of time is present, and SHOULD be verified
+    otherwise.
     """
 
     inclusion_proof: "InclusionProof" = betterproto.message_field(6)
diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.rekor.v1.rs b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.rekor.v1.rs
index a1403dcd..80556e38 100644
--- a/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.rekor.v1.rs
+++ b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.rekor.v1.rs
@@ -131,9 +131,10 @@ pub struct TransparencyLogEntry {
     pub integrated_time: i64,
     /// The inclusion promise/signed entry timestamp from the log.
     /// Required for v0.1 bundles, and MUST be verified.
-    /// Optional for >= v0.2 bundles if another source of signed time
-    /// is present.
-    /// MUST be verified if no other source of signed time is present,
+    /// Optional for >= v0.2 bundles if another suitable source of
+    /// time is present (such as another source of signed time,
+    /// or the current system time for long-lived certificates).
+    /// MUST be verified if no other suitable source of time is present,
     /// and SHOULD be verified otherwise.
     #[prost(message, optional, tag = "5")]
     pub inclusion_promise: ::core::option::Option<InclusionPromise>,
diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin b/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin
index ee8efc6d92c60c2d67761e7eb6952d90f54dfc99..66e9233bca24e1218e9c397aeef337c2fc860372 100644
GIT binary patch
delta 430
zcmZWky-vbV80Diaz1|3t4){0tO-AI$NmmypB8d@5T)>oiD~-^ry)B6oh5=R+hsH!*
zjBh~FMR(&f_z1p(UeGQ&p7Wh^zH_Dz`rV^`J%wx~dAlDO6{x8TFMCusv`k_WT_QA-
z(Q6eB(=drL$MC6UZxpJkYEm^6PIlHtO8C`)T!<|gl>^5&J3WSi2cE@{+Z27L&(INg
z;W5EnAGbtcb<q@Py5UC))`vxk+(W<1&<Z?nCJ|S{XZ;_iEpI*Uo|SsefSsbnJm0Y$
z%k-JZmnqho^#*nr4wxrtDR69bIdU22q4-zlZyWhL)Y?!gaI!)dsWzJha@Xp1j1-AV
zW%>m3&6=Tzu+@g=svx;vi6#wVc{4`RAo8(YBN7$rbcqrft&w|@kVNr_zUlM4l%bBJ
dgA;gHHpW2GG(E470!c##W2nqjyA}-3zX4~qX>$Mo

delta 284
zcmbO^kA2Hr_J%Et0xrz!?6{^Yq%ewZ*KlDpXW_hV%Ed0k%E!>Qy-<NMlxh23FU9~~
z#<uNz5sYtG1XeR~v9Pc(u?R8eap+6UWt#p!gi&m|LM&s`^y{&VB0O9QnZ*hPMXAN9
zc_q_T;}{je!qa2o7_GJQI3&1uxL85j8G-sGwO~AEAWv71YcV6(Y*r!WqUnd?7?*k#
zafm^cumUv{iL1eQKn+EjFzu`yK%RCm7e5yV&}deUIUEc?0i7VO6YOB~*o0VGw{MJR
hJjE>E%E-aX#S3-<8zWGdkxv1}Wd^C5mCRV54FCrSHbwvd

diff --git a/gen/pb-typescript/src/__generated__/sigstore_rekor.ts b/gen/pb-typescript/src/__generated__/sigstore_rekor.ts
index 37c2b91d..1e9ab6fa 100644
--- a/gen/pb-typescript/src/__generated__/sigstore_rekor.ts
+++ b/gen/pb-typescript/src/__generated__/sigstore_rekor.ts
@@ -103,9 +103,10 @@ export interface TransparencyLogEntry {
   /**
    * The inclusion promise/signed entry timestamp from the log.
    * Required for v0.1 bundles, and MUST be verified.
-   * Optional for >= v0.2 bundles if another source of signed time
-   * is present.
-   * MUST be verified if no other source of signed time is present,
+   * Optional for >= v0.2 bundles if another suitable source of
+   * time is present (such as another source of signed time,
+   * or the current system time for long-lived certificates).
+   * MUST be verified if no other suitable source of time is present,
    * and SHOULD be verified otherwise.
    */
   inclusionPromise:
diff --git a/protos/sigstore_rekor.proto b/protos/sigstore_rekor.proto
index 09863ded..89159601 100644
--- a/protos/sigstore_rekor.proto
+++ b/protos/sigstore_rekor.proto
@@ -104,9 +104,10 @@ message TransparencyLogEntry {
         int64 integrated_time = 4 [(google.api.field_behavior) = REQUIRED];
         // The inclusion promise/signed entry timestamp from the log.
         // Required for v0.1 bundles, and MUST be verified.
-        // Optional for >= v0.2 bundles if another source of signed time
-        // is present.
-        // MUST be verified if no other source of signed time is present,
+        // Optional for >= v0.2 bundles if another suitable source of
+        // time is present (such as another source of signed time,
+        // or the current system time for long-lived certificates).
+        // MUST be verified if no other suitable source of time is present,
         // and SHOULD be verified otherwise.
         InclusionPromise inclusion_promise = 5;
         // The inclusion proof can be used for offline or online verification