Get timestamp before submitting to rekor. #1459

Open
@ramonpetgrave64

Description

Currently, we submit an entry to rekor before requesting a timestamp.

    # Submit the proposed entry to the transparency log
    entry = self._signing_ctx._rekor.create_entry(proposed_entry)
    _logger.debug(f"Transparency log entry created with index: {entry.log_index}")
    # If the user provided TSA urls, timestamps the response
    signed_timestamp = []
    for tsa_client in self._signing_ctx._tsa_clients:
        try:
            signed_timestamp.append(tsa_client.request_timestamp(content.signature))

But according to this document's diagram, we should actually be fetching the timestamp before submitting to rekor.

This is critical in error cases, where either fetching the timestamp or submitting to rekor fails:

  • With RekorV2, there will no longer be a Rekor-provided SignedEntry Timestamp, nor is an rfc3161 timestamp accepted by the RekorV2 API. Instead, clients must fetch an rfc3171 timestamp externally to store in their bundles for verification, according to spec.
    • This means that submitting to RekorV2 without also having a timestamp will not be useful for verifying a bundle. We might consider this a pollution of the Log.
    • On the other hand, timestamps can be independently verified without bundles.
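
An added example, not part of the issue text or of sigstore-python's code: it contrasts the two orderings when the timestamp authority fails. `FakeTSA`, `FakeLog`, `TSAError` and both `sign_*` functions are hypothetical stand-ins, and the log-first variant assumes a timestamp failure aborts signing.

```python
# Added illustration. FakeTSA, FakeLog, TSAError and the sign_* functions are
# hypothetical stand-ins, not sigstore-python APIs.

class TSAError(Exception):
    pass

class FakeTSA:
    """Stand-in timestamp authority that can be made to fail."""
    def __init__(self, fail=False):
        self.fail = fail
    def request_timestamp(self, signature: bytes) -> bytes:
        if self.fail:
            raise TSAError("timestamp authority unavailable")
        return b"ts:" + signature  # constructed token, not a real RFC 3161 response

class FakeLog:
    """Stand-in append-only log: an accepted entry can never be removed."""
    def __init__(self):
        self.entries = []
    def create_entry(self, proposed: bytes) -> int:
        self.entries.append(proposed)
        return len(self.entries) - 1

def sign_log_first(log, tsa_clients, signature):
    """Ordering the issue describes as current: log entry, then timestamps."""
    index = log.create_entry(signature)
    timestamps = [t.request_timestamp(signature) for t in tsa_clients]
    return index, timestamps

def sign_timestamp_first(log, tsa_clients, signature):
    """Ordering the issue proposes: submit to the log only once a timestamp exists."""
    timestamps = []
    for t in tsa_clients:
        try:
            timestamps.append(t.request_timestamp(signature))
        except TSAError:
            continue  # try the next configured TSA
    if not timestamps:
        raise TSAError("no timestamp obtained; nothing was submitted to the log")
    return log.create_entry(signature), timestamps

def orphaned_entries(sign, tsa_clients):
    """Run one signing attempt; count log entries left without any timestamp."""
    log = FakeLog()
    try:
        sign(log, tsa_clients, b"constructed-signature")
        return 0
    except TSAError:
        return len(log.entries)
```
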

Labels: enhancement (New feature or request)
