CVE-2026-24122: Cosign considered signatures valid with expired intermediate certificates when transparency log verification is skipped
When verifying an artifact signature with a certificate, Cosign first verifies the certificate chain at the leaf certificate’s “not before” timestamp and only later checks the leaf certificate’s expiry, using either a signed timestamp (from the Rekor transparency log or from a timestamp authority) or the current time. The root and all issuing certificates are assumed to be valid for the whole of the leaf certificate’s validity period. An issuing certificate whose validity ends before the leaf certificate’s is therefore still treated as valid during verification, even when the provided timestamp falls after that issuing certificate’s expiry, at which point it should be considered expired.
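The following is an added example, not Cosign’s own code: it builds a constructed root → intermediate → leaf chain with Go’s crypto/x509 in which the intermediate expires before the leaf, then contrasts the flawed order described above (chain at leaf NotBefore, leaf alone at the signing time) with a check that evaluates the whole chain at the signing timestamp via VerifyOptions.CurrentTime. All names, serial numbers and validity windows are assumptions chosen for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var T0 = time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC) // constructed start of every validity window
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// issue creates a certificate signed by parent/signer, or self-signed when parent is nil.
func issue(serial int64, cn string, days int, ca bool, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	k := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: ca,
		BasicConstraintsValid: true, NotBefore: T0, NotAfter: T0.AddDate(0, 0, days), KeyUsage: x509.KeyUsageCertSign}
	if parent == nil { parent, signer = t, k }
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &k.PublicKey, signer))
	return must(x509.ParseCertificate(der)), k
}
// BuildChain: root (365 days) -> intermediate (30 days) -> leaf (90 days); the issuer expires 60 days before its leaf.
func BuildChain() (root, inter, leaf *x509.Certificate) {
	root, rk := issue(1, "root", 365, true, nil, nil)
	inter, ik := issue(2, "intermediate", 30, true, root, rk)
	leaf, _ = issue(3, "leaf", 90, false, inter, ik)
	return
}
// VerifyChainAt checks root, intermediate and leaf at one instant; calling it with the signing time is the fix.
func VerifyChainAt(root, inter, leaf *x509.Certificate, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root); inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}
// VulnerableVerify mirrors the flawed order: chain checked at leaf.NotBefore, then only the leaf against the signing time.
func VulnerableVerify(root, inter, leaf *x509.Certificate, signedAt time.Time) error {
	if err := VerifyChainAt(root, inter, leaf, leaf.NotBefore); err != nil { return err }
	if signedAt.Before(leaf.NotBefore) || signedAt.After(leaf.NotAfter) { return x509.CertificateInvalidError{Cert: leaf, Reason: x509.Expired} }
	return nil
}
func main() {
	root, inter, leaf := BuildChain()
	signedAt := T0.AddDate(0, 0, 45) // timestamp from Rekor or a TSA: leaf still valid, intermediate already expired
	fmt.Println("vulnerable:", VulnerableVerify(root, inter, leaf, signedAt), "fixed:", VerifyChainAt(root, inter, leaf, signedAt))
}
```

The flawed order accepts the signature because the intermediate’s expiry is never compared with the signing time, while the whole-chain check at that time rejects it.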