ProtonMail / gosop

Stateless CLI for GopenPGP
MIT License

`gosop` timestamps need to be emitted in UTC with a trailing `Z` suffix #9

Closed dkg closed 2 years ago

dkg commented 2 years ago

The sop spec is a bit unclear on what the timestamp of the VERIFICATIONS output is supposed to be. It says:

> ISO-8601 UTC datestamp, to one second precision, using the Z suffix

That was intended to be the datestamp of the signature not the datestamp of the verification. I'll update the spec to be clearer on that in the future, but gosop appears to currently emit "now" rather than the datestamp of the signature itself.

sop.md also says:

> Note that whenever sop emits a timestamp (e.g. in {{verifications}}) it MUST produce only a UTC-based ISO-8601 compliant representation with a resolution of one second, using the literal Z suffix to indicate timezone.

See https://gitlab.com/dkg/openpgp-stateless-cli/-/issues/37 for more clarification.

gosop currently emits the datestamp in the local TZ, with a numeric TZ offset suffix. Please make it UTC with a trailing Z.

twiss commented 2 years ago

Thanks for the report!

> That was intended to be the datestamp of the signature not the datestamp of the verification. I'll update the spec to be clearer on that in the future, but gosop appears to currently emit "now" rather than the datestamp of the signature itself.

Tbh, this is not the fault of the spec, we were aware of the intention but didn't have an easy way of accessing the signature timestamp in this context, so the original implementer used the current time instead; see this maximally helpful comment: https://github.com/ProtonMail/gosop/blob/7947241ed22d2967dc0747f539dfad7fdb5bfd1c/cmd/verify.go#L60

Anyway, I think we do have a function for that in gopenpgp now, so I'll fix that.

twiss commented 2 years ago

Fixed in 31c8bc864163fb7b00090ec5d5b3537b0ceb13cd and 833f7eccd4606c60dc1544aff89455d4a46693af :)
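
As an added example (not code from gosop or GopenPGP), the Go sketch below formats a signature creation time in the form the quoted spec text requires and checks the leading timestamp of an output line. The helper names, the assumption that the timestamp is the first whitespace-separated field, and the sample values are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// A bare "Z" in a Go layout is a literal, so the value must be converted to
// UTC before formatting; the layout performs no zone conversion itself.
const sopLayout = "2006-01-02T15:04:05Z"

// FormatSOPTime (hypothetical helper) renders a signature creation time as
// UTC with one-second resolution and a trailing Z.
func FormatSOPTime(sigTime time.Time) string {
	return sigTime.UTC().Format(sopLayout)
}

// CheckSOPTime (hypothetical helper) returns an error when the first
// whitespace-separated field of line is not in that exact form.
func CheckSOPTime(line string) error {
	fields := strings.Fields(line)
	if len(fields) == 0 {
		return fmt.Errorf("empty line")
	}
	ts := fields[0]
	parsed, err := time.Parse(sopLayout, ts)
	if err != nil { // numeric offsets such as +02:00 fail here
		return fmt.Errorf("%q is not UTC with a Z suffix: %w", ts, err)
	}
	// time.Parse tolerates fractional seconds and a one-digit hour, so
	// require that the value re-formats to exactly the same string.
	if parsed.Format(sopLayout) != ts {
		return fmt.Errorf("%q is not in canonical one-second form", ts)
	}
	return nil
}

func main() {
	// Constructed sample: a signature made at 12:30:15 in a +02:00 zone.
	sig := time.Date(2021, 3, 4, 12, 30, 15, 0, time.FixedZone("", 2*60*60))
	for _, line := range []string{
		FormatSOPTime(sig) + " <constructed remaining fields>",
		sig.Format(time.RFC3339) + " <constructed remaining fields>",
	} {
		fmt.Printf("%-60s -> %v\n", line, CheckSOPTime(line))
	}
}
```

A check like `CheckSOPTime` fits in a regression test over verification output, run with the `TZ` environment variable set to a non-UTC zone so that local-time formatting cannot pass by accident.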