Closed woodruffw closed 11 months ago
Just to copy the rationale here: my understanding of the bundle specification is that (1) inclusion proofs are only required starting with 0.2, and (2) that inclusion proofs in 0.1 bundles aren't required to have checkpoints. Consequently, clients vary in their handling of invalid inclusion proofs in 0.1 bundles: sigstore-python, for example, will perform an online lookup if the checkpoint is missing (as it is here).
See https://github.com/sigstore/sigstore-python/pull/790.