A best practice for artifact signing is to support timestamping. Timestamping: To ensure the signature was produced within the certificate's validity window, a timestamp is added to the signed artifact.

This will allow us to not fail a verification/validation step if the signing material has changed or expired. Without this, we would need to resign the same artifacts.