List out all valid TSAs + option for users to allow self signed if they want

src/auto_archiver/modules/timestamping_enricher/__manifest__.py

@@ -18,18 +18,17 @@
                 # See https://github.com/trailofbits/rfc3161-client/issues/46 for a list of valid TSAs
                 # Full list of TSAs: https://gist.github.com/Manouchehri/fd754e402d98430243455713efada710
                     "http://timestamp.identrust.com",
-                    "http://timestamp.ssl.trustwave.com", #timeouts
+                    "http://timestamp.ssl.trustwave.com",
                     "http://zeitstempel.dfn.de",
                     "http://ts.ssl.com",
-                    "http://tsa.izenpe.com",
+                    # "http://tsa.izenpe.com", # self-signed
                     "http://tsa.lex-persona.com/tsa",
-                    "http://ca.signfiles.com/TSAServer.aspx",
-                    "http://aloahacoin.chain-provider.com/tsa.aspx",
-                    "http://tsa.sinpe.fi.cr/tsaHttp/",
-                    "http://tsa.cra.ge/signserver/tsa?workerName=qtsa",
+                    # "http://ca.signfiles.com/TSAServer.aspx", # self-signed
+                    # "http://tsa.sinpe.fi.cr/tsaHttp/", # self-signed
+                    # "http://tsa.cra.ge/signserver/tsa?workerName=qtsa", # self-signed
                     "http://tss.cnbs.gob.hn/TSS/HttpTspServer",
                     "http://dss.nowina.lu/pki-factory/tsa/good-tsa",
-                    "https://freetsa.org/tsr",
+                    # "https://freetsa.org/tsr", # self-signed
                 ],
             "help": "List of RFC3161 Time Stamp Authorities to use, separate with commas if passed via the command line.",
         },
@@ -37,6 +36,12 @@
             "default": None,
             "help": "Path to a file containing trusted Certificate Authorities (CAs) in PEM format. If empty, the default system authorities are used.",
             "type": "str",
+        },
+        "allow_selfsigned": {
+            "default": False,
+            "help": "Whether or not to allow and save self-signed Timestamping certificates. This allows for a greater range of timestamping servers to be used, \
+but they are not trusted authorities",
+            "type": "bool"
         }
     },
     "description": """

src/auto_archiver/modules/timestamping_enricher/timestamping_enricher.py

@@ -82,7 +82,10 @@ class TimestampingEnricher(Enricher):
                 # fail if there's any issue with the certificates, uses certifi list of trusted CAs or the user-defined `cert_authorities`
                 root_cert = self.verify_signed(signed, message)
                 if not root_cert:
-                    raise ValueError(f"No valid root certificate found for {tsa_url=}. Are you sure it's a trusted TSA? Or define an alternative trusted root with `cert_authorities`. (tried: {self.cert_authorities or certifi.where()})")
+                    if self.allow_selfsigned:
+                        logger.warning(f"Allowing self-signed certificat from TSA {tsa_url=}")
+                    else:
+                        raise ValueError(f"No valid root certificate found for {tsa_url=}. Are you sure it's a trusted TSA? Or define an alternative trusted root with `cert_authorities`. (tried: {self.cert_authorities or certifi.where()})")
 
                 # save the timestamping certificate
                 cert_chain = self.save_certificate(signed, root_cert)