LOW 2.0

GHSA-qqw8-7c2r-jxch

Sigstore Java has a vulnerability with bundle verification of integratedTime

Details

### Summary

Regression: verification of `integratedTime` from the Rekor v1 log entry against the Fulcio certificate's validity period was missing.

### Details

- PR [#1008](https://github.com/sigstore/sigstore-java/pull/1008) erroneously removed verification of the integrated time (the Rekor entry time) against the Fulcio certificate's validity period.
- PR [#1185](https://github.com/sigstore/sigstore-java/pull/1185) re-added this verification, with enhancements that adhere to the Sigstore verification spec.
- The old sigstore-conformance test for this check was built incorrectly, so it did not catch the regression.

### PoC

A new bundle was added to sigstore-conformance to test this. sigstore-java 2.0.0 can be run against it and shown to pass verification when it should fail. Verify this [bundle](https://github.com/aaronlew02/sigstore-conformance/blob/8b45823fd0d82236ff42aea5b06c98d5109a0e6d/test/assets/bundle-verify/integrated-time-in-future_fail/bundle.sigstore.json) against [`a.txt`](https://github.com/aaronlew02/sigstore-conformance/blob/8b45823fd0d82236ff42aea5b06c98d5109a0e6d/test/assets/a.txt):

```
$ git clone git@github.com:sigstore/sigstore-java
$ git checkout v2.0.0
$ ./gradlew :sigstore-cli:build
$ tar -xf sigstore-cli/build/distributions/sigstore-cli-*-SNAPSHOT.tar --strip-components 1
$ ./bin/sigstore-cli verify --bundle=bundle.sigstore.json a.txt  # a verification error is expected, but none is reported
```
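To illustrate the check that 2.0.0 skipped, here is an added Python example; it is not sigstore-java code and not part of the advisory. It reads `integratedTime` from a constructed, minimal bundle fragment (only the fields the check needs, in the protobuf-JSON encoding where `integratedTime` is a string of epoch seconds) and requires it to fall inside an assumed Fulcio certificate validity window; the bundles, the certificate window and the function names are all constructed for this example.

```python
import json
from datetime import datetime, timedelta, timezone


def parse_integrated_times(bundle_json: str) -> list:
    """Return the integratedTime of every Rekor entry in a bundle as a UTC datetime.

    A bundle with no transparency log entries, or an entry without an
    integratedTime, is rejected rather than silently treated as valid.
    """
    bundle = json.loads(bundle_json)
    entries = bundle.get("verificationMaterial", {}).get("tlogEntries", [])
    if not entries:
        raise ValueError("bundle has no transparency log entries")
    times = []
    for entry in entries:
        raw = entry.get("integratedTime")
        if raw is None:
            raise ValueError("tlog entry without integratedTime")
        times.append(datetime.fromtimestamp(int(raw), tz=timezone.utc))
    return times


def integrated_time_within_validity(t: datetime, not_before: datetime, not_after: datetime) -> bool:
    """The Rekor integration time must lie inside the signing certificate's validity period."""
    return not_before <= t <= not_after


def verify_integrated_times(bundle_json: str, not_before: datetime, not_after: datetime) -> bool:
    """Every tlog entry's integratedTime must pass the validity-window check."""
    return all(integrated_time_within_validity(t, not_before, not_after)
               for t in parse_integrated_times(bundle_json))


# Constructed certificate validity window: Fulcio certificates are short-lived,
# so a ten-minute window starting at epoch 1700000000 (2023-11-14T22:13:20Z) is used.
CERT_NOT_BEFORE = datetime(2023, 11, 14, 22, 13, 20, tzinfo=timezone.utc)
CERT_NOT_AFTER = CERT_NOT_BEFORE + timedelta(minutes=10)

# Constructed bundle fragments (not real bundles). The first was integrated
# five minutes into the window; the second a day later, mirroring the
# "integrated-time-in-future" conformance case that must fail.
GOOD_BUNDLE = json.dumps({"verificationMaterial": {"tlogEntries": [
    {"logIndex": "1", "integratedTime": "1700000300"}]}})
FUTURE_BUNDLE = json.dumps({"verificationMaterial": {"tlogEntries": [
    {"logIndex": "2", "integratedTime": "1700086400"}]}})

if __name__ == "__main__":
    print("good bundle:", verify_integrated_times(GOOD_BUNDLE, CERT_NOT_BEFORE, CERT_NOT_AFTER))
    print("future bundle:", verify_integrated_times(FUTURE_BUNDLE, CERT_NOT_BEFORE, CERT_NOT_AFTER))
```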

### Impact

This vulnerability affects only users verifying bundles with `dev.sigstore:sigstore-java:2.0.0`. Older versions are not affected; it is fixed in `dev.sigstore:sigstore-java:2.1.0`.

A malicious actor could exploit this if they were able to access a user's system and exfiltrate the temporary private key used during signing, and then reuse an old Fulcio certificate later without requiring direct access to the user's credentials.

Users may protect themselves by re-verifying their artifacts using the newest sigstore-java or another current sigstore client. Transparency logs may also be audited for unauthorized signatures for a suspected reused identity.


Affected packages

Maven / dev.sigstore:sigstore-java
First affected version: 2.0.0. Fixed version: 2.1.0.
Fix (pom.xml): bump `<version>2.1.0</version>` for dev.sigstore:sigstore-java
