Address comments

Signed-off-by: Philip Harrison <[email protected]>

lib/registry.js

@@ -14,10 +14,9 @@ const sigstore = require('sigstore')
 const corgiDoc = 'application/vnd.npm.install-v1+json; q=1.0, application/json; q=0.8, */*'
 const fullDoc = 'application/json'
 
-// Some really old packages have no time field in their packument so we need to
-// fallback to a time that is before we could have a registry rotate keys. This
-// is snapped to just before we shipped `npm audit signatures` in 8.14.0.
-const NO_TIME_CUTOFF_TIME = '2022-07-12T00:00:00.000Z'
+// Some really old packages have no time field in their packument so we need a
+// cutoff date.
+const MISSING_TIME_CUTOFF = '2015-01-01T00:00:00.000Z'
 
 const fetch = require('npm-registry-fetch')
 
@@ -120,6 +119,13 @@ class RegistryFetcher extends Fetcher {
       return this.package
     }
 
+    // When verifying signatures, we need to fetch the full/uncompressed
+    // packument to get publish time as this is not included in the
+    // corgi/compressed packument.
+    if (this.opts.verifySignatures) {
+      this.fullMetadata = true
+    }
+
     const packument = await this.packument()
     let mani = await pickManifest(packument, this.spec.fetchSpec, {
       ...this.opts,
@@ -184,7 +190,7 @@ class RegistryFetcher extends Fetcher {
               ), { code: 'EMISSINGSIGNATUREKEY' })
             }
 
-            const publishedTime = Date.parse(mani._time || NO_TIME_CUTOFF_TIME)
+            const publishedTime = Date.parse(mani._time || MISSING_TIME_CUTOFF)
             const validPublicKey = !publicKey.expires ||
               publishedTime < Date.parse(publicKey.expires)
             if (!validPublicKey) {