timestamp-server-url flag & the signing config

[hostalp]

Question
I see that after #4458 deprecated the --tlog-upload flag, a detailed description is printed when this flag is used with the signing config (which is the default now):
cosign sign --key cosign.key --tlog-upload=false ...

Flag --tlog-upload has been deprecated, prefer using a --signing-config file with no transparency log services
Error: --tlog-upload=false is not supported with --signing-config or --use-signing-config. Provide a signing config with --signing-config without a transparency log service, which can be created with cosign signing-config create or curl https://raw.githubusercontent.com/sigstore/root-signing/refs/heads/main/targets/signing_config.v0.2.json | jq 'del(.rekorTlogUrls)' for the public instance
error during command execution: --tlog-upload=false is not supported with --signing-config or --use-signing-config. Provide a signing config with --signing-config without a transparency log service, which can be created with cosign signing-config create or curl https://raw.githubusercontent.com/sigstore/root-signing/refs/heads/main/targets/signing_config.v0.2.json | jq 'del(.rekorTlogUrls)' for the public instance

However when the --timestamp-server-url flag is used similarly. not very useful explanation is given in the error message:
cosign sign --key cosign.key --timestamp-server-url https://freetsa.org/tsr ...

Error: cannot specify service URLs and use signing config
error during command execution: cannot specify service URLs and use signing config

Which also means that what's described here is now broken:
https://docs.sigstore.dev/cosign/verifying/timestamps/#using-signed-timestamps-in-cosign

If it's intended to disallow the timestamp-server-url flag when a signing config is used, shouldn't the description be more detailed as well? And docs updated to reflect the current state of things?

[hostalp]

By the way, how to use a 3rd party timestamp server with the new bundle format & signature config? It doesn't appear to be well documented.

While the old way works, for example:
cosign sign --key=cosign.key --timestamp-server-url=http://timestamp.digicert.com --new-bundle-format=false --use-signing-config=false --tlog-upload=false <image-ref>

When trying to convert things to the new format, it fails:
cosign signing-config create --tsa=url=http://timestamp.digicert.com,api-version=1,start-time=2025-07-04T00:00:00Z,operator=digicert.com --tsa-config=ANY --out=sigconfig.json
cosign sign --key=cosign.key --signing-config=sigconfig.json <image-ref>

Signing artifact... \ Error: signing [<image-ref>]: signing digest: signing bundle: error signing bundle: failed to verify timestamps: threshold not met for verified signed timestamps: 0 < 1; error: unable to verify signed timestamps: error while verifying with chain: pkcs7: No certificate for signer
error during command execution: signing [<image-ref>]: signing digest: signing bundle: error signing bundle: failed to verify timestamps: threshold not met for verified signed timestamps: 0 < 1; error: unable to verify signed timestamps: error while verifying with chain: pkcs7: No certificate for signer

What am I missing?