Each new connection generates a new private key, so everything has to happens in the same connection.

Generating a script and spamming the "sign" endpoint shows that time is part of the signature:

```
message timestamp signature
a 1585995248 b59af637923b31002a8b6b59df1c6ffcf3fa7fff0313a979a0cc518358649fcb0aa7afc05fd75eb8a4603cc24c337653
b 1585995248 b59af637923b31002a8b6b59df1c6ffcf3fa7fff0313a979cdeb15f1ddd856928211f7f89c430e264a7ed9e391edcee6
c 1585995248 b59af637923b31002a8b6b59df1c6ffcf3fa7fff0313a97984cba674b371d209c0272b24d418c76db45cfa70c5c7900a
d 1585995248 b59af637923b31002a8b6b59df1c6ffcf3fa7fff0313a9798b67c925cb0ee62aa48561f18fe190b19e9784acc295f206
e 1585995248 b59af637923b31002a8b6b59df1c6ffcf3fa7fff0313a979e824a1cad77f2c3f10120a6a2b4a15a0e931afe38d16214e
f 1585995248 b59af637923b31002a8b6b59df1c6ffcf3fa7fff0313a9795fd43e71c8843aa7b59d1eeffed7a14c0a8f4ac904c4d6e8
g 1585995248 b59af637923b31002a8b6b59df1c6ffcf3fa7fff0313a979667049e750d8908469c77445ad2f90fdd87a12dd0e7eb4dc
h 1585995248 b59af637923b31002a8b6b59df1c6ffcf3fa7fff0313a979d93e8707910d21d098a261c5d188d3185db3144454a83f9a
i 1585995248 b59af637923b31002a8b6b59df1c6ffcf3fa7fff0313a979010ba2ab74b17ade095e2c7aa98438aea812c1e0419e8399
j 1585995249 b59af637923b31002a8b6b59df1c6ffcf3fa7fff0313a979b869d5f10b5565c2dbf9ba25c6ce5885441e933be09bb474
k 1585995249 50c1dc1656f9b049499061f11cce30f2cac3827a1cff41c722b2c959a848494d104d5596698e21e45034118d4c73cca2
l 1585995249 50c1dc1656f9b049499061f11cce30f2cac3827a1cff41c72de2ee727eb37c62add179aef8286fb34af72fa30697de3f
```

Guessing that they use ECDSA with curve NIST192p and SHA1 the following script can generate a forged signature:
https://github.com/NicolaiSoeborg/ctf-writeups/blob/master/2020/Midnightsun%20CTF%202020/Verifier2.py

Original writeup (https://github.com/NicolaiSoeborg/ctf-writeups/blob/master/2020/Midnightsun%20CTF%202020/Verifier2.py).