Introduce acceptableCert

Finally, only create the verifier based on an actually acceptable certificate,
instead of creating it first and then hoping not to forget to validate preconditions.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>

pkg/cosign/verify.go

@@ -762,8 +762,9 @@ func verifyInternal(ctx context.Context, untrustedSignature oci.Signature, h v1.
 				return false, fmt.Errorf("checking expiry on cert: %w", err)
 			}
 		}
+		acceptableCert := certWithUnverifiedExpiry
 
-		verifier, err = verifierFromTrustedCertificate(certWithUnverifiedExpiry)
+		verifier, err = verifierFromTrustedCertificate(acceptableCert)
 		if err != nil {
 			return false, err
 		}