Move the acceptableRFC3161Time enforcement logic a bit

Should not change behavior, just to prepare a further move Signed-off-by: Miloslav Trmač <mitr@redhat.com>
sigstore · Nov 25, 2022 · eb1f060 · eb1f060
1 parent 3b21d42
commit eb1f060
Showing 1 changed file with 11 additions and 10 deletions.
diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go
@@ -710,19 +710,20 @@ func verifyInternal(ctx context.Context, untrustedSignature oci.Signature, h v1.
 		if acceptableRFC3161Timestamp != nil {
 			bundleVerified = true
 			acceptableRFC3161Time = &acceptableRFC3161Timestamp.Time
+		}
+	}
 
-			cert, err := untrustedSignature.Cert()
-			if err != nil {
-				return false, err
-			}
-			if cert != nil {
-				// Verify the cert against the integrated time.
-				if err := CheckExpiry(cert, *acceptableRFC3161Time); err != nil {
-					return false, fmt.Errorf("checking expiry on cert: %w", err)
-				}
-			}
+	cert, err := untrustedSignature.Cert()
+	if err != nil {
+		return false, err
+	}
+	if cert != nil && acceptableRFC3161Time != nil {
+		// Verify the cert against the integrated time.
+		if err := CheckExpiry(cert, *acceptableRFC3161Time); err != nil {
+			return false, fmt.Errorf("checking expiry on cert: %w", err)
 		}
 	}
+
 	if !co.SkipTlogVerify {
 		// 2. Check the validity time of the signature.
 		// This is the signature creation time. As a default upper bound, use the current