tuf: allow missing expiries in key validity period

tnytown · tnytown · commit f25a78c142ca · 2023-03-12T12:48:21.000-05:00
diff --git a/sigstore/_internal/tuf.py b/sigstore/_internal/tuf.py
@@ -110,7 +110,7 @@ def _timerange_valid_for_status(period: TimeRange | None, status: KeyStatus) ->
         return False
 
     # If we want Expired keys, we don't care. Otherwise, check that we are within range.
-    return status == KeyStatus.Expired or (period.end is not None and now < period.end)
+    return status == KeyStatus.Expired or (period.end is None or now < period.end)
 
 
 class TrustUpdater:
@@ -318,13 +318,10 @@ def get_fulcio_certs(self) -> list[Certificate]:
                     ]
                 )
         else:
-            certs = [
-                load_pem_x509_certificate(c)
-                for c in self._get(
-                    KeyUsage.Fulcio, [KeyStatus.Active, KeyStatus.Expired]
-                )
-            ]
-
+            certs = (
+                self._get(KeyUsage.Fulcio, [KeyStatus.Active, KeyStatus.Expired]) or []
+            )
+            certs = [load_pem_x509_certificate(c) for c in certs]
         if not certs:
             raise MetadataError("Fulcio certificates not found in TUF metadata")
         return certs
