make TSA validity end optional

sigstore/_internal/trust.py

@@ -253,7 +253,7 @@ def _verify(self) -> None:
             raise Error("missing a certificate in Certificate Authority")
 
     @property
-    def validity_period_start(self) -> datetime | None:
+    def validity_period_start(self) -> datetime:
         """
         Validity period start.
         """

sigstore/verify/verifier.py

@@ -150,26 +150,19 @@ def _verify_signed_timestamp(
 
             if (
                 certificate_authority.validity_period_start
-                and certificate_authority.validity_period_end
+                <= timestamp_response.tst_info.gen_time
+            ) and (
+                not certificate_authority.validity_period_end
+                or timestamp_response.tst_info.gen_time
+                < certificate_authority.validity_period_end
             ):
-                if (
-                    certificate_authority.validity_period_start
-                    <= timestamp_response.tst_info.gen_time
-                    < certificate_authority.validity_period_end
-                ):
-                    return TimestampVerificationResult(
-                        source=TimestampSource.TIMESTAMP_AUTHORITY,
-                        time=timestamp_response.tst_info.gen_time,
-                    )
-
-                _logger.debug(
-                    "Unable to verify Timestamp because not in CA time range."
-                )
-            else:
-                _logger.debug(
-                    "Unable to verify Timestamp because no validity provided."
+                return TimestampVerificationResult(
+                    source=TimestampSource.TIMESTAMP_AUTHORITY,
+                    time=timestamp_response.tst_info.gen_time,
                 )
 
+            _logger.debug("Unable to verify Timestamp because not in CA time range.")
+
         return None
 
     def _verify_timestamp_authority(

test/unit/verify/test_verifier.py

@@ -212,6 +212,16 @@ def test_verifier_verify_timestamp(self, verifier, asset, null_policy):
             null_policy,
         )
 
+    def test_verifier_no_validity_end(self, verifier, asset, null_policy):
+        verifier._trusted_root.get_timestamp_authorities()[
+            0
+        ]._inner.valid_for.end = None
+        verifier.verify_artifact(
+            asset("tsa/bundle.txt").read_bytes(),
+            Bundle.from_json(asset("tsa/bundle.txt.sigstore").read_bytes()),
+            null_policy,
+        )
+
     def test_verifier_without_timestamp(
         self, verifier, asset, null_policy, monkeypatch
     ):
@@ -241,24 +251,6 @@ def test_verifier_duplicate_timestamp(self, verifier, asset, null_policy):
                 null_policy,
             )
 
-    def test_verifier_no_validity(self, caplog, verifier, asset, null_policy):
-        verifier._trusted_root.get_timestamp_authorities()[
-            0
-        ]._inner.valid_for.end = None
-
-        with caplog.at_level(logging.DEBUG, logger="sigstore.verify.verifier"):
-            with pytest.raises(VerificationError, match="not enough timestamps"):
-                verifier.verify_artifact(
-                    asset("tsa/bundle.txt").read_bytes(),
-                    Bundle.from_json(asset("tsa/bundle.txt.sigstore").read_bytes()),
-                    null_policy,
-                )
-
-        assert (
-            "Unable to verify Timestamp because no validity provided."
-            == caplog.records[0].message
-        )
-
     def test_verifier_outside_validity_range(
         self, caplog, verifier, asset, null_policy
     ):