From 0820f84ce8111146f5aa79e88692b3257e22c4cf Mon Sep 17 00:00:00 2001
From: Giovanni Harting <539@idlegandalf.com>
Date: Sat, 25 Apr 2026 22:16:45 +0200
Subject: [PATCH] treat expired-key signatures as invalid
---
 package.go | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/package.go b/package.go
index 5e990b2..431f5d8 100644
--- a/package.go
+++ b/package.go
@@ -53,14 +53,22 @@ func (pkg Package) Arch() *string {
 return &fNameSplit[0]
 }
-// HasValidSignature returns if package has valid detached signature file
+// HasValidSignature returns if package has valid detached signature file.
+// Signatures made with a now-expired key (EXPKEYSIG / KEYEXPIRED) or with an expired
+// signature timestamp (EXPSIG) are reported invalid even though gpg exits 0 for them.
 func (pkg Package) HasValidSignature() (bool, error) {
- cmd := exec.Command("gpg", "--verify", string(pkg)+".sig") //nolint:gosec
+ cmd := exec.Command("gpg", "--verify", "--status-fd", "1", string(pkg)+".sig", string(pkg)) //nolint:gosec
 res, err := cmd.CombinedOutput()
 switch {
 case cmd.ProcessState.ExitCode() == 2 || cmd.ProcessState.ExitCode() == 1:
 return false, nil
 case cmd.ProcessState.ExitCode() == 0:
+ s := string(res)
+ if strings.Contains(s, "[GNUPG:] EXPKEYSIG ") ||
+ strings.Contains(s, "[GNUPG:] KEYEXPIRED ") ||
+ strings.Contains(s, "[GNUPG:] EXPSIG ") {
+ return false, nil
+ }
 return true, nil
 case err != nil:
 return false, fmt.Errorf("error checking signature: %w (%s)", err, res)
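Review bot: The added check in the exit-code-0 branch is a deny-list of three status lines, and it omits `REVKEYSIG` (signature made by a revoked key), so a revoked-key signature would still be reported valid if gpg also exits 0 for it, which is worth verifying; `KEYEXPIRED` is also, per gpg's DETAILS documentation, emitted for expired subkeys that were not used for the signature, so matching it can reject a signature from a still-valid key. gpg emits exactly one of `GOODSIG`, `EXPSIG`, `EXPKEYSIG`, `REVKEYSIG`, `BADSIG`, `ERRSIG` per signature, so a positive match is both shorter and closed against new failure modes: replace the `if` with `if !strings.Contains(string(res), "[GNUPG:] GOODSIG ") {` / `return false, nil` / `}` and drop the `s` local. The doc comment should then describe the positive condition rather than list the excluded status codes. Note that the `switch` tests `cmd.ProcessState.ExitCode()` before `err != nil`, so an exec failure that leaves `ProcessState` nil (gpg not installed) would dereference a nil pointer; that predates this commit but the new `--status-fd` argument does not change it. The body of HasValidSignature continues past the end of the hunk.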