From b06385069b10e774d13a935a90068f5f027ec2c9 Mon Sep 17 00:00:00 2001
From: Giovanni Harting <539@idlegandalf.com>
Date: Sat, 25 Apr 2026 22:23:26 +0200
Subject: [PATCH] drop KEYEXPIRED check to avoid overmatch on unrelated expired keys

---
 package.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/package.go b/package.go
index 431f5d8..0e1177a 100644
--- a/package.go
+++ b/package.go
@@ -54,8 +54,10 @@ func (pkg Package) Arch() *string {
 }
 
 // HasValidSignature returns if package has valid detached signature file.
-// Signatures made with a now-expired key (EXPKEYSIG / KEYEXPIRED) or with an expired
+// Signatures made with a now-expired key (EXPKEYSIG) or with an expired
 // signature timestamp (EXPSIG) are reported invalid even though gpg exits 0 for them.
+// KEYEXPIRED is intentionally not matched because GnuPG may emit it for unrelated
+// expired keys in the keyring, not just the signing key of this signature.
 func (pkg Package) HasValidSignature() (bool, error) {
 	cmd := exec.Command("gpg", "--verify", "--status-fd", "1", string(pkg)+".sig", string(pkg)) //nolint:gosec
 	res, err := cmd.CombinedOutput()
@@ -65,7 +67,6 @@ func (pkg Package) HasValidSignature() (bool, error) {
 	case cmd.ProcessState.ExitCode() == 0:
 		s := string(res)
 		if strings.Contains(s, "[GNUPG:] EXPKEYSIG ") ||
-			strings.Contains(s, "[GNUPG:] KEYEXPIRED ") ||
 			strings.Contains(s, "[GNUPG:] EXPSIG ") {
 			return false, nil
 		}
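Review bot: With the KEYEXPIRED line removed, the `ExitCode() == 0` branch still decides validity purely by the absence of two negative status tokens, so a zero exit whose status output carries neither `EXPKEYSIG`/`EXPSIG` nor any positive signature line would be reported as valid. It would be more robust to also require the positive token, e.g. `strings.Contains(s, "[GNUPG:] VALIDSIG ")` (or `GOODSIG`), turning the check into an allow-list rather than a deny-list. Since `res` comes from `CombinedOutput()`, stderr diagnostics share the buffer with the `--status-fd 1` lines; that is presumably harmless because the matched `[GNUPG:] ` prefix only appears on status lines, but a short comment stating that assumption next to the `Contains` calls would help the next reader. The enclosing `switch` and the rest of HasValidSignature begin and end outside this hunk.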