openpgp: fix handling expired keys

exclude expired keys from the GoodKeys

Author: neolynx

pgp/internal.go

@@ -446,10 +446,11 @@ func (g *GoVerifier) VerifyClearsigned(clearsigned io.Reader, showKeyTip bool) (
 
 	for _, signer := range signers {
 		if signer.Entity != nil {
-			result.GoodKeys = append(result.GoodKeys, KeyFromUint64(signer.IssuerKeyID))
+			if !signer.IsExpired {
+				result.GoodKeys = append(result.GoodKeys, KeyFromUint64(signer.IssuerKeyID))
+			}
 		} else {
 			result.MissingKeys = append(result.MissingKeys, KeyFromUint64(signer.IssuerKeyID))
-
 		}
 	}
 

pgp/openpgp.go

@@ -40,6 +40,7 @@ func hashForSignature(hashID crypto.Hash, sigType packet.SignatureType) (hash.Ha
 
 type signatureResult struct {
 	CreationTime time.Time
+	IsExpired    bool
 	IssuerKeyID  uint64
 	PubKeyAlgo   packet.PublicKeyAlgorithm
 	Entity       *openpgp.Entity
@@ -59,6 +60,8 @@ func checkDetachedSignature(keyring openpgp.KeyRing, signed, signature io.Reader
 		return nil, 0, e
 	}
 
+	var now = time.Now()
+
 	packets := packet.NewReader(signature)
 	for {
 		p, err = packets.Next()
@@ -87,6 +90,9 @@ func checkDetachedSignature(keyring openpgp.KeyRing, signed, signature io.Reader
 			if sig.IssuerKeyId == nil {
 				return nil, 0, errors.StructuralError("signature doesn't have an issuer")
 			}
+			if sig.SigExpired(now) {
+				continue
+			}
 			issuerKeyID = *sig.IssuerKeyId
 			hashFunc = sig.Hash
 			sigType = sig.SigType
@@ -128,6 +134,7 @@ func checkDetachedSignature(keyring openpgp.KeyRing, signed, signature io.Reader
 			if err == nil {
 				signers = append(signers, signatureResult{
 					CreationTime: creationTime,
+					IsExpired:    key.PublicKey.KeyExpired(key.SelfSignature, now),
 					IssuerKeyID:  issuerKeyID,
 					PubKeyAlgo:   pubKeyAlgo,
 					Entity:       key.Entity,