Hi

> The idea here is that a repo with an expired key (think e.g. buster)
> should not be used even if that repo was correctly signed back in the
> day as the data the key signed is sort of expired by now, too.

If this is a desired property, shouldn't there rather be an expiration date set on the signature? See: https://docs.rs/sequoia-openpgp/latest/sequoia_openpgp/packet/signature/struct.Signature6.html#method.signature_validity_period

//Alex

