Hi, I just cloned and reassigned your bug about apt-get ignoring expired keys. apt-get forks gpgv to do the actual verification and that gives no indication of any expirey. So apt-get has no chance to detect and warn about such an event.
[EMAIL PROTECTED]:% sudo gpgv --keyring etc/apt/trusted.gpg var/lib/apt/lists/localhost_debian_dists_sid_Release.gpg var/lib/apt/lists/localhost_debian_dists_sid_Release gpgv: Signature made Tue Sep 2 18:08:46 2008 CEST using RSA key ID F583D700 gpgv: Good signature from "Tester (test key) <[EMAIL PROTECTED]>" [EMAIL PROTECTED]:/% sudo gpg --keyring etc/apt/trusted.gpg --verify var/lib/apt/lists/localhost_debian_dists_sid_Release.gpg var/lib/apt/lists/localhost_debian_dists_sid_Release gpg: WARNING: unsafe ownership on configuration file `/home/mrvn/.gnupg/gpg.conf' gpg: Signature made Tue Sep 2 18:08:46 2008 CEST using RSA key ID F583D700 gpg: Good signature from "Tester (test key) <[EMAIL PROTECTED]>" gpg: Note: This key has expired! Primary key fingerprint: 317C B6A2 20E3 D9DF BE98 0264 1E34 EFC0 F583 D700 [EMAIL PROTECTED]:/% echo $? 0 Note that gpg does not fail the signature just because it has expired, even if the signature is made after the expirey date of the key. The signature was made when the key was still valid s it gets accepted. MfG Goswin -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]