Just tonight I tried to update my portage snapshot by emerge-webrsync command and found out that the portage snapshot signing key expired again without being properly updated by app-crypt/gentoo-keys update before its expiration as described here: https://wiki.gentoo.org/wiki/Handbook:AMD64/Working/Features#Validated_Portage_tree_snapshots
On the other side, app-crypt/gkeys is marked by ~ in my architecture (amd64). So, it is impossible to update the portage snapshot signing key without using non-recommended package. The same situation happened just half a year ago. Is it only me who thinks that Gentoo must care more about security?