|    linux.debian.bugs.dist    |    Ohh some weird Debian bug report thing    |    28,835 messages    |
|    Johannes Kress to All    |
|    Bug#1127595: Apt allows expired keys for    |
|    10 Feb 26 09:20:01    |
   
   From: jkress@anexia.com   
      
   Package: apt   
   Version: 3.0.3   
      
   When a key for an apt repo expires, the key will still be accepted by apt.
   I tested it by setting up an apt repo and creating an expired key.
   Then I ran apt update with the debugging option for sqv on apt 3.0.3:
      
   $ apt -oDebug::Acquire::sqv=true update   
   Hit:1 https://repos.example.com/deb stable InRelease
   0% [Working]Setting SEQUOIA_CRYPTO_POLICY=/usr/share/apt/default-sequoia.config
   Executing /usr/bin/sqv --keyring /etc/apt/keyrings/expired.gpg /tmp/apt.sig.rBMAZ6 /tmp/apt.data.d4Yp1h --policy-as-of 2027-2-10
   sqv exited with status 0   
   Got GOODSIG 5D276A38B044FF63B56B08669B60EA63B19DD085   
   sqv succeeded   
   All packages are up to date.   
      
   When using the same repo with apt 2.6.1 you get the following error:
      
   $ apt -oDebug::Acquire::gpgv=true update   
   Get:1 https://repos.example.com/deb stable InRelease [1204 B]
   0% [Working]inside VerifyGetSigners
   Preparing to exec: /usr/bin/apt-key --quiet --readonly --keyring /etc/apt/keyrings/expired.gpg verify --status-fd 3 /tmp/apt.sig.VDLBNK /tmp/apt.data.hS31kv
   Read: [GNUPG:] NEWSIG   
   Read: [GNUPG:] KEY_CONSIDERED 5D276A38B044FF63B56B08669B60EA63B19DD085 0   
   Read: [GNUPG:] KEYEXPIRED 1770546861   
   Read: [GNUPG:] SIG_ID MCZNnca4nxaNt/A1F1XT6RADCbo 2026-02-03 1770114959   
   Read: [GNUPG:] KEY_CONSIDERED 5D276A38B044FF63B56B08669B60EA63B19DD085 0   
   Read: [GNUPG:] EXPKEYSIG 9B60EA63B19DD085 Repo Signing Key <repos@example.com>
   Got EXPKEYSIG 9B60EA63B19DD085 Repo Signing Key <repos@example.com> !
   Read: [GNUPG:] VALIDSIG 5D276A38B044FF63B56B08669B60EA63B19DD085 2026-02-03 1770114959 0 4 0 22 8 01 5D276A38B044FF63B56B08669B60EA63B19DD085
   Got trusted VALIDSIG, key ID: 5D276A38B044FF63B56B08669B60EA63B19DD085   
   gpgv exited with status 0   
   Summary:   
    Good:   
    Valid: 5D276A38B044FF63B56B08669B60EA63B19DD085   
    Bad:   
    Worthless: EXPKEYSIG 9B60EA63B19DD085 Repo Signing Key <repos@example.com>
    SoonWorthless:   
    NoPubKey:   
    Signed-By:   
    NODATA: no   
   Err:1 https://repos.example.com/deb stable InRelease
    The following signatures were invalid: EXPKEYSIG 9B60EA63B19DD085 Repo Signing Key <repos@example.com>
   Reading package lists... Done
   W: GPG error: https://repos.example.com/deb stable InRelease: The following signatures were invalid: EXPKEYSIG 9B60EA63B19DD085 Repo Signing Key <repos@example.com>
   E: The repository 'https://repos.example.com/deb stable InRelease' is not signed.
   N: Updating from such a repository can't be done securely, and is therefore disabled by default.
   N: See apt-secure(8) manpage for repository creation and user configuration details.
      
   I tested this on Debian 13 and Debian 12 with the latest updates installed.
      
      
      
      
       
      
       
       
       
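Added example, not part of the original report and not apt's own code: a keyring audit that checks key expiry independently of apt's verifier, by parsing a gpg colon-format key listing and comparing the expiry timestamp against a reference time. The function names, the second key and the creation timestamps are constructed; the first key's fingerprint and expiry are the ones shown in the report.

```shell
#!/bin/sh
# expired_keys NOW
# Reads a `gpg --with-colons` key listing on stdin and prints
# "<fingerprint> <expiry-epoch>" for every primary key or subkey whose
# expiry (field 7 of the pub/sub record) is at or before NOW (epoch seconds).
# The timestamp is compared directly instead of trusting the validity
# letter in field 2, so the result does not depend on who produced the listing.
expired_keys() {
    awk -F: -v now="$1" '
        $1 == "pub" || $1 == "sub" { expiry = $7; pending = 1; next }
        $1 == "fpr" && pending {
            # An empty expiry field means the key never expires.
            if (expiry != "" && expiry + 0 <= now + 0) print $10, expiry
            pending = 0
        }'
}

# Constructed sample listing: the key from the report (expiry 1770546861)
# and a constructed second key that expires later.
sample_listing() {
    cat <<'EOF'
pub:e:255:22:9B60EA63B19DD085:1738578861:1770546861::-:::sc::::::ed25519:::0:
fpr:::::::::5D276A38B044FF63B56B08669B60EA63B19DD085:
pub:-:255:22:AAAAAAAAAAAAAAAA:1738578861:1801650861::-:::sc::::::ed25519:::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
EOF
}

# Usage on a real keyring (path taken from the report):
#   gpg --show-keys --with-colons /etc/apt/keyrings/expired.gpg \
#       | expired_keys "$(date +%s)"
```

Any output line means the keyring holds a key that is already expired, whatever the apt version in use reports for signatures made with it.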