From ad27e8f41bc4c5e5b79e5fc8327aba38e126b8d0 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Thu, 17 Dec 2009 17:55:43 +0000
Subject: [PATCH] Fix bug#1059 (missing status line signature verification done with a subkey while on the main key has expired).

---
 g10/ChangeLog | 3 +++
 g10/sig-check.c | 6 +++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/g10/ChangeLog b/g10/ChangeLog
index e0db8d0c2..38d6eeed6 100644
--- a/g10/ChangeLog
+++ b/g10/ChangeLog
@@ -1,5 +1,8 @@
 2009-12-17 Werner Koch

+ * sig-check.c (do_check_messages): Evaluate the HAS_EXPIRED flag.
+ Fixes bug#1059.
+
 * gpg.c: Add new option --faked-system-time.

 2009-12-15 Werner Koch
diff --git a/g10/sig-check.c b/g10/sig-check.c
index c415703f7..1feac3862 100644
--- a/g10/sig-check.c
+++ b/g10/sig-check.c
@@ -229,7 +229,11 @@ do_check_messages( PKT_public_key *pk, PKT_signature *sig,
 return G10ERR_TIME_CONFLICT;
 }

- if( pk->expiredate && pk->expiredate < cur_time ) {
+ /* Check whether the key has expired. We check the has_expired
+ flag which is set after a full evaluation of the key (getkey.c)
+ as well as a simple compare to the current time in case the
+ merge has for whatever reasons not been done. */
+ if( pk->has_expired || (pk->expiredate && pk->expiredate < cur_time)) {
 char buf[11];
 if (opt.verbose)
 log_info(_("NOTE: signature key %s expired %s\n"),
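Review bot: The widened condition `pk->has_expired || (...)` in the sig-check.c hunk now also enters this branch when `pk->expiredate` is zero or still in the future, which appears to be the subkey-under-an-expired-primary case from the subject line, but the code that reports the expiry time lies past the end of the hunk and is not adjusted here. If the `log_info` call and the status output still print `pk->expiredate`, front-ends that parse them would see a zero or future date for a key that is being treated as expired. It is worth confirming which value is reported in that case and recording it next to the check, e.g. `/* has_expired may be set while expiredate is 0 or in the future (expired primary key); the time reported below must be the effective expiry. */`. The enclosing function do_check_messages starts before the hunk and continues after it.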