diff --git a/g10/ChangeLog b/g10/ChangeLog
index 015b78a65..0bf900aa1 100644
--- a/g10/ChangeLog
+++ b/g10/ChangeLog
@@ -1,3 +1,8 @@
+2001-11-26  David Shaw  <dshaw@jabberwocky.com>
+
+	* trustdb.c (mark_usable_uid_certs): Fix segfault from bad
+	initialization and fix reversed key signature expiration check.
+
 2001-11-09  Werner Koch  <wk@gnupg.org>
 
 	* export.c (do_export_stream): Put all given names into a search
diff --git a/g10/trustdb.c b/g10/trustdb.c
index ec80329c6..fae540f57 100644
--- a/g10/trustdb.c
+++ b/g10/trustdb.c
@@ -995,7 +995,7 @@ mark_usable_uid_certs (KBNODE keyblock, KBNODE uidnode,
                        u32 curtime, u32 *next_expire)
 {
   KBNODE node;
-  PKT_signature *sig = node->pkt->pkt.signature;
+  PKT_signature *sig;
   
   /* first check all signatures */
   for (node=uidnode->next; node; node = node->next)
@@ -1076,7 +1076,8 @@ mark_usable_uid_certs (KBNODE keyblock, KBNODE uidnode,
                     
           p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_SIG_EXPIRE, NULL );
           expire = p? sig->timestamp + buffer_to_u32(p) : 0;
-          if ( expire < curtime )
+
+          if (expire==0 || expire > curtime )
             {
               signode->flag |= (1<<8); /* yeah, found a good cert */
               if (expire && expire < *next_expire)