Fix bug#1059 (missing status line signature verification done with a

subkey while on the main key has expired).

2 files changed, 11 insertions, 2 deletions

diff --git a/g10/ChangeLog b/g10/ChangeLog
index b848f2d0c..0f5c6417a 100644
--- a/g10/ChangeLog
+++ b/g10/ChangeLog
@@ -1,3 +1,8 @@
+2009-12-17  Werner Koch  <[email protected]>
+
+	* sig-check.c (do_check_messages): Evaluate the HAS_EXPIRED flag.
+	Fixes bug#1059.
+
 2009-12-15  Werner Koch  <[email protected]>
 
 	* tdbio.c (tdbio_set_dbname): Do not call log_fatal after creating
diff --git a/g10/sig-check.c b/g10/sig-check.c
index c415703f7..7677cc2fd 100644
--- a/g10/sig-check.c
+++ b/g10/sig-check.c
@@ -229,13 +229,17 @@ do_check_messages( PKT_public_key *pk, PKT_signature *sig,
 	  return G10ERR_TIME_CONFLICT;
       }
 
-    if( pk->expiredate && pk->expiredate < cur_time ) {
+    /* Check whether the key has expired.  We check the has_expired
+       flag which is set after a full evaluation of the key (getkey.c)
+       as well as a simple compare to the current time in case the
+       merge has for whatever reasons not been done.  */
+    if( pk->has_expired || (pk->expiredate && pk->expiredate < cur_time)) {
         char buf[11];
         if (opt.verbose)
 	  log_info(_("NOTE: signature key %s expired %s\n"),
 		   keystr_from_pk(pk), asctimestamp( pk->expiredate ) );
 	/* SIGEXPIRED is deprecated.  Use KEYEXPIRED. */
-	sprintf(buf,"%lu",(ulong)pk->expiredate);
+	snprintf (buf, sizeof buf,"%lu",(ulong)pk->expiredate);
 	write_status_text(STATUS_KEYEXPIRED,buf);
 	write_status(STATUS_SIGEXPIRED);
 	if(r_expired)