From a0be6f0829ab171ad2f9528413041ea32573e602 Mon Sep 17 00:00:00 2001
From: morganamilo
Date: Fri, 1 Aug 2025 07:46:23 +0100
Subject: [PATCH] libalpm: reimport expired keys

If the user does not update for a while some of the keys in the keyring may expire. Pacman does not import new versions of these keys because they are already in the keying. This leads to users needing to first update archlinux-keyring to get the new keys.
---
 lib/libalpm/signing.c | 30 ++++++++++++++++++++----------
 1 file changed, 20 insertions(+), 10 deletions(-)

diff --git a/lib/libalpm/signing.c b/lib/libalpm/signing.c
index c6694e7b..19aeaa5a 100644
--- a/lib/libalpm/signing.c
+++ b/lib/libalpm/signing.c
@@ -233,9 +233,14 @@ int _alpm_key_in_keychain(alpm_handle_t *handle, const char *fpr)
 _alpm_log(handle, ALPM_LOG_DEBUG, "key lookup failed, unknown key\n");
 ret = 0;
 } else if(gpg_err_code(gpg_err) == GPG_ERR_NO_ERROR) {
- _alpm_log(handle, ALPM_LOG_DEBUG, "key lookup success, key exists\n");
- handle->known_keys = alpm_list_add(handle->known_keys, strdup(fpr));
- ret = 1;
+ if(key->expired) {
+ _alpm_log(handle, ALPM_LOG_DEBUG, "key lookup success, but key is expired\n");
+ ret = 0;
+ } else {
+ _alpm_log(handle, ALPM_LOG_DEBUG, "key lookup success, key exists\n");
+ handle->known_keys = alpm_list_add(handle->known_keys, strdup(fpr));
+ ret = 1;
+ }
 } else {
 _alpm_log(handle, ALPM_LOG_DEBUG, "gpg error: %s\n", gpgme_strerror(gpg_err));
 }
@@ -268,7 +273,7 @@ static int key_import_wkd(alpm_handle_t *handle, const char *email, const char *
 CHECK_ERR();
 mode = gpgme_get_keylist_mode(ctx);
- mode |= GPGME_KEYLIST_MODE_LOCATE;
+ mode |= GPGME_KEYLIST_MODE_LOCATE_EXTERNAL;
 gpg_err = gpgme_set_keylist_mode(ctx, mode);
 CHECK_ERR();
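Review bot: In the `@@ -233` hunk of `_alpm_key_in_keychain`, the new `if(key->expired)` test reads only the key-level flag, which as far as I know GPGME sets from the primary key. An expired signing subkey under a still-valid primary carries its own flag on the `key->subkeys` entries, so it would apparently still take the `ret = 1` branch and be cached in `handle->known_keys`. If packages can be signed with subkeys, consider also checking the subkey that matches `fpr`. The return contract changed too and deserves a comment, for example `/* returns 0 for a missing OR expired key so callers fall through to a (re)import; expired keys are deliberately not cached in known_keys */`. The function starts and ends outside the hunk, so how `key` is obtained cannot be confirmed from here.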
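Review bot: `GPGME_KEYLIST_MODE_LOCATE_EXTERNAL` in the `@@ -268` hunk of `key_import_wkd` is a more recent GPGME addition than `GPGME_KEYLIST_MODE_LOCATE`, and the diffstat shows only `signing.c` changing, so any minimum GPGME version the build files enforce is not raised with it. If that minimum predates the constant, older build environments will fail to compile; please confirm it or bump it in the same change. Because this mode bypasses the local keyring and always fetches over the network, the fingerprint comparison after the import is what binds the fetched key to the expected one. A comment would make that explicit: `/* always fetch from WKD, even when a local (possibly expired) copy exists; the fpr check below binds the result to the expected key */`.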
@@ -279,7 +284,7 @@ static int key_import_wkd(alpm_handle_t *handle, const char *email, const char *
 if(fpr && _alpm_key_in_keychain(handle, fpr)) {
 ret = 0;
 } else {
- _alpm_log(handle, ALPM_LOG_DEBUG, "key lookup failed: WKD imported wrong fingerprint\n");
+ _alpm_log(handle, ALPM_LOG_DEBUG, "key lookup failed: WKD imported wrong fingerprint or key expired\n");
 }
 }
 gpgme_key_unref(key);
@@ -903,11 +908,6 @@ int _alpm_process_siglist(alpm_handle_t *handle, const char *identifier,
 alpm_sigresult_t *result = siglist->results + i;
 const char *name = result->key.uid ? result->key.uid : result->key.fingerprint;
 switch(result->status) {
- case ALPM_SIGSTATUS_KEY_EXPIRED:
- _alpm_log(handle, ALPM_LOG_ERROR,
- _("%s: key \"%s\" (%s) is expired\n"),
- identifier, name, result->key.fingerprint);
- break;
 case ALPM_SIGSTATUS_VALID:
 switch(result->validity) {
 case ALPM_SIGVALIDITY_FULL:
@@ -934,6 +934,16 @@ int _alpm_process_siglist(alpm_handle_t *handle, const char *identifier,
 identifier, name);
 break;
 }
+ break;
+ case ALPM_SIGSTATUS_KEY_EXPIRED:
+ _alpm_log(handle, ALPM_LOG_ERROR,
+ _("%s: key \"%s\" (%s) is expired\n"),
+ identifier, name, result->key.fingerprint);
+
+ if(_alpm_key_import(handle, result->key.uid, result->key.fingerprint) == 0) {
+ retry = 1;
+ }
+
 break;
 case ALPM_SIGSTATUS_KEY_UNKNOWN:
 /* ensure this key is still actually unknown; we may have imported it
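Review bot: In the re-added `ALPM_SIGSTATUS_KEY_EXPIRED` case (`@@ -934` hunk of `_alpm_process_siglist`), `retry = 1` is set whenever `_alpm_key_import` returns 0, without confirming that the refreshed key is actually unexpired. If any import path can report success while delivering the same expired key (the keyserver path is not visible here), the caller would re-verify, hit KEY_EXPIRED again and re-import, presumably asking the user each round. Gating the retry on the post-import state would bound that: `if(_alpm_key_import(handle, result->key.uid, result->key.fingerprint) == 0 && _alpm_key_in_keychain(handle, result->key.fingerprint) == 1) {`. The function body extends beyond the hunk, so the retry loop itself cannot be checked from here.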