Currently, gpg selects the first key from a user's keyring if the name is used
rather than the key ID. This key selection process actually selects expired keys
in this scenario, because the self-signature is cryptographically valid. In
fact, I think it even prefers those expired keys, because they are older.
This not only makes key transitions very difficult, because you need to ask
people to delete your expired key from their keyring, or they will always be
offered that key as their first choice (such as via mutt, or other MUAs),
but it also raises a serious security concern, as data is encrypted to incorrect keys
because gpg suggests that incorrect key.
I tried to add these comments to T1143, which seems related to this issue, but
even after logging into the system, I cannot edit/update bugs. That is a bug in
itself. I understand that there are some suggested fixes for the future, but it
seems a long way off, and that seems unfortunate for something so problematic.
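As an added example (not part of this report and not GnuPG's own code): a small Python script that parses the machine-readable listing produced by `gpg --with-colons --list-keys`, models the name-based "first key that matches" selection described above, and then does what a careful caller should do instead: drop keys whose validity field is expired or revoked (or whose expiry timestamp has passed), and hand back the fingerprint of the newest remaining key so that it, rather than a name, is passed to `-r`. The listing below is constructed sample data, not real keys; the field positions follow GnuPG's documented colon format (validity in field 2, key ID in field 5, creation and expiry in fields 6 and 7 as epoch seconds, fingerprint and user ID in field 10 of `fpr` and `uid` records), and all function names are this example's own.

```python
"""Choose a non-expired OpenPGP key for a recipient name instead of trusting
gpg's name-based lookup, using `gpg --with-colons --list-keys` output."""
import time

# Constructed sample listing (NOT real gpg output or real keys). Alice has an
# expired 2048-bit key that sits first in the keyring, followed by a current
# 4096-bit key; Bob has one current key. Timestamps are epoch seconds.
SAMPLE_LISTING = """\
pub:e:2048:1:AAAAAAAAAAAAAAAA:1262304000:1293840000::-:::scESC::::::23::0:
fpr:::::::::1111111111111111111111111111111111111111:
uid:e::::1262304000::0123456789ABCDEF0123456789ABCDEF01234567::Alice Example <alice@example.org>::::::::::0:
pub:u:4096:1:BBBBBBBBBBBBBBBB:1420070400:4102444800::u:::scESC::::::23::0:
fpr:::::::::2222222222222222222222222222222222222222:
uid:u::::1420070400::89ABCDEF0123456789ABCDEF0123456789ABCDEF::Alice Example <alice@example.org>::::::::::0:
pub:u:4096:1:CCCCCCCCCCCCCCCC:1546300800:4102444800::u:::scESC::::::23::0:
fpr:::::::::3333333333333333333333333333333333333333:
uid:u::::1546300800::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Bob Example <bob@example.org>::::::::::0:
"""

# Validity codes in field 2 that mark a key as unusable for encryption.
UNUSABLE_VALIDITY = {"e", "r", "n"}  # expired, revoked, never trust


def parse_listing(text):
    """Turn colon-format output into a list of primary keys, in keyring order.

    Each key dict carries keyid, validity, created, expires (None if no
    expiry), the primary fingerprint and the list of user IDs.
    """
    keys = []
    cur = None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            cur = {
                "keyid": f[4],
                "validity": f[1],
                "created": int(f[5]),
                "expires": int(f[6]) if f[6] else None,
                "fpr": None,
                "uids": [],
            }
            keys.append(cur)
        elif f[0] == "fpr" and cur is not None and cur["fpr"] is None:
            # The first fpr record after a pub record is the primary key's
            # fingerprint; later ones belong to subkeys and are ignored here.
            cur["fpr"] = f[9]
        elif f[0] == "uid" and cur is not None:
            cur["uids"].append(f[9])
    return keys


def first_match_by_name(keys, name):
    """Model of the behaviour the report describes: the first key in keyring
    order whose user ID contains the name, regardless of expiry."""
    needle = name.lower()
    for k in keys:
        if any(needle in u.lower() for u in k["uids"]):
            return k
    return None


def usable_keys_for(keys, name, now=None):
    """Keys matching the name that are neither expired nor revoked, newest first."""
    now = int(time.time()) if now is None else now
    needle = name.lower()
    out = []
    for k in keys:
        if k["validity"] in UNUSABLE_VALIDITY:
            continue
        if k["expires"] is not None and k["expires"] <= now:
            continue
        if any(needle in u.lower() for u in k["uids"]):
            out.append(k)
    return sorted(out, key=lambda k: k["created"], reverse=True)


def recipient_fingerprint(keys, name, now=None):
    """Fingerprint to pass to `gpg -r`, or LookupError if nothing usable matches."""
    candidates = usable_keys_for(keys, name, now)
    if not candidates:
        raise LookupError("no unexpired, unrevoked key matches %r" % name)
    return candidates[0]["fpr"]


if __name__ == "__main__":
    keys = parse_listing(SAMPLE_LISTING)
    naive = first_match_by_name(keys, "alice@example.org")
    print("name lookup would pick:", naive["keyid"], "validity", naive["validity"])
    fpr = recipient_fingerprint(keys, "alice@example.org")
    print("encrypt with: gpg --encrypt -r", fpr)
```

In practice the listing text comes from `gpg --with-colons --list-keys "alice@example.org"`; feeding the resulting fingerprint to `-r` (rather than the name) sidesteps the selection this report complains about, and the `LookupError` path is the case where every matching key has expired and the only correct action is to refuse to encrypt. When several usable keys match, this picks the newest; a stricter policy could treat that as an ambiguity and fail instead.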