the keys in tests/openpgp/tofu-keys.asc all expire on 2016-09-17, less than
three months away.
This means that tofu.test will fail with:
Wrong default trust. Got: `e', expected `m'
in about 90 days.
We're already seeing this problem in debian's reproducible builds, where one
build is done with a clock that is advanced 398 days from the present.
(you can see that clock variations are the likely culprit:
I'm not sure the right way to deal with test keys like this so that the test
suite itself doesn't gratuitously fail just because the wall clock advances.
Maybe 10-year expirations would be sufficient, with a warning (not a failure)
that shows up in the test suite when the keys have less than 2 years left?