A few remarks:
- For now the users are just informed about the upcoming expiration of certificates used in the Sign/Encrypt dialog. There is no button to act or get further information what to do about it.
- Expiration of issuer certificates are ignored. If a leaf certificate gets invalid as soon as any certificate in the issuer chain expires, then it may make more sense to treat this as expiration of the leaf certificate since that's effectively what happens. On the other hand, if the expiration of certificates in the issuer chain have no effect on the validity of the leaf certificate (because at the time the leaf certificate was certified the chain was valid), then, in my opinion, it makes little sense to bother the users with the expiration of chain certificates.
- I took over the default values that are also used by KMail and that seem to be the recommended default by SPHINX (according to the comments for the settings in KMail).
- I decided to save/load the thresholds from a shared configuration file (kleo-expirycheckerrc), but to keep the setting whether to show expiry notifications as per-application setting.