Ok, I may see three potential problems in dirmngr->validate.c->validate_cert_chain(), but it may also be my limited familiarity with the gnupg source.
- Here we leave the certificate validation loop at the first trusted root certificate, even if it is expired as we only mark this fact for later evaluation.
- Here we seem to only ever go up the chain, never sideways as is the case in the original patch for this bug.
- And probably most impactful, here we fail the whole validation if any of the previously checked certificates is expired, so that even if we would fix the second point by checking sibling certificates, we would still get an overall failure.