
Bug#934076: apt: EXPKEYSIG shouldn't trigger for updated key



Package: apt
Version: 1.8.2
Tags: minor

I had manually used 
```
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 96B3EE5F29111145 || curl "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x96B3EE5F29111145" | apt-key add -
```

(For reference, the equivalent content is available from: https://github.com/Security-Onion-Solutions/securityonion-saltstack/blob/9885e188a10e30088813c32270f05f7583875619/so-setup-network.sh#L638-L689 )
which adds a key to `/etc/apt/trusted.gpg` -- I did this a while ago.

The key I had for this has expired:

```
apt-get update
...
Err:11 https://packages.wazuh.com/3.x/apt stable InRelease
  The following signatures were invalid: EXPKEYSIG 96B3EE5F29111145 Wazuh.com (Wazuh Signing Key) <support@wazuh.com>
```

** It would have been somewhat helpful if the message said "expired" instead of "invalid".

I went and checked (or could have checked):
```
apt-key list
/etc/apt/trusted.gpg
--------------------
...
pub   rsa4096 2016-08-01 [SC] [expired: 2019-08-01]
      0DCF CA55 47B1 9D2A 6099  5060 96B3 EE5F 2911 1145
uid           [ expired] Wazuh.com (Wazuh Signing Key) <support@wazuh.com>
...
```

I ran:
```
curl https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo tee /etc/apt/trusted.gpg.d/wazuh.asc
apt-get update
```

And I still got a complaint about EXPKEYSIG for 96B3EE5F29111145.

```
apt-key list
/etc/apt/trusted.gpg
--------------------
...
pub   rsa4096 2016-08-01 [SC] [expired: 2019-08-01]
      0DCF CA55 47B1 9D2A 6099  5060 96B3 EE5F 2911 1145
uid           [ expired] Wazuh.com (Wazuh Signing Key) <support@wazuh.com>
...

/etc/apt/trusted.gpg.d/wazuh.asc
--------------------------------
pub   rsa4096 2016-08-01 [SC] [expires: 2027-05-15]
      0DCF CA55 47B1 9D2A 6099  5060 96B3 EE5F 2911 1145
uid           [ unknown] Wazuh.com (Wazuh Signing Key) <support@wazuh.com>
sub   rsa4096 2016-08-01 [E] [expires: 2027-05-15]
```

Expected results:
If a key exists twice, once w/ an old expiry, and once w/ a newer expiry, accept the newer expiry.
Alternatively, if a key exists twice, w/ different expiries and apt really doesn't want to deal w/ it, it should explain about the mismatch (apt-key list didn't complain that I had two keys for the same key w/ different expiration dates).

For reference, I can trigger it w/ deterministic file names like:
```
apt-key list
/etc/apt/trusted.gpg
--------------------
pub   rsa4096 2017-05-20 [SC] [expires: 2025-05-18]
      067E 3C45 6BAE 240A CEE8  8F6F EF0F 382A 1A7B 6500
uid           [ unknown] Debian Stable Release Key (9/stretch) <debian-release@lists.debian.org>

/etc/apt/trusted.gpg.d/000-wazuh-expired.asc
--------------------------------------------
pub   rsa4096 2016-08-01 [SC] [expired: 2019-08-01]
      0DCF CA55 47B1 9D2A 6099  5060 96B3 EE5F 2911 1145
uid           [ expired] Wazuh.com (Wazuh Signing Key) <support@wazuh.com>

pub   rsa4096 2016-08-01 [SC] [expires: 2027-05-15]
      0DCF CA55 47B1 9D2A 6099  5060 96B3 EE5F 2911 1145
uid           [ unknown] Wazuh.com (Wazuh Signing Key) <support@wazuh.com>
sub   rsa4096 2016-08-01 [E] [expires: 2027-05-15]

/etc/apt/trusted.gpg.d/001-wazuh-updated.asc
--------------------------------------------
pub   rsa4096 2016-08-01 [SC] [expires: 2027-05-15]
      0DCF CA55 47B1 9D2A 6099  5060 96B3 EE5F 2911 1145
uid           [ unknown] Wazuh.com (Wazuh Signing Key) <support@wazuh.com>
sub   rsa4096 2016-08-01 [E] [expires: 2027-05-15]
```
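The report's complaint is that `apt-key list` shows the same fingerprint under two different expiries without flagging it. The following is an added example (not part of the bug report or of apt itself) that parses a listing in the human-readable `apt-key list` format and reports fingerprints that occur with more than one expiry, which is the check a maintainer would want before `apt-get update` fails with EXPKEYSIG. The sample listing is constructed inline from the keyrings shown above; in practice one would feed it the real output, or better `gpg --with-colons`, whose format is stable.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the `apt-key list` listing in the report.
SAMPLE_LISTING = """\
/etc/apt/trusted.gpg
--------------------
pub   rsa4096 2017-05-20 [SC] [expires: 2025-05-18]
      067E 3C45 6BAE 240A CEE8  8F6F EF0F 382A 1A7B 6500
uid           [ unknown] Debian Stable Release Key (9/stretch) <debian-release@lists.debian.org>

/etc/apt/trusted.gpg.d/000-wazuh-expired.asc
--------------------------------------------
pub   rsa4096 2016-08-01 [SC] [expired: 2019-08-01]
      0DCF CA55 47B1 9D2A 6099  5060 96B3 EE5F 2911 1145
uid           [ expired] Wazuh.com (Wazuh Signing Key) <support@wazuh.com>

pub   rsa4096 2016-08-01 [SC] [expires: 2027-05-15]
      0DCF CA55 47B1 9D2A 6099  5060 96B3 EE5F 2911 1145
uid           [ unknown] Wazuh.com (Wazuh Signing Key) <support@wazuh.com>
sub   rsa4096 2016-08-01 [E] [expires: 2027-05-15]

/etc/apt/trusted.gpg.d/001-wazuh-updated.asc
--------------------------------------------
pub   rsa4096 2016-08-01 [SC] [expires: 2027-05-15]
      0DCF CA55 47B1 9D2A 6099  5060 96B3 EE5F 2911 1145
uid           [ unknown] Wazuh.com (Wazuh Signing Key) <support@wazuh.com>
sub   rsa4096 2016-08-01 [E] [expires: 2027-05-15]
"""

# "pub   rsa4096 2016-08-01 [SC] [expired: 2019-08-01]"; the expiry bracket is optional
# because a key with no expiry prints none.
PUB_RE = re.compile(
    r"^pub\s+\S+\s+\d{4}-\d{2}-\d{2}\s+\[[^\]]*\]"
    r"(?:\s*\[(expires|expired):\s*(\d{4}-\d{2}-\d{2})\])?"
)
# Indented 40-hex-digit fingerprint in groups of four (gpg prints a double space mid-way).
FPR_RE = re.compile(r"^\s+([0-9A-F]{4}(?:\s+[0-9A-F]{4}){9})\s*$")


def parse_key_listing(text):
    """Return (keyring_path, fingerprint, state, expiry_date) for every pub key."""
    entries = []
    keyring = None
    pending = None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        # A keyring header is a path followed by a line made only of dashes.
        if line.startswith("/") and i + 1 < len(lines) and lines[i + 1] and set(lines[i + 1]) == {"-"}:
            keyring = line.strip()
            continue
        m = PUB_RE.match(line)
        if m:
            pending = (m.group(1) or "never", m.group(2))
            continue
        m = FPR_RE.match(line)
        if m and pending is not None:
            entries.append((keyring, m.group(1).replace(" ", ""), pending[0], pending[1]))
            pending = None
    return entries


def find_expiry_conflicts(entries):
    """Map fingerprint -> sorted copies, for fingerprints seen with more than one expiry."""
    by_fpr = defaultdict(list)
    for keyring, fpr, state, date in entries:
        by_fpr[fpr].append((keyring, state, date))
    return {fpr: sorted(copies) for fpr, copies in by_fpr.items()
            if len({date for _, _, date in copies}) > 1}


def newest_expiry(copies):
    """The latest expiry among the copies of one key (ISO dates sort lexically)."""
    return max(date for _, _, date in copies if date is not None)


def report(text):
    """Human-readable summary: one line per conflicting fingerprint."""
    lines = []
    for fpr, copies in find_expiry_conflicts(parse_key_listing(text)).items():
        where = "; ".join(f"{k}: {s} {d}" for k, s, d in copies)
        lines.append(f"{fpr}: {len(copies)} copies, newest expiry {newest_expiry(copies)} ({where})")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LISTING):
        print(line)
```

On the sample this reports the Wazuh fingerprint three times (two in `000-wazuh-expired.asc`, one in `001-wazuh-updated.asc`) with newest expiry 2027-05-15, while the Debian release key is silent because it appears once. Deleting the stale copy rather than `apt-key del` on the key ID keeps the updated key, which is the point the report makes in its final note.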

Note: it's possible to use `apt-key del 96B3EE5F29111145`, but this unfortunately also deleted my updated key, which was slightly frustrating.
