From c7339f6f781468494d96e27c5c856fc72a4ed084 Mon Sep 17 00:00:00 2001
From: Daniel Huigens
Date: Mon, 10 Dec 2018 16:34:44 +0100
Subject: [PATCH] Check whether signing key was non-expired at signature creation time

---
 src/message.js | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/src/message.js b/src/message.js
index 7a6b4b5f..d8818616 100644
--- a/src/message.js
+++ b/src/message.js
@@ -614,12 +614,14 @@ Message.prototype.verifyDetached = function(signature, keys, date=new Date()) {
 * @async
 */
 async function createVerificationObject(signature, literalDataList, keys, date=new Date()) {
- let keyPacket = null;
+ let primaryKey = null;
+ let signingKey = null;
 await Promise.all(keys.map(async function(key) {
 // Look for the unique key that matches issuerKeyId of signature
 const result = await key.getSigningKey(signature.issuerKeyId, null);
 if (result) {
- keyPacket = result.keyPacket;
+ primaryKey = key;
+ signingKey = result;
 }
 }));
 
@@ -627,13 +629,19 @@ async function createVerificationObject(signature, literalDataList, keys, date=n
 const verifiedSig = {
 keyid: signature.issuerKeyId,
 verified: (async () => {
- if (!keyPacket) {
+ if (!signingKey) {
 return null;
 }
- const verified = await signature.verify(keyPacket, signature.signatureType, literalDataList[0]);
+ const verified = await signature.verify(signingKey.keyPacket, signature.signatureType, literalDataList[0]);
 const sig = await signaturePacket;
- if (sig.isExpired(date)) {
- return false;
+ if (sig.isExpired(date) || !(
+ sig.created >= signingKey.getCreationTime() &&
+ sig.created < await (signingKey === primaryKey ?
+ signingKey.getExpirationTime() :
+ signingKey.getExpirationTime(primaryKey, date)
+ )
+ )) {
+ return null;
 }
 return verified;
 })(),
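Review bot: The new guard in the second hunk returns `null` when the signature was created outside the signing key's validity window, where the removed code returned `false` for an expired signature; `null` is also what the preceding `if (!signingKey)` branch returns, so a caller that distinguishes "could not be verified" (`null`) from "verified and rejected" (`false`) can no longer tell a signature from an expired or not-yet-valid key apart from one whose key is simply absent. If that is intended, a comment at the `return null;` line would spare the next reader the question, e.g. `// null rather than false: the key was not valid at sig.created, so the signature is unverifiable, not proven forged`. The window check also runs only after the `signature.verify` call has already been awaited, so the full signature computation is done even for keys that could not have produced the signature; hoisting the expiry into a named constant before the `if`, `const validUntil = await (signingKey === primaryKey ? signingKey.getExpirationTime() : signingKey.getExpirationTime(primaryKey, date));`, would both allow the cheap check to go first and turn the nested `await`-inside-ternary-inside-`!( … )` into a plain comparison. Note that the `date` passed to the subkey branch is the verification date, not `sig.created`, so the binding signature used to derive the expiry is presumably the one valid now rather than at signing time — worth confirming that is the intended semantics. The enclosing `createVerificationObject` function and the `verifiedSig` object both start before this hunk and continue after it.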