fix: support validating signatures generated with the time in the future

Now the validation code always validates it this point of time:
`Now + min( KeyLifetime / 2,  DefaultMaxSkew)`.

Signed-off-by: Artem Chernyshev <artem.chernyshev@talos-systems.com>

pkg/pgp/key.go

@@ -7,6 +7,7 @@ package pgp
 
 import (
 	"crypto"
+	"math"
 	"time"
 
 	"github.com/ProtonMail/go-crypto/openpgp"
@@ -59,7 +60,19 @@ func (p *Key) Verify(data, signature []byte) error {
 
 	sig := pgpcrypto.NewPGPSignature(signature)
 
-	return p.keyring.VerifyDetached(message, sig, pgpcrypto.GetUnixTime())
+	if p.keyring.VerifyDetached(message, sig, pgpcrypto.GetUnixTime()) == nil {
+		return nil
+	}
+
+	clockSkew := DefaultAllowedClockSkew.Seconds()
+
+	i := p.key.GetEntity().PrimaryIdentity()
+
+	if i.SelfSignature.KeyLifetimeSecs != nil {
+		clockSkew = math.Min(float64(*i.SelfSignature.KeyLifetimeSecs)/2, clockSkew)
+	}
+
+	return p.keyring.VerifyDetached(message, sig, pgpcrypto.GetUnixTime()+int64(clockSkew))
 }
 
 // Sign signs the given data using the private key.

pkg/pgp/key_test.go

@@ -35,6 +35,32 @@ func TestKeyFlow(t *testing.T) {
 	assert.Error(t, key.Verify(message, signature[:len(signature)-1]))
 }
 
+func TestTimeSkew(t *testing.T) {
+	start := time.Now()
+
+	key, err := pgp.GenerateKey("John Smith", "Linux", "john.smith@example.com", time.Hour)
+	require.NoError(t, err)
+
+	assert.True(t, key.IsPrivate())
+	assert.NoError(t, key.Validate())
+
+	message := []byte("Hello, World!")
+
+	signature, err := key.Sign(message)
+	require.NoError(t, err)
+
+	pgpcrypto.UpdateTime(start.Add(-time.Minute).Unix())
+
+	assert.NoError(t, key.Verify(message, signature))
+
+	pgpcrypto.UpdateTime(start.Add(time.Hour).Unix())
+
+	signature, err = key.Sign(message)
+	require.NoError(t, err)
+
+	assert.NoError(t, key.Verify(message, signature))
+}
+
 func genKey(t *testing.T, lifetimeSecs uint32, email string, now func() time.Time) *pgp.Key {
 	cfg := &packet.Config{
 		Algorithm:              packet.PubKeyAlgoEdDSA,