Comment 11 for bug 356012

Michael Vogt (mvo) wrote:

Here is a proposed fix. It does the following:

 * recognize KEYEXPIRED and KEYREVOKED messages from gpgv and put them into a new "WorthlessSignatures" vector
 * only listen for the GOODSIG message from gpgv and ignore VALIDSIG (as GOODSIG is only sent when the signature is not made with an expired or revoked key)
 * if there is no good signature, show a message that displays the worthless signatures to the user (including the KEYEXPIRED or KEYREVSIG bits to ensure there is a way to know what is going on)
 * if there is one (or more) good signature and worthless signatures, just ignore the worthless ones

That should hopefully cover the problem without breaking strings and compatibility. Feedback/review/testing is very welcome. I tested it in an etch chroot with various expired settings and it works as it should, but I need to make a test suite for it too. I will also pass it for review to Debian.
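
The decision rules listed in the comment above, sketched as an added example; this is not the proposed patch or APT's own code. The names `Verdict`, `classify` and `status_body` are hypothetical, and the status lines are constructed and abbreviated sample input in the `[GNUPG:]` status format that gpgv writes.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

struct Verdict {                        // hypothetical result type
    std::vector<std::string> good;      // GOODSIG lines
    std::vector<std::string> worthless; // KEYEXPIRED / KEYREVOKED lines
    // One good signature is enough; worthless ones are then ignored.
    bool trusted() const { return !good.empty(); }
};

// Strip the "[GNUPG:] " prefix; returns false for non-status lines.
static bool status_body(const std::string &line, std::string &body) {
    const std::string prefix = "[GNUPG:] ";
    if (line.compare(0, prefix.size(), prefix) != 0) return false;
    body = line.substr(prefix.size());
    return true;
}

Verdict classify(const std::string &status_output) {
    Verdict v;
    std::istringstream in(status_output);
    std::string line, body;
    while (std::getline(in, line)) {
        if (!status_body(line, body)) continue;
        const std::string keyword = body.substr(0, body.find(' '));
        if (keyword == "GOODSIG")
            v.good.push_back(body);
        else if (keyword == "KEYEXPIRED" || keyword == "KEYREVOKED")
            v.worthless.push_back(body); // kept verbatim for the error text
        // VALIDSIG is deliberately not counted as a good signature.
    }
    return v;
}

// Constructed sample input: key id, fingerprint and timestamp are made up.
const std::string kExpiredOnly =
    "[GNUPG:] KEYEXPIRED 1199145600\n"
    "[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2009-04-01\n";
const std::string kMixed = kExpiredOnly +
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Archive Key\n";

int main() {
    Verdict v = classify(kExpiredOnly);
    std::cout << (v.trusted() ? "accepted" : "rejected") << "\n";
    for (const auto &w : v.worthless) std::cout << "  worthless: " << w << "\n";
    std::cout << (classify(kMixed).trusted() ? "accepted" : "rejected") << "\n";
}
```
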