tools/secretstore: fix gpg encryption for expired key

We also set --trust-model=always, as we explicitly ship GPG
fingerprints, so there's no need to rely on GPG's web of trust
shenanigans.

Change-Id: If2976130315c044f1d1727c61a6f6d489c876a52

tools/secretstore.py

@@ -49,6 +49,10 @@ keys = [
     "0879F9FCA1C836677BB808C870FD60197E195C26", # implr
 ]
 
+# Currently, Patryk's GPG key is expired. This hacks around that by pretending
+# it's January 2021.
+# TODO(q3k/patryk): remove this once Patryk updates his key.
+systime = '20210101T000000'
 
 _logger_name = __name__
 if _logger_name == '__main__':
@@ -61,7 +65,15 @@ class CLIException(Exception):
 
 
 def encrypt(src, dst):
-    cmd = ['gpg' , '--encrypt', '--armor', '--batch', '--yes', '--output', dst]
+    cmd = [
+        'gpg' , 
+        '--encrypt',
+        '--faked-system-time', systime,
+        '--trust-model', 'always',
+        '--armor',
+        '--batch', '--yes',
+        '--output', dst,
+    ]
     for k in keys:
         cmd.append('--recipient')
         cmd.append(k)
@@ -80,7 +92,7 @@ def _encryption_key_for_fingerprint(fp):
     Returns the encryption key ID for a given GPG fingerprint (eg. one from the
     'keys' list.
     """
-    cmd = ['gpg', '-k', '--keyid-format', 'long', fp]
+    cmd = ['gpg', '-k', '--faked-system-time', systime, '--keyid-format', 'long', fp]
     res = subprocess.check_output(cmd).decode()
 
     # Sample output: