Thanks for copying generated response, @renancvitor

I'd like to clarify [even more than above] few bits.

You are not missing anything on your side.

But I'm. I'm missing updated key on my side.

OpenPGP keys are immutable. Once a key expires, it cannot be extended retroactively in a way that helps already published signatures.

One can edit key and new signature packet can bear new expiration time.

Keyservers will only distribute keys that the owner has explicitly uploaded.

It does not have to be the owner.

If no newer key exists on the servers you listed, it means the maintainer has not published a replacement key there.

It rather means noone has published it.

1. The maintainer must generate a new signing key (or a new subkey).

No.

4. Optionally, the old key should be revoked or cross-signed to establish continuity of trust.

No.

What cannot be fixed:

Existing artifacts signed with the expired key cannot be “repaired” without being re-released and re-signed.

No. The published signature CAN be "repaired" (without being modified) by publishing updated key. Following verification will be fine then.

Users cannot obtain an updated version of the same key unless the maintainer publishes it.

So the same key can be updated after all? Yes!

That's what I'd like to see here.

So the correct resolution is indeed for the project maintainer to publish a new signing key and use it for future releases. Until then, consumers must either accept the expired key (if policy allows) or treat the artifact as unverifiable.

No. The correct resolution would be to publish updated key (which I suppose already happened at the place where artifacts are being signed). This updated version most probably is available where the secret key is, but it's possible it was distributed to other parties using some other [than public keyserver] channel.

Sorry about that, you're right.