Hi, on Vdsm packages downloaded from
http://resources.ovirt.org/pub/ovirt-4.0/src/vdsm/ :
% gpg --verify vdsm-4.18.13.tar.gz.sig
gpg: assuming signed data in 'vdsm-4.18.13.tar.gz'
gpg: Signature made Wed 14 Sep 2016 04:38:26 PM CEST using RSA key ID FE590CB7
gpg: Good signature from "oVirt <infra(a)ovirt.org>" [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 31A5 D783 7FAD 7CB2 86CD 3469 AB8C 4F9D FE59 0CB7
% gpg --list-keys infra(a)ovirt.org
pub 2048R/FE590CB7 2014-03-30 [expired: 2016-04-02]
uid [ expired] oVirt <infra(a)ovirt.org>
Either I download fake packages signed with a cracked expired key, or
you sign the packages with an expired key. Not good in any case.