Tags: git, cryptography, pgp, openpgp, key-management

What happens to OpenPGP-signed git commits after key expiration?


If I sign a git commit with an OpenPGP key that has an expiration date, what does that mean for people looking at that commit after the expiration date? Should all keys used for commit signing like this be permanent?

What if the verifying party has a new key from me? Or just my old? Or both?

I'm new to OpenPGP in general, especially in relation to signing git commits.


Solution

OpenPGP's expiration date only indicates "this key should not be used after a given date", but does not render a key useless: the math still works fine.

> If I sign a Git commit with a PGP key that has an expiration date, what does that mean for people looking at that commit after the expiration date?

When verifying signatures, OpenPGP implementations will compare the expiry date with the date the signature was issued. If the signature was issued within the expiration period, you're fine. If not, it will issue a warning (something like "the signature was fine, but issued after expiration").

> What if the verifying party has a new key from me? Or just my old? Or both?

If they have your old key, they can verify signatures issued by your old key. For your new key, they can verify those issued by your new key. If they have both, they can verify both.

> Should all keys used for commit signing like this be permanent?

Be aware that the expiration date does not really add any security, as it can be changed arbitrarily as long as you have control over the secret primary key. Also, the signature date can be set arbitrarily: it is written by the OpenPGP implementation used for creating the signature, and an attacker might just set a faked system time. I discussed the security of the expiration date in detail on the Information Security sister site in the question "Does OpenPGP key expiration add to security?".

Using an expiry date is fine if you want to indicate the key will not be used after a given time, but do not consider it a security feature. Lots of people with advanced OpenPGP key usage have a primary key with no expiry date and regularly escrow subkeys, which they issue with a limited validity period.

    Creating new primary keys means others must validate your new key again. The primary key is the common trust anchor in OpenPGP, and creating a new one means losing all trust/certifications.
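The verification rule and the backdating caveat from the answer above, as an added Python model (not code from the answer or from GnuPG). The `Status` names, the sample dates and the simplified `classify()` rule are assumptions; real implementations also check revocation and subkey bindings.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

class Status(Enum):
    GOOD = "good signature, key was valid at signing time"
    GOOD_KEY_SINCE_EXPIRED = "good signature, but the key has expired since"
    SIGNED_AFTER_EXPIRY = "signature made after the key expired"

@dataclass(frozen=True)
class PublicKey:
    created: datetime
    expires_after: Optional[timedelta]  # OpenPGP stores expiry as seconds after creation

    def expiry(self) -> Optional[datetime]:
        return None if self.expires_after is None else self.created + self.expires_after

def classify(key: PublicKey, sig_created: datetime, now: datetime) -> Status:
    """What a verifier reports once the cryptographic check itself has passed."""
    exp = key.expiry()
    if exp is not None and sig_created >= exp:
        return Status.SIGNED_AFTER_EXPIRY      # key already expired when signed
    if exp is not None and now >= exp:
        return Status.GOOD_KEY_SINCE_EXPIRED   # fine at the time, key expired later
    return Status.GOOD

# Constructed sample: a key created 2023-01-01 with a one-year validity period.
KEY = PublicKey(datetime(2023, 1, 1, tzinfo=timezone.utc), timedelta(days=365))
YEAR_2025 = datetime(2025, 3, 1, tzinfo=timezone.utc)  # when someone reads the log

def verify_old_commit() -> Status:
    # Signed in June 2023 while the key was valid: still a good signature in 2025.
    return classify(KEY, datetime(2023, 6, 1, tzinfo=timezone.utc), YEAR_2025)

def verify_late_signature() -> Status:
    # Signed in June 2024 with an honest clock: the key had expired, so a warning.
    return classify(KEY, datetime(2024, 6, 1, tzinfo=timezone.utc), YEAR_2025)

def verify_backdated_signature() -> Status:
    # The same June 2024 signature, but the signer ran with a faked system time,
    # so the embedded creation time says June 2023. The verifier cannot tell:
    # this is why the answer says expiry is not a security feature.
    return classify(KEY, datetime(2023, 6, 1, tzinfo=timezone.utc), YEAR_2025)
```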