diff --git a/.github/workflows/cron.yaml b/.github/workflows/cron.yaml
new file mode 100644
index 0000000..76809fb
--- /dev/null
+++ b/.github/workflows/cron.yaml
@@ -0,0 +1,38 @@
+# SPDX-FileCopyrightText: 2024 Benjamin Grande M. S.
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+---
+name: Cron
+
+# yamllint disable-line rule:truthy
+on:
+  # yamllint disable-line rule:empty-values
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+    types:
+      - opened
+      - reopened
+      - synchronize
+  schedule:
+    - cron: "0 0 15,30 * *"
+
+concurrency:
+  group: ci-${{ github.ref }}-10
+  cancel-in-progress: true
+
+jobs:
+  pgp-expiration-check:
+    strategy:
+      fail-fast: false
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Discover keys that are expired or close to expiration date
+        run: scripts/pgp-expiration.sh $(find -type f -name "*.asc")
diff --git a/scripts/pgp-expiration.sh b/scripts/pgp-expiration.sh
new file mode 100755
index 0000000..739accd
--- /dev/null
+++ b/scripts/pgp-expiration.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+
+## SPDX-FileCopyrightText: 2024 Benjamin Grande M. S.
+##
+## SPDX-License-Identifier: AGPL-3.0-or-later
+
+set -eu
+
+now="$(date +%s)"
+fail="0"
+for key in "${@}"; do
+  ## TODO: exit only after evaluating all subkeys, not on the first error.
+  gpg --no-keyring --no-auto-check-trustdb --no-autostart \
+    --with-colons --show-keys "${key}" |
+  awk -v key="${key}" -v now="${now}" -F ':' '/^(p|s)ub:/ {
+    if ($7=="") {
+      next
+    }
+    if ($7"/dev/stderr";
+      exit 1
+    }
+    # 60 days
+    else if (($7-now)<(60*60*24*60)) {
+      print key ": expires soon:", $5 >"/dev/stderr";
+      exit 1
+    }
+  }' || fail="1"
+done
+
+if test "${fail}" = "1"; then
+  exit 1
+fi
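Review bot: The `run:` step on the last line of the cron.yaml hunk passes `$(find -type f -name "*.asc")` unquoted, so any `.asc` path containing whitespace is split into several arguments, and `find` with no start directory relies on a GNU extension; `run: find . -type f -name '*.asc' -exec scripts/pgp-expiration.sh {} +` avoids both. The `# yamllint disable-line rule:empty-values` comment above `push:` applies to a key that is not empty and can be dropped. Since the job only reads the checkout, a top-level `permissions:` block with `contents: read` would keep the default token at least privilege, and `actions/checkout@v4` could be pinned to a full commit SHA with the tag in a trailing comment so the action cannot change underneath the workflow. `fetch-depth: 0` looks unneeded because the script does not read git history, though that is inferred from the script hunk alone.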
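Review bot: A gpg failure is masked in the `gpg ... | awk ... || fail="1"` pipeline inside the `for` loop: the script has `set -eu` but no pipefail, so the pipeline's status is awk's, and awk exits 0 on empty input, meaning a corrupt, truncated or non-key `.asc` file passes the check silently. Running gpg on its own, failing the file when it cannot be read, and only then feeding the colon output to awk closes that gap; the awk rule could additionally count `pub:` lines and fail in an `END` block when none were seen. The `if ($7` branch that reports expired keys is mangled in this rendering of the hunk (its comparison and print line are collapsed), so the rest of the rule was read from the `expires soon` branch.
```shell
for key in "${@}"; do
  ## Run gpg separately so a read/parse failure is not hidden by the pipe:
  ## without pipefail the pipeline's status is awk's, and awk exits 0 on
  ## empty input.
  if ! colons="$(gpg --no-keyring --no-auto-check-trustdb --no-autostart \
    --with-colons --show-keys "${key}")"; then
    printf '%s: gpg could not read key\n' "${key}" >&2
    fail="1"
    continue
  fi
  printf '%s\n' "${colons}" |
  awk -v key="${key}" -v now="${now}" -F ':' '/^(p|s)ub:/ {
  # … unchanged: expiry checks …
  }' || fail="1"
done
```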