The pedantic answer to your question is: when gcc-9.3.0 was released, the key was not yet expired:
$ gpg --verify gcc-9.3.0.tar.gz.sig gcc-9.3.0.tar.gz
gpg: Signature made Thu 12 Mar 2020 07:32:47 AM EDT
gpg: using DSA key A328C3A2C3C45C06
The signature was made in March 2020, but the key expired in September 2020:
gpg --list-keys A328C3A2C3C45C06
pub dsa1024/A328C3A2C3C45C06 2004-04-21 [SC] [expired: 2020-09-10]
33C235A34C46AA3FFB293709A328C3A2C3C45C06
So, the fact that it’s expired now is not a cause for concern.
What is the cause for concern is that it’s a 1024/DSA key, which is probably not considered sufficiently strong these days. However, I can also see that the author has a newer key created in May, 2020:
pub rsa4096/6C35B99309B5FA62 2020-05-28 [SC]
D3A93CAD751C2AF4F8C7AD516C35B99309B5FA62
So, perhaps the next release of gcc will be signed with this key instead.
