digital signature – gnu gcc source archives signed with expired GPG key?

The pedantic answer to your question is: when gcc-9.3.0 was released, the key was not yet expired:

$ gpg --verify gcc-9.3.0.tar.gz.sig gcc-9.3.0.tar.gz
gpg: Signature made Thu 12 Mar 2020 07:32:47 AM EDT
gpg:                using DSA key A328C3A2C3C45C06 

The signature was made in March 2020, but the key expired in September 2020:

gpg --list-keys A328C3A2C3C45C06
pub   dsa1024/A328C3A2C3C45C06 2004-04-21 [SC] [expired: 2020-09-10]
      33C235A34C46AA3FFB293709A328C3A2C3C45C06

So, the fact that it’s expired now is not a cause for concern.

What is the cause for concern is that it’s a 1024/DSA key, which is probably not considered sufficiently strong these days. However, I can also see that the author has a newer key created in May, 2020:

pub   rsa4096/6C35B99309B5FA62 2020-05-28 [SC]
      D3A93CAD751C2AF4F8C7AD516C35B99309B5FA62

So, perhaps the next release of gcc will be signed with this key instead.