I had imported Wladimir's public key in the past, but it's now expired. I tried to verify SHA256SUMS.asc, and it did have a good signature.
$ gpg --verify SHA256SUMS.asc
gpg: Signature made Wed 29 Sep 2021 08:26:46 AM EEST
gpg: using RSA key 90C8019E36C2E964
gpg: Good signature from "Wladimir J. van der Laan (Bitcoin Core binary release signing key) <laanwj@gmail.com>" [expired]
gpg: Note: This key has expired!
I re-imported it, with the provided GitHub link, and there wasn't a problem. That's the latest commit by laanwj:
Change the expiration to 2024. The key is no longer being used for new
releases, but letting it expire now would be inconvenient because there
may still be another 0.21.x release, and, people may still want to
verify older releases.
This should be enough for all releases signed with it to be EOL. After
that, it can be removed from the site completely.
I hope this does answer your last question.
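The "good signature, expired key" case shown above can be told apart from a bad signature in a script by reading gpg's machine-readable status lines instead of its human-readable text. This is an added example, not part of the original answer: the function name, the verdict strings and the sample status lines (timestamps and the zero-padded fingerprint) are constructed, and it assumes a file carrying a single signature.

```shell
#!/bin/sh
# Classify the status lines produced by:
#   gpg --status-fd 1 --verify SHA256SUMS.asc 2>/dev/null | classify_gpg_status 90C8019E36C2E964
# Prints one of: good, good-expired-key, reject.
# The pinned key ID must match the fingerprint in VALIDSIG, so a valid
# signature from some other key in the keyring is still rejected.
classify_gpg_status() {
    awk -v pin="$1" '
        function ends_with(s, suffix) {
            return substr(s, length(s) - length(suffix) + 1) == suffix
        }
        BEGIN { pin = toupper(pin "") }
        $1 != "[GNUPG:]" { next }
        # GOODSIG: signature verifies and the key is currently valid.
        $2 == "GOODSIG"   { verdict = "good" }
        # EXPKEYSIG: signature verifies, but the key has expired since.
        $2 == "EXPKEYSIG" { verdict = "good-expired-key" }
        # Bad, unverifiable, expired-signature or revoked-key results.
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # VALIDSIG: field 3 is the signing key fingerprint, the last
        # field is the primary key fingerprint.
        $2 == "VALIDSIG" && (ends_with(toupper($3), pin) || ends_with(toupper($NF), pin)) { pinned = 1 }
        END {
            if (pin == "" || bad || !pinned || verdict == "") print "reject"
            else print verdict
        }
    '
}

# Constructed sample: status lines for a signature whose key has expired.
# The fingerprint is a placeholder (zeros + the key ID from the output above).
SAMPLE_FPR=00000000000000000000000090C8019E36C2E964
SAMPLE_EXPIRED_KEY="[GNUPG:] NEWSIG
[GNUPG:] KEYEXPIRED 1640000000
[GNUPG:] EXPKEYSIG 90C8019E36C2E964 Wladimir J. van der Laan (Bitcoin Core binary release signing key) <laanwj@gmail.com>
[GNUPG:] VALIDSIG $SAMPLE_FPR 2021-09-29 1632893206 0 4 0 1 8 01 $SAMPLE_FPR"

printf '%s\n' "$SAMPLE_EXPIRED_KEY" | classify_gpg_status 90C8019E36C2E964
```

Pinning against the full fingerprint rather than the 16-character key ID is stricter; the key ID is used here only because it is the value shown in the output above.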