I just noticed that Brave seems to update their signing keys quite regularly.
The one I had installed expired 2019-04-13.
The new one will expire 2019-08-08.
Actually, I guess it’s the same key, but refreshed.
Fingerprint is still D8BA D4DE 7EE1 7AF5 2A83 4B2D 0BB7 5829 C2D4 E821
So, if apt update fails to update the brave repository data with invalid signature, EXPKEYSIG, it’s no reason to worry. The command described in post #12 will refresh the key.
To be sure that nothing strange is going on, you can do it in multiple steps. Note that a different fingerprint is not necessarily malicious, but maybe is should be explained somewhere. At the very least, it should match with the fingerprints listed in the official installation docs.
# list all installed repository keys (with fingerprints and expiry dates)
apt-key list
# dowload current brave key, without directly installing it
curl -s https://brave-browser-apt-release.s3.brave.com/brave-core.asc > brave.asc
# examine downloaded key
gpg brave.asc
#install examined key
apt-key add brave.asc