Hi. OSes usually include all CA certificates (even expired). Windows also does it (I have CA expired in 1999 in win10).
User should have the ability to distinguish between invalid signatures and old/expired signatures. While the latter is an expected situation, the former is definitely fraud.
