As you have figured out, the message comes from dpkg while unpacking.
dpkg uses its own keyrings for it, and adding something like
'--require-valid-signature' will make it hard for users to work with
third-party archives, as a key for the maintainer is usually not installed
(and is in general a different one from the keys apt uses: APT has keys to
verify the complete archive, while the source packages are signed with the
key of the maintainer).

But we don't need this: the downloaded files are, as usual, checked by
apt with the checksums provided in the Sources index. So we already know
through our usual trust path that the files are okay. So what we could
actually do is disable this check by dpkg, but additional checks aren't
bad in case the needed keyrings are installed (no, we can't know that
beforehand, so we can't disable it 'on-demand').

I am therefore setting it to 'invalid' as there is no security problem
involved and I don't see a good way to disable this message from dpkg.

** Changed in: apt (Ubuntu)
       Status: Triaged => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/939322

Title:
  apt-get source ignores missing key
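
The checksum step the comment relies on, as an added example that is not part of the original message and is not apt's own code: it parses the `Checksums-Sha256` field of one Sources index stanza and checks downloaded files against it by size and hash, independently of any maintainer signature on the .dsc. The package name, file names, file contents and function names are constructed for illustration.

```python
import hashlib

def parse_checksums(stanza, field="Checksums-Sha256"):
    """Return {filename: (sha256_hex, size)} from one Sources stanza."""
    entries, in_field = {}, False
    for line in stanza.splitlines():
        if line.startswith(field + ":"):
            in_field = True
            continue
        if in_field:
            if not line.startswith(" "):  # continuation lines are indented
                break
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
    return entries

def verify_files(stanza, files):
    """Check downloaded files (name -> bytes) against the stanza.

    Returns {name: "ok" | "size mismatch" | "hash mismatch" | "missing"}.
    """
    results = {}
    for name, (digest, size) in parse_checksums(stanza).items():
        data = files.get(name)
        if data is None:
            results[name] = "missing"
        elif len(data) != size:
            results[name] = "size mismatch"
        elif hashlib.sha256(data).hexdigest() != digest:
            results[name] = "hash mismatch"
        else:
            results[name] = "ok"
    return results

def make_stanza(files):
    """Build a constructed Sources stanza listing the given files."""
    lines = ["Package: hello-demo", "Version: 1.0-1", "Checksums-Sha256:"]
    for name, data in files.items():
        lines.append(" %s %d %s" % (hashlib.sha256(data).hexdigest(), len(data), name))
    lines.append("Directory: pool/main/h/hello-demo")
    return "\n".join(lines)

# Constructed sample data: a made-up package with an unsigned .dsc and a tarball.
GOOD = {"hello-demo_1.0-1.dsc": b"Format: 3.0 (quilt)\nSource: hello-demo\n",
        "hello-demo_1.0.orig.tar.gz": b"constructed tarball bytes"}
STANZA = make_stanza(GOOD)

if __name__ == "__main__":
    print(verify_files(STANZA, GOOD))
```

In a real archive the Sources index is itself covered by a hash in the Release file, which is signed with the archive key, so a match here ties the files back to that key.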
