The idea is that even if the signature can't be checked (= key is not in the keyring), we still use the Release file to decide which files to download (e.g. pdiffs/translations available?) and use the Hashsums for checking. The latter doesn't provide a good trust path, but playing man-in-the-middle is a bit harder this way and we can detect download failures. The commits adding this should have some more reasons for it included (I don't have the source handy currently for quoting).
So what we should do is discard the (In)Release file in some cases (bad signature) and keep it in others (key not in keyring).

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/24061

Title:
  GPG error with apt-get/aptitude/update-manager behind proxy (BADSIG 40976EAF437D05B5)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/24061/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
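The policy sketched in the message above (discard on BADSIG, keep on NO_PUBKEY but only for index selection and hash checks, trust on GOODSIG) as an added, self-contained example. This is not apt's code and not the poster's; the `[GNUPG:]` status keywords are the real ones gpgv emits with `--status-fd`, but the key id, user id, Release excerpt and index contents below are constructed for the demo, and the function names are my own.

```python
"""Classify an apt (In)Release file from gpgv's status output, then use its
SHA256 list to decide which indexes exist and to check downloaded ones.

Added example, not apt's own implementation. All sample data is constructed.
"""
import hashlib
import re

# Constructed "gpgv --status-fd 1" excerpts. The keywords are real gpgv
# status tokens; the key id and user id are placeholders.
STATUS_GOOD = ["[GNUPG:] GOODSIG 0123456789ABCDEF Example Archive <archive@example.invalid>"]
STATUS_NOKEY = ["[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 1700000000 9 -",
                "[GNUPG:] NO_PUBKEY 0123456789ABCDEF"]
STATUS_BAD = ["[GNUPG:] BADSIG 0123456789ABCDEF Example Archive <archive@example.invalid>"]


def classify_signature(status_lines):
    """Map gpgv's verdict to one of three outcomes for the Release file.

    'trusted' : GOODSIG and no BADSIG; the file anchors trust for every index.
    'keep'    : NO_PUBKEY only; the file is still used to learn which indexes
                (pdiffs, translations) exist and to hash-check downloads,
                but nothing it lists becomes trusted.
    'discard' : any BADSIG, or no usable verdict; corrupt or forged, use
                nothing from it.
    """
    verdicts = set()
    for line in status_lines:
        m = re.match(r"\[GNUPG:\]\s+(\S+)", line)
        if m:
            verdicts.add(m.group(1))
    if "BADSIG" in verdicts:
        return "discard"
    if "GOODSIG" in verdicts:
        return "trusted"
    if "NO_PUBKEY" in verdicts:
        return "keep"
    return "discard"


def parse_release_hashes(release_text):
    """Return {path: (sha256_hex, size)} from the 'SHA256:' section.

    Entries are the indented ' <hash> <size> <path>' lines that follow the
    section header; other sections (MD5Sum:, SHA1:) are skipped.
    """
    hashes = {}
    in_sha256 = False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            in_sha256 = line.strip() == "SHA256:"
            continue
        if in_sha256:
            digest, size, path = line.split()
            hashes[path] = (digest.lower(), int(size))
    return hashes


def check_index(hashes, path, data):
    """True only if the Release file lists path and size+SHA256 both match."""
    if path not in hashes:
        return False
    digest, size = hashes[path]
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest


# Constructed index contents; the Release excerpt below is built from them so
# the hashes are genuine. No Packages.diff/Index is listed, so a client
# keeping this Release file would skip pdiffs and fetch Packages in full.
SAMPLE_PACKAGES = b"Package: example\nVersion: 1.0-1\nArchitecture: all\n\n"
SAMPLE_TRANSLATION = b"Package: example\nDescription-en: An example package\n\n"
SAMPLE_RELEASE = (
    "Origin: Example\nSuite: stable\nCodename: stable\n"
    "Architectures: all\nComponents: main\nSHA256:\n"
    f" {hashlib.sha256(SAMPLE_PACKAGES).hexdigest()} {len(SAMPLE_PACKAGES)} main/binary-all/Packages\n"
    f" {hashlib.sha256(SAMPLE_TRANSLATION).hexdigest()} {len(SAMPLE_TRANSLATION)} main/i18n/Translation-en\n"
)


def plan_and_verify(status_lines, release_text, downloaded):
    """Apply the policy: returns (verdict, {path: hash_ok}) for the files in
    `downloaded`, or (verdict, {}) when the Release file is discarded."""
    verdict = classify_signature(status_lines)
    if verdict == "discard":
        return verdict, {}
    hashes = parse_release_hashes(release_text)
    return verdict, {p: check_index(hashes, p, data) for p, data in downloaded.items()}


if __name__ == "__main__":
    got = {"main/binary-all/Packages": SAMPLE_PACKAGES,
           "main/i18n/Translation-en": SAMPLE_TRANSLATION + b"tampered"}
    for name, status in (("good", STATUS_GOOD), ("nokey", STATUS_NOKEY), ("bad", STATUS_BAD)):
        print(name, plan_and_verify(status, SAMPLE_RELEASE, got))
```

The point of `plan_and_verify` is the asymmetry the message describes: a BADSIG (as in the proxy case in this bug) throws the whole file away, whereas a missing key still lets the client notice that no pdiff index is listed and catch a truncated or altered download by hash, without that hash check ever being mistaken for a trust decision.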
