apt-add-repository validates that the key that was downloaded is the right one before importing it; it doesn't blindly trust the key that gpg downloaded from the keyserver.
This is wishlist simply because it's security hardening. I will include it in the next gnupg security upload.

--
https://bugs.launchpad.net/bugs/1409117
Title: GPG does not verify keys received when using --recv-keys leaving communication with key servers vulnerable to MITM
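
The kind of check described in the message above, as an added example that is not part of the original message and is not apt-add-repository's or gnupg's code: it parses a `gpg --with-colons` key listing of what a keyserver returned and allows import only if it holds exactly the requested key. The function names, the sample listings and the choice to accept only full 40-hex fingerprints are assumptions of this example.

```python
import re

WANTED = "0123456789ABCDEF0123456789ABCDEF01234567"  # constructed fingerprint
# Constructed colon listings (made-up keys): the requested key, then an extra one.
GOOD = """\
pub:-:4096:1:89ABCDEF01234567:1400000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1400000000::::Requested Archive Key:
sub:-:4096:1:0123456789ABCDEF:1400000000::::::e:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
"""
EXTRA = """\
pub:-:4096:1:FEDCBA9876543210:1400000000:::-:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFFFEDCBA9876543210:
uid:-::::1400000000::::Unrequested Key:
"""

def primary_fingerprints(colon_output):
    """Return the primary-key fingerprint of every key in the listing."""
    found, expect_primary = [], False
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sec"):
            expect_primary = True          # next fpr record belongs to this key
        elif fields[0] in ("sub", "ssb"):
            expect_primary = False         # next fpr record is a subkey's
        elif fields[0] == "fpr" and expect_primary and len(fields) > 9:
            found.append(fields[9].upper())  # field 10 holds the fingerprint
            expect_primary = False
    return found

def safe_to_import(requested, colon_output):
    """True only if the listing holds exactly one key and it is the requested one."""
    wanted = re.sub(r"\s+", "", requested).upper()
    if wanted.startswith("0X"):
        wanted = wanted[2:]
    # Assumption of this example: anything shorter than a full fingerprint
    # is refused rather than matched against a key ID suffix.
    if not re.fullmatch(r"[0-9A-F]{40}", wanted):
        return False
    return primary_fingerprints(colon_output) == [wanted]

if __name__ == "__main__":
    print("single matching key:", safe_to_import(WANTED, GOOD))
    print("response with extra key:", safe_to_import(WANTED, GOOD + EXTRA))
```
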
