Comment 2 for bug 1013128

Jamie Strandboge (jdstrand) wrote :

Ok, Michael, Marc and I looked at this a bit. If I copy sec1.bin to /var/www/ubuntu-archive-keyring.gpg then update ARCHIVE_KEYRING_URI to have ARCHIVE_KEYRING_URI=http://localhost/ubuntu-archive-keyring.gpg, the key does not get updated on lucid/amd64. If I change the order as the report suggests, it is imported. I.e., I use this:
if $GPG_CMD --keyring $TMP_KEYRING --keyring $MASTER --check-sigs --with-colons $add_key | grep '^sig:!:' | cut -d: -f5 | grep -q $master_key; then

instead of:
if $GPG_CMD --keyring $MASTER --keyring $TMP_KEYRING --check-sigs --with-colons $add_key | grep '^sig:!:' | cut -d: -f5 | grep -q $master_key; then

At this point it needs to be verified that gpg will never internally reverse the order on all architectures. If it ever does, then this is a problem. If not, this attack would require an additional step (to update apt-key's code to reverse the order).