Comment 5 for bug 1360582

I think the correct fix is as follows:

 * PackageKit has a transaction flag on the InstallFiles method for whether it's allowed to install unsigned files. We should certainly honour that, and return one of the values accepted by pk_backend_job_error_code_is_need_untrusted, then I believe that pkcon will fall back to trying the transaction in allow-unsigned mode.
 * We need to figure out how to allow untrusted installations via pkcon from the command line but not from the scope. I think it may be possible to do something with PolicyKit here. Sadly the scope uses InstallFiles rather than InstallPackages, or else it would be relatively trivial. I haven't had a chance to figure this out in detail, but note that click/pk-plugin/pk-plugin-click.c:pk_plugin_transaction_get_action accepts the "org.freedesktop.packagekit.package-install-untrusted" action.

If you really need to revert anything for now, then please don't revert the whole thing. Rather, just revert r499 from lp:click/devel (that is, reinstate r497). That way we'll keep the signing framework in general, packages that are signed with an invalid signature will still be rejected, and we'll have less work to put things back later.