Comment 4 for bug 1016643

dkg (dkg0) wrote :

I don't think this bug is fixed. It looks to me like the keyserver operator (or anyone who can MITM the keyserver) can still inject arbitrary keys here.

/usr/share/pyshared/softwareproperties/ppa.py appears to run "apt-key adv --keyserver $whatever --recv $fingerprint"

and "apt-key adv" is just shelling out to gpg.

if your keyserver happens to return the wrong thing (whether by malice or by accident), it will still just get imported.

If you'd like to try, consider using the (absurdly low-fi) fake "keyserver" hkp://dkg.fifthhorseman.net:80/, which will always return my key, regardless of what keyid (or fingerprint) you request from it.

  add-apt-repository --keyserver hkp://dkg.fifthhorseman.net:80/ ppa:kernel-ppa/ppa
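The check this comment argues for, as an added example that is not part of the bug report, of software-properties, or of apt-key: receive the key into a throwaway keyring, confirm that the one primary key the keyserver returned carries the full fingerprint that was requested (a short key id is refused outright), and only then export it into the target keyring. The function names, the sample `--with-colons` listings and every fingerprint in them are constructed for this example; `safe_recv` wraps the real gpg calls and needs network access, while `fpr_matches` is exercised on the constructed listings alone.

```shell
#!/bin/sh
# Added example, not code from the bug report or from software-properties.
# Verifies that a key fetched from a keyserver really is the key that was
# asked for before it is imported. Function and variable names are assumptions.

set -u

# Normalize a fingerprint for comparison: drop spaces, uppercase hex.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Print the primary-key fingerprints in `gpg --with-colons` output read from
# stdin: the "fpr" record that directly follows each "pub" record (field 10).
# Subkey fingerprints, which follow "sub" records, are deliberately ignored.
primary_fprs() {
    awk -F: '$1=="pub"{want=1; next}
             $1=="fpr" && want {print $10; want=0; next}
             {want=0}'
}

# fpr_matches EXPECTED LISTING
# Succeeds only if EXPECTED is a full 40-hex-digit fingerprint and LISTING
# contains exactly one primary key whose fingerprint equals it. A 32- or
# 64-bit key id is rejected: it is too short to identify a key reliably.
fpr_matches() {
    expected=$(norm_fpr "$1")
    case "$expected" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ ${#expected} -eq 40 ] || return 1
    got=$(printf '%s\n' "$2" | primary_fprs | tr -d ' ')
    # If the server returned two primary keys, $got has two lines and the
    # comparison fails, so a matching key smuggled in beside an extra one
    # is refused as well.
    [ "$got" = "$expected" ]
}

# safe_recv KEYSERVER FINGERPRINT TARGET_KEYRING
# Hardened counterpart of `apt-key adv --keyserver ... --recv`: the key is
# received into a temporary GNUPGHOME, checked with fpr_matches, and only
# then exported into TARGET_KEYRING. (Not run on the constructed data below.)
safe_recv() {
    ks=$1; want=$2; target=$3
    tmp=$(mktemp -d) || return 1
    chmod 700 "$tmp"
    if ! gpg --homedir "$tmp" --batch --quiet --keyserver "$ks" --recv-keys "$want" 2>/dev/null; then
        rm -rf "$tmp"; echo "receive from $ks failed" >&2; return 1
    fi
    listing=$(gpg --homedir "$tmp" --batch --with-colons --fingerprint --list-keys 2>/dev/null)
    if ! fpr_matches "$want" "$listing"; then
        rm -rf "$tmp"
        echo "keyserver $ks returned a key that is not $want; refusing to import" >&2
        return 1
    fi
    gpg --homedir "$tmp" --batch --export "$want" \
        | gpg --batch --no-default-keyring --keyring "$target" --import
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Constructed sample listings shaped like `gpg --with-colons` output; the
# fingerprints and key ids are made up and belong to no real key.
GOOD_FPR='0123456789ABCDEF0123456789ABCDEF01234567'
GOOD_LISTING="pub:u:4096:1:0123456789ABCDEF:1600000000::::::scESC::::::23::0:
fpr:::::::::${GOOD_FPR}:
uid:u::::1600000000::0000000000000000000000000000000000000000::Example PPA key <ppa@example.invalid>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1600000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:"
# What a misbehaving keyserver hands back: a different primary key.
WRONG_LISTING="pub:u:4096:1:89ABCDEF01234567:1600000000::::::scESC::::::23::0:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:"

if fpr_matches "$GOOD_FPR" "$GOOD_LISTING"; then echo "fingerprint matches: would import"; fi
if ! fpr_matches "$GOOD_FPR" "$WRONG_LISTING"; then echo "wrong key returned: refusing import"; fi
if ! fpr_matches "0123456789ABCDEF" "$GOOD_LISTING"; then echo "short key id refused"; fi
```

`fpr_matches` compares the primary-key fingerprints only, so a server that returns the right key plus an extra one, or a key whose subkey fingerprint happens to match, is refused too; `safe_recv` applies that check between `--recv-keys` and the import that `apt-key adv` would otherwise perform unconditionally.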