Comment 4 for bug 1825239

Steve Langasek (vorlon) wrote :

I have verified the authenticity of ubuntu-esm-v2-keyring.gpg by this method:

$ gpg --no-default-keyring --keyring ./keyrings/ubuntu-esm-v2-keyring.gpg --list-keys
gpg: please do a --check-trustdb
./keyrings/ubuntu-esm-v2-keyring.gpg
------------------------------------
pub 4096R/4067E40313CB4B13 2019-04-17
uid Ubuntu Extended Security Maintenance Automatic Signing Key v2 <email address hidden>
sub 4096R/349F0F98EF1B9BA3 2019-04-17

$ gpg --no-default-keyring --keyring ./keyrings/ubuntu-esm-v2-keyring.gpg --verify /var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-security_Release{.gpg,}
gpg: Signature made Thu Apr 18 18:15:02 2019 UTC
gpg: using RSA key 4067E40313CB4B13
gpg: please do a --check-trustdb
gpg: Good signature from "Ubuntu Extended Security Maintenance Automatic Signing Key v2 <email address hidden>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 56F7 650A 24C9 E9EC F87C 4D8D 4067 E403 13CB 4B13
$

/var/lib/apt/lists/esm.ubuntu.com_ubuntu_dists_trusty-security_Release{.gpg,} were downloaded by apt via https. The esm.ubuntu.com https endpoint is secured with a certificate issued by cn=Let's Encrypt Authority X3, a CA we have a high degree of confidence in (and is not issued by a random other CA that might have been compromised elsewhere).

This is enough for now.
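
The manual check in the comment above, in scripted form. This is an added example, not part of the original comment or of any Ubuntu tooling: it reads gpg's machine-readable `--status-fd` output instead of the human-readable text and pins the full primary key fingerprint printed in the comment. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: scripted form of the manual check described in the comment.
# Fingerprint as printed in the comment, with the spaces removed.
ESM_V2_FPR=56F7650A24C9E9ECF87C4D8D4067E40313CB4B13

# check_status EXPECTED_FPR   (hypothetical helper)
# Reads gpg --status-fd lines on stdin. Succeeds only if a VALIDSIG line
# names EXPECTED_FPR as the primary key and no line reports a bad, errored
# or expired signature, or an expired or revoked key.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 12 is the primary key fingerprint when gpg reports it;
            # otherwise fall back to the signing key fingerprint (field 3).
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == toupper(want)) ok = 1
            else bad = 1
        }
        END { exit !(ok && !bad) }
    '
}

# verify_release KEYRING SIGFILE DATAFILE [EXPECTED_FPR]   (hypothetical helper)
# Runs the same gpg --verify as in the comment and applies check_status.
verify_release() {
    gpg --no-default-keyring --keyring "$1" --status-fd 1 \
        --verify "$2" "$3" 2>/dev/null | check_status "${4:-$ESM_V2_FPR}"
}

# Constructed sample of the status lines gpg emits for a good signature;
# the timestamp matches the signature date shown in the comment, the
# algorithm fields are illustrative.
sample_status() {
    cat <<'EOF'
[GNUPG:] GOODSIG 4067E40313CB4B13 Ubuntu Extended Security Maintenance Automatic Signing Key v2
[GNUPG:] VALIDSIG 56F7650A24C9E9ECF87C4D8D4067E40313CB4B13 2019-04-18 1555611302 0 4 0 1 10 00 56F7650A24C9E9ECF87C4D8D4067E40313CB4B13
EOF
}
```

With the files from the comment, the call would be `verify_release ./keyrings/ubuntu-esm-v2-keyring.gpg <Release.gpg> <Release>`, which exits non-zero unless the signature is valid and made under the pinned key.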