Comment 68 for bug 24061

David Kalnischkies (donkult) wrote :

The idea is that even if the signature can't be checked (= key is not in the keyring) that we still use the Release file to decide which files to download (e.g. pdiffs/translations available?) and use the Hashsums for checking. The later doesn't provide a good trust path, but playing man-in-the-middle is a bit harder this way and we can detect download failures. The commits adding this should have some more reasons for it included (i don't have the source handy currently for quoting)

So what we should do is discard the (In)Release file in some cases (bad signature) and keep it in others (key not in keyring).