For the Cygwin installer at work I've locked down setup to not accept nor read in extra keys and to always check the signatures (and exit when there is no signature present). Of course I've also changed the built-in key.
If there's general interest in such a modification I'd offer to develop that patch into a proper configure option. Also, the documentation of how to extract the key data has bit-rotted somewhat, I've been using the gpg to extract the key parameters. Regards, Achim. -- +<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+ Wavetables for the Terratec KOMPLEXER: http://Synth.Stromeko.net/Downloads.html#KomplexerWaves