apt-add-repository validates that the key that was downloaded is the
right one before importing it; it doesn't blindly trust the key that gpg
downloaded from the keyserver.

This is wishlist simply because it's security hardening. I will include
it in the next gnupg security upload.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to gnupg in Ubuntu.
https://bugs.launchpad.net/bugs/1409117

Title:
  GPG does not verify keys received when using --recv-keys leaving
  communication with key servers vulnerable to MITM

Status in GNU Privacy Guard:
  Unknown
Status in gnupg package in Ubuntu:
  Fix Released
Status in gnupg2 package in Ubuntu:
  Fix Released
Status in gnupg source package in Lucid:
  Confirmed
Status in gnupg2 source package in Lucid:
  Confirmed
Status in gnupg source package in Precise:
  Confirmed
Status in gnupg2 source package in Precise:
  Confirmed
Status in gnupg source package in Trusty:
  Confirmed
Status in gnupg2 source package in Trusty:
  Confirmed
Status in gnupg source package in Utopic:
  Confirmed
Status in gnupg2 source package in Utopic:
  Fix Released
Status in gnupg source package in Vivid:
  Fix Released
Status in gnupg2 source package in Vivid:
  Fix Released
Status in gnupg package in Debian:
  Unknown

Bug description:
  The patch from http://bugs.gnupg.org/gnupg/issue1579 is critical and
  should be backported to 12.04; right now, it is not.

  This leaves 12.04 users of GPG2 vulnerable to MITM attacks on gpg2
  --recv-keys. See https://evil32.com/ for an example (the text that is
  struck out; the gpg2 package on 12.04 is still vulnerable).
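
The check discussed in this report (confirm that the key a keyserver returned is the one that was requested, and only then import it), as an added shell example that is not code from the bug report, apt-add-repository or GnuPG. The function names are hypothetical, the default keyserver URL is an assumption, and a 40-hex-digit (v4) fingerprint is assumed.

```shell
# Added example: verify a fetched key against the requested full fingerprint.

# primary_fprs: read `gpg --with-colons` output on stdin and print the
# fingerprint of each primary key (the fpr record that follows a pub record).
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print toupper($10); want = 0 }
    '
}

# listing_matches EXPECTED: succeed only if stdin lists exactly one primary
# key and its fingerprint equals EXPECTED.
listing_matches() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    # Refuse short and long key IDs: only a full fingerprint is accepted.
    printf '%s' "$expected" | grep -Eq '^[0-9A-F]{40}$' || return 2
    found=$(primary_fprs)
    # Exactly one primary key may come back; extra keys are rejected too.
    [ "$(printf '%s\n' "$found" | grep -c .)" -eq 1 ] || return 1
    [ "$found" = "$expected" ]
}

# fetch_verified FPR [KEYSERVER]: fetch into a throwaway GnuPG home, verify
# there, and only then import into the real keyring. Needs gpg and network.
fetch_verified() {
    fpr=$1
    server=${2:-hkps://keyserver.ubuntu.com}   # assumed default keyserver
    tmp=$(mktemp -d) || return 1
    if gpg --homedir "$tmp" --batch --keyserver "$server" --recv-keys "$fpr" &&
       gpg --homedir "$tmp" --batch --with-colons --fingerprint |
           listing_matches "$fpr"
    then
        gpg --homedir "$tmp" --batch --export "$fpr" | gpg --batch --import
        rc=$?
    else
        echo "refusing to import: fetched key does not match $fpr" >&2
        rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}
```

Nothing runs when the file is sourced; call `fetch_verified` with the full fingerprint obtained from a trusted channel.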
