Comment 47 for bug 125103

Emmet Hikory (persia) wrote :

The fundamental failure of the per-archive signing key system is that the PPA uploader does not control the secret key used to sign the packages. In the event of any compromise of Launchpad, a very large number of keys could be disclosed. While presumably these could all be revoked, reissuing that many keys adds significantly to key pollution in the web of trust.

Aside from possible issues with having secret keys hosted in a centralised location, traditionally each identity registered for a key has been associated with an email address, and many GPG users have developed the assumption that sending an encrypted email to a given identity will allow the recipient to read the message. In the absence of direct control of the secret key, the PPA uploader will be unable to read these messages, which may result in frustration or reduced trust for some communications.

Additionally, it is very much worth considering the case of team PPAs: how are these keys to be generated or applied? How are identities to be defined? Who would sign them?

Note that I am not advocating the case for a single key to sign all PPA archives, but rather just pointing out some of the complications with the per-archive key model. Both are suboptimal, for different reasons.