Comment 2 for bug 410745

Robin Munn (rmunn) wrote :

Personally, I don't use the fingerprints shown by Launchpad as a way of verifying the keys. As you indirectly point out, if someone's managed to substitute his own key for the official PPA key on Launchpad's servers, it will dutifully hand me the fingerprint of the fake key. That's what GPG key signatures are designed for -- to provide a second source, via a different channel, of authenticating the key you just received.

Now, as you correctly point out, if I sign the PPA key, it adds little to the key's trust. You don't know me from Adam, and you have no particular reason to trust me. For all you know, I'm in cahoots with an attacker, knowingly signing a fake key in the hopes of fooling others into trusting it, downloading Trojaned software, and having their machines compromised.

What this hypothetical attacker can NOT do, though, is get the signatures of the Bazaar maintainers on his fake key. Their signature(s) on the PPA key would add a lot more trust. They're the ones creating the packages in the first place, so you're already trusting them with your computer's security when you install the packages they created. (In other words, if they're in cahoots with the hypothetical attacker, you've already been compromised). Therefore if they were to give their official "stamp of approval" on the PPA signing key by signing it with their own keys, I'd be confident that it's genuine.

Perhaps I'm being over-cautious here, guarding against a very improbable attack scenario. But the minute I type "sudo apt-key add XYZ", I'm allowing any package signed by key XYZ to be installed on my computer without any further prompting. Before I do that, I'd at least like to *know* that key XYZ wasn't created ten minutes ago by J. Random Hacker working in the basement lab of Dr. Evil's lair. :-) Checking the fingerprint provided by Launchpad can't prove that to me, but checking a GPG signature (or ten) by the member(s) of the official Bazaar team can prove it.
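The check the comment argues for, in code: before trusting a PPA key, look at who has certified it rather than at the fingerprint Launchpad hands you. This is an added example, not code from the comment or from Launchpad; it parses `gpg --with-colons --list-sigs` output, and every key ID and user ID in the sample listing is a constructed placeholder.

```python
"""Decide whether to trust a PPA signing key from who has signed it.

Added example, not code from the Launchpad comment or from Launchpad itself.
It parses the machine-readable output of `gpg --with-colons --list-sigs KEYID`
(per GnuPG's doc/DETAILS: field 1 is the record type, field 5 the key ID of the
key or of the signer). The listing and key IDs below are constructed placeholders.
"""

# Constructed sample listing: a PPA key with its self-signature, one signature
# from a maintainer's key, and one from an unknown key.
SAMPLE_LISTING = """\
pub:-:4096:1:PPAKEY0000000001:1249000000:::-:::scESC::::::23::0:
uid:-::::1249000000::0000::Launchpad PPA for Bazaar (constructed)::::::::::0:
sig:::1:PPAKEY0000000001:1249000000::::Launchpad PPA for Bazaar (constructed):13x:::::2:
sig:::1:MAINT00000000001:1249100000::::Maintainer One (constructed):10x:::::2:
sig:::1:RANDOM0000000099:1249200000::::J. Random Hacker (constructed):10x:::::2:
"""


def parse_signers(listing):
    """Return (key_id, signer_ids): third-party key IDs that certified the key.

    Self-signatures are skipped; a signer whose certification was revoked
    (a `rev` record) is dropped.
    """
    key_id, signers, revoked = None, set(), set()
    for line in listing.splitlines():
        fields = line.split(":")
        if len(fields) < 5:
            continue
        rectype, signer = fields[0], fields[4]
        if rectype == "pub":
            key_id = signer
        elif rectype == "sig" and signer != key_id:
            signers.add(signer)
        elif rectype == "rev":
            revoked.add(signer)
    return key_id, signers - revoked


def trusted_endorsements(listing, trusted_ids):
    """Trusted maintainer key IDs that actually signed the key."""
    return sorted(parse_signers(listing)[1] & set(trusted_ids))


def should_add_key(listing, trusted_ids, quorum=1):
    """True only if at least `quorum` trusted maintainers signed the key;
    signatures from keys you do not already trust add nothing."""
    return len(trusted_endorsements(listing, trusted_ids)) >= quorum
```

Feed it the real listing of the key you are about to import and the key IDs of the maintainers you already rely on; a signature from an unknown key counts for nothing, which is the comment's point.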