[This message of sheer frustration is dedicated to PGP Inc. and the US
government]
I really don't know. I am tempted to suggest switching it off[1]. With
the new patch one can use mailcryptng to verify the signature, but
making sure that a failure really indicates a fake index seems close to
impossible at the moment.
A prompt "Package signature validation failed. Continue?" seems like
asking for trouble to me.
Also, all these prompts can come at the weirdest moments (since the
package-get code gets invoked behind the user's back sometimes).
sigh.
Jan
Footnotes:
[1] At least for 21.1.x until after a rethink.