What to do about package-index signatures?

[This message of sheer frustration is dedicated to PGP inc and the US goverment] I really don't know. I am tempting to suggest switching it off[1]. With the new patch one can use mailcryptng to verify the signature, but making sure that a failure realy indicates a fake index seems close to impossible at the moment. A prompt "Package signature validation failed. Continue?" seems like asking for trouble to me. Also, all these prompts can come at the weirdest moments (since the package-get code gets invoked behind the users back sometimes). sigh. Jan Footnotes: [1] At least for 21.1.x until after a rethink.