Hi,

I just noted that the current implementation of srebuild [0] calls apt-get install with --force-yes which (as far as I remember) ignores signature verification errors.

HW42

[0]: https://anonscm.debian.org/cgit/reproducible/sbuild.git/tree/bin/srebuild-hook?h=pu/reproducible_builds#n110