https://bugs.winehq.org/show_bug.cgi?id=53356
--- Comment #18 from jkfloris@dds.nl --- This is less secure. As explained in Debian Bug 851774 [1]:
[quote] I think that extra repositories should *not* have their keys added to /etc/apt/trusted.gpg.d/*.gpg ("the fragment directory") by default, since that authorizes the extra key to make valid signatures for the main archive.
If the extra repo has its own key, it should be authorized to make signatures only for the extra repo, and nothing else (similarly, the official Debian archive keys *shouldn't* be authorized to make signatures for the extra repo).
So if we're talking about adding extra repositories for a Debian stretch installer, as I said over on #853858:
for Debian 9 ("stretch") and later, you should place these keys (in binary form) someplace within /usr/local/share/keyrings/ and add a "Signed-By:" option to the relevant apt sources (see sources.list(5)). [/quote]
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?att=0;bug=851774;msg=31
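The quoted advice describes two things: keep a third-party key out of the fragment directory /etc/apt/trusted.gpg.d/ (where it would be accepted for the main archive too), and bind it to one source with a Signed-By option. The script below is an added example, not code from the Wine bug, the Debian bug or either project; it builds a one-line sources.list entry scoped with `signed-by=`, dearmors a key into the binary form apt expects, and audits a sources file for entries that carry no `signed-by=` (those are verified against every key in the fragment directory). The repository URL `https://example.invalid/extra` and the keyring path `/usr/local/share/keyrings/extra.gpg` are placeholders; the sample sources file is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the bug reports): scope an apt repository to one
# keyring with signed-by, and audit a sources file for entries that lack it.
# Repository names and keyring paths below are hypothetical placeholders.

# Build a one-line sources.list entry that binds the repo to a single keyring.
# Usage: apt_source_line KEYRING URL SUITE COMPONENT...
apt_source_line() {
    keyring=$1; url=$2; suite=$3
    shift 3
    printf 'deb [signed-by=%s] %s %s %s\n' "$keyring" "$url" "$suite" "$*"
}

# Convert an ASCII-armored key into the binary form apt expects and place it
# outside /etc/apt/trusted.gpg.d/, so it is never accepted for other sources.
# Usage: install_scoped_key ARMORED_KEY_FILE DEST_KEYRING
install_scoped_key() {
    gpg --dearmor < "$1" > "$2"
    chmod 0644 "$2"
}

# Print every active deb/deb-src line in a sources file that has no signed-by
# option; such entries accept a signature from any key in the fragment
# directory. Exit status 1 if any were found, 0 otherwise.
# Usage: unscoped_entries SOURCES_FILE
unscoped_entries() {
    awk '/^[[:space:]]*deb(-src)?[[:space:]]/ && !/signed-by=/ { print; found = 1 }
         END { exit found ? 1 : 0 }' "$1"
}

# Constructed sample sources file used by the demo: one entry for the main
# archive, one unscoped extra repo, and the same extra repo done correctly.
# (The main archive can be pinned the same way, to the keyring shipped by the
# debian-archive-keyring package, /usr/share/keyrings/debian-archive-keyring.gpg.)
make_sample_sources() {
    cat > "$1" <<'EOF'
deb http://deb.debian.org/debian bookworm main
# deb-src http://deb.debian.org/debian bookworm main
deb https://example.invalid/extra stable main
deb [signed-by=/usr/local/share/keyrings/extra.gpg] https://example.invalid/extra stable main
EOF
}

main() {
    tmp=$(mktemp)
    make_sample_sources "$tmp"
    echo "Entries that accept any key in /etc/apt/trusted.gpg.d:"
    unscoped_entries "$tmp" || echo "(fix these by adding [signed-by=/path/to/keyring.gpg])"
    echo "Scoped entry for the extra repo:"
    apt_source_line /usr/local/share/keyrings/extra.gpg https://example.invalid/extra stable main
    rm -f "$tmp"
}

main "$@"
```

Run it with `sh script.sh`; the audit prints the two unscoped lines from the constructed file and the correctly scoped replacement. The same check can be pointed at a real /etc/apt/sources.list or any file under /etc/apt/sources.list.d/ to find entries still relying on the shared fragment directory. The dearmor step only matters for keys distributed in ASCII-armored form; a key already in binary form can be copied into /usr/local/share/keyrings/ directly.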