# dependency-management
v
Are you talking about the dependency verification feature? AFAIR it is irrelevant for that whether there are checksums in the repository or not. You calculate checksums locally and store them in the verification data when updating it, and the check is against those. The point of dependency verification is that a compromised repository cannot change those artifacts (maybe including the checksum files) to serve you altered artifacts without you noticing, so depending on the published checksums would not help there anyway.
k
Yep, I'm referring to dependency verification. Yep, I realise checksums are first computed locally and stored. The questions refer to the signature verification side, and to not applying it when signatures cannot be expected (or are not needed).
(My understanding is that the answer is "No" currently to both questions!)
v
Why do you actually need / want to disable signature verification for specific repositories? It is only done if an `.asc` file is actually found for the dependency; if none is found, it only does checksum verification automatically.
And regarding sources and javadoc jars, if you don't want to verify them, you can disable it like shown at https://docs.gradle.org/current/userguide/dependency_verification.html#sec:skipping-javadocs
k
re: 1. specific repos, to save requests for an `.asc` that won't exist. re: 2. docs, yep, this is already set; however, signature verification still seems to occur (at least, the `.asc` download is attempted) even if checksum verification does not.
v
re 1.: I haven't really used dependency verification so far, besides some playing around. But AFAIK you cannot configure something depending on the repository it comes from. But if you know which artifacts / groups are resolved from that repository, you could just define those artifacts as trusted? re 2.: As far as I understood the docs, both should be skipped, but maybe I got that wrong or it has a bug. Maybe you should open feature requests for repo-specific configuration and / or disabling signature verification for specific artifacts if it really is not possible. 🙂