A bug recently reported in Ubuntu GNU/Linux is that apt-key fails to properly check the package-signing keys it downloads from an Ubuntu repository. Debian has the same faulty code, but thankfully it is disabled there.
On a Debian GNU/Linux system:
    $ grep URI /usr/bin/apt-key
    # update the current archive signing keyring from a network URI
    if [ -z "$ARCHIVE_KEYRING_URI" ]; then
    (cd /var/lib/apt/keyrings; wget -q -N $ARCHIVE_KEYRING_URI)
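The manual grep above can be turned into a repeatable check that reports whether the network keyring download in an apt-key style script has a URI to fetch. This is an added example, not code from apt or from the original post. The function name `keyring_uri_status`, its status labels and the `example.invalid` URI are assumptions, and the sample scripts are constructed.

```shell
#!/bin/sh
# Added example: classify the network keyring update in an apt-key style script.
# Prints: absent | disabled | enabled-no-tls | enabled-https | unreadable
keyring_uri_status() {
    script=$1
    [ -r "$script" ] || { echo "unreadable"; return 2; }

    # No mention of the variable: the net-update code is not in this script.
    grep -q 'ARCHIVE_KEYRING_URI' "$script" || { echo "absent"; return 0; }

    # Take the last uncommented assignment, then drop quotes and anything
    # after the value (a URI contains no whitespace).
    uri=$(sed -n 's/^[[:space:]]*ARCHIVE_KEYRING_URI=//p' "$script" |
          tail -n 1 | tr -d "\"'" | sed 's/[[:space:]].*$//')

    case $uri in
        '')        echo "disabled" ;;        # code present, nothing to fetch
        https://*) echo "enabled-https" ;;
        *)         echo "enabled-no-tls" ;;  # any scheme other than https
    esac
}

# Constructed samples (not real copies of apt-key).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# The same three lines the Debian grep prints: no assignment anywhere.
cat > "$tmp/debian" <<'EOF'
# update the current archive signing keyring from a network URI
if [ -z "$ARCHIVE_KEYRING_URI" ]; then
(cd /var/lib/apt/keyrings; wget -q -N $ARCHIVE_KEYRING_URI)
EOF

# Hypothetical script with the URI set; the host is a placeholder.
cat > "$tmp/enabled" <<'EOF'
ARCHIVE_KEYRING_URI="http://archive.example.invalid/keyring.gpg"
(cd /var/lib/apt/keyrings; wget -q -N $ARCHIVE_KEYRING_URI)
EOF

# Assignment left in place but commented out.
cat > "$tmp/commented" <<'EOF'
#ARCHIVE_KEYRING_URI=http://archive.example.invalid/keyring.gpg
wget -q -N $ARCHIVE_KEYRING_URI
EOF

for f in debian enabled commented; do
    printf '%-10s %s\n' "$f" "$(keyring_uri_status "$tmp/$f")"
done
```

On a real system the function would be pointed at `/usr/bin/apt-key`, the same file the grep inspects.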
On an Ubuntu GNU/Linux system: