I'm trying to enable GPG verification in /etc/dpkg/dpkg.cfg by removing "no-debsig" in this configuration file:
    # Do not enable debsig-Verify by default; Since the distribution is not using integrated signatures, debsig-verify will reject all packages.
    # no-debsig
Then I tried to download and install some unsigned .deb files on my Ubuntu server, but I can install them normally without any action (reject, warn) later.
So, my question is: assuming that I downloaded a .deb file from the Internet and ran it with "dpkg -i" to install it, how can I verify whether it comes from a reliable source or not? I am using Ubuntu Server 16.04. Thank you!
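
Added example (not part of the original post): a .deb is an ar archive, and the "integrated signatures" that the dpkg.cfg comment refers to are extra members inside that archive. The Python code below lists them, assuming the debsig convention of naming signature members with a `_gpg` prefix (for example `_gpgorigin`); the sample archives are constructed, and finding such a member only shows a signature is present, not that it is valid or trusted.

```python
AR_MAGIC = b"!<arch>\n"

def ar_members(data):
    """Yield (name, size) for each member of an ar archive (a .deb is one)."""
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos < len(data):
        header = data[pos:pos + 60]
        if len(header) < 60 or header[58:60] != b"`\n":
            raise ValueError("corrupt member header at offset %d" % pos)
        name = header[:16].decode("ascii").rstrip(" ").rstrip("/")
        size = int(header[48:58].decode("ascii"))
        if pos + 60 + size > len(data):
            raise ValueError("truncated member %r" % name)
        yield name, size
        pos += 60 + size + (size & 1)  # member data is padded to an even offset

def debsig_members(data):
    """Names of embedded-signature members (assumed '_gpg' prefix).
    An empty list means the package carries no embedded signature."""
    return [name for name, _ in ar_members(data) if name.startswith("_gpg")]

def _member(name, payload):
    # 60-byte ar header: name, mtime, uid, gid, mode, size, end marker.
    header = "%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, 0, 0, 0, "100644", len(payload))
    return header.encode("ascii") + payload + (b"\n" if len(payload) & 1 else b"")

def build_sample(signed):
    """Constructed stand-in for a .deb; payloads are placeholders, not real data."""
    parts = [("debian-binary", b"2.0\n"),
             ("control.tar.gz", b"ctl"),
             ("data.tar.gz", b"data")]
    if signed:
        parts.append(("_gpgorigin", b"placeholder-signature"))
    return AR_MAGIC + b"".join(_member(n, p) for n, p in parts)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # inspect a real file: python3 script.py package.deb
        with open(sys.argv[1], "rb") as fh:
            print(debsig_members(fh.read()) or "no embedded signature members")
    else:
        for signed in (False, True):
            print(signed, debsig_members(build_sample(signed)))
```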