On Fri, 17 May 2019 at 04:05, Stefan Monnier <monnier@iro.umontreal.ca>
wrote:

> >> No, this setting is to make it easier for the other ELPA archives which
> >> (AFAIK) don't sign their packages (and in any case, Emacs doesn't come
> >> with the keys for those).
> > Perhaps package-check-signatures should be per-repository, so we are
> > warned when the Gnu ELPA signature check fails.
>
> You should be loudly warned already, if you use the default value
> (unless you don't have GPG installed, IIRC).
>

Also, you can get the effect of per-repository package-check-signatures
using
the defcustom 'package-unsigned-archives' ("List of archives where we do not
check for package signatures").