On Tue, 14 May 2019 at 22:08, Stefan Monnier <monnier@iro.umontreal.ca> wrote:
> The signature checking has never worked anyway, though.

Maybe not for you, but it's supposed to work, and AFAIK it works for
many people.

Oh, sorry. I always assumed this was why package-check-signatures defaulted
to allow-unsigned.
 
> Will having a newer signature make a difference? If I rename my
> .emacs.d/ and run "emacs" (master), then "M-x package-list", I get this:
>
> Failed to verify signature archive-contents.sig:
> Bad signature from 474F05837FBDEF9B GNU ELPA Signing Agent (2014) <elpasign@elpa.gnu.org>
> Command output:
> gpg: Signature made 05/14/19 10:10:03 GMT Summer Time
> gpg:                using DSA key CA442C00F91774F17F59D9B0474F05837FBDEF9B
> gpg: BAD signature from "GNU ELPA Signing Agent (2014) <elpasign@elpa.gnu.org>" [unknown]
>
> This is on Windows, with gpg 2.2.11 on the path.

Sounds like a bug.  Could you report it as such, so we can track it
(and hopefully fix it for 26.3)?