(Sorry for the cc's; sometimes the list seems to eat my mails...)

It's quite possible to generate a key with a duplicate 32-bit hash; a mischievous person could then upload that to the keyserver. Since apt-key doesn't do any web-of-trust verification, apt-key would happily accept the bogus key.

Instead, it'd be best to use the full fingerprint:

    gpg --export 27034F81A2EB2840A4386C09EA8E8B2116BA136C | apt-key add -
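
The check the message argues for, as an added example that is not part of the original mail: compare the full 40-digit fingerprint of what you are about to import, never the 8-digit short ID. The listing is constructed in the style of `gpg --with-colons` output; only the first fingerprint comes from the message, the second fingerprint, the dates, key sizes and uid are made up, and the function names are hypothetical.

```shell
#!/bin/sh
# Fingerprint quoted in the message above.
EXPECTED_FPR=27034F81A2EB2840A4386C09EA8E8B2116BA136C

# Constructed sample in `gpg --with-colons` style: two primary keys whose
# fingerprints end in the same 8 hex digits (identical 32-bit short ID).
# The second fingerprint is invented for illustration.
sample_listing() {
cat <<'EOF'
pub:-:4096:1:EA8E8B2116BA136C:1262304000:::-:::scESC:
fpr:::::::::27034F81A2EB2840A4386C09EA8E8B2116BA136C:
uid:-::::1262304000::X::Constructed Archive Key <archive@example.org>:
pub:-:2048:1:0123456716BA136C:1388534400:::-:::scESC:
fpr:::::::::DEADBEEF00112233445566770123456716BA136C:
uid:-::::1388534400::X::Constructed Archive Key <archive@example.org>:
EOF
}

# Print every primary-key fingerprint whose last 8 hex digits equal $1.
# More than one line of output means the short ID is ambiguous.
fprs_for_short_id() {
    awk -F: -v id="$1" '
        $1 == "pub" || $1 == "sub" { rec = $1 }
        $1 == "fpr" && rec == "pub" {
            if (toupper(substr($10, length($10) - 7)) == toupper(id)) print $10
        }'
}

# Succeed only if the listing on stdin holds exactly one primary key and its
# full fingerprint equals $1. Subkey fingerprints are ignored.
only_expected_fpr() {
    awk -F: -v want="$1" '
        $1 == "pub" || $1 == "sub" { rec = $1 }
        $1 == "fpr" && rec == "pub" { n++; if (toupper($10) == toupper(want)) ok = 1 }
        END { exit !(n == 1 && ok) }'
}

echo "Keys matching short ID 16BA136C:"
sample_listing | fprs_for_short_id 16BA136C

if sample_listing | only_expected_fpr "$EXPECTED_FPR"; then
    echo "listing contains only the expected key"
else
    echo "refusing: listing is not exactly the expected key"
fi
```

In real use the listing would come from gpg's colon-format output for the file or keyring being imported rather than from `sample_listing`.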