Package: apt Version: 1.4.8 Followup-For: Bug #872543I saw a similar thing on one of my systems. It looks like if the InRelease file is already downloaded, setting trusted=yes won't override the signature check.
Removing /var/lib/apt/lists/archive.cloudera.com_* and running apt update again seems to resolve this situation (without fixing the underlying bug).