In some cases you will find a package in an Ubuntu repository that is not signed by the maintainer. These packages can't be verified for authenticity. Without a signature there is no way for the system to determine if they are safe to use.
In other cases you will find a package that has been signed using the private key of the maintainer. By default you will not find the matching public key in your keyring - the Debian / Ubuntu people can't really be expected to ship CDs containing every possible public key.
In this case all you need are the public keys to verify the authenticity of the package. To get them you need to install the Debian keyring packages. The command to do so is below - but be careful when you run it (see below).
apt-get install debian-keyring debian-archive-keyring
Sadly - when I installed these packages I found that they also were not signed! As a result there is a chance that somebody threw in a public key that should not be trusted.
Ideally each package should be signed by somebody who is trusted by the Debian or Ubuntu people. That package should then be verified and re-signed by somebody from Debian or Ubuntu. That way it would always be possible to find the necessary keys in the default installation. Failing that, there should be a way to get the keys safely (i.e., the keyring packages should be signed). The last resort would probably be to post an MD5 sum on the web site for the original software package - but then again there's little chance that anybody would realistically be expected to find and verify the hash values manually.
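The manual hash check mentioned above can be scripted. This added example (not part of the original post) checks a downloaded file against a record laid out like an apt Packages index stanza, using its Size and SHA256 fields rather than MD5; the package name example-keyring, the file and the stanza are constructed, and it assumes the record itself came from a source you already trust.

```shell
#!/bin/sh
# Added example (not from the original post). Sample file, stanza and the
# package name example-keyring are constructed.

# Print the value of one field (e.g. Size, SHA256) from a stanza on stdin.
stanza_field() {
    awk -v key="$1" -F': ' '$1 == key { print $2; exit }'
}

# verify_deb STANZA DEB: 0 = size and SHA256 match, 1 = mismatch,
# 2 = the stanza lacks a Size or SHA256 field (treat as unverifiable).
verify_deb() {
    want_size=$(stanza_field Size < "$1")
    want_sha=$(stanza_field SHA256 < "$1")
    [ -n "$want_size" ] && [ -n "$want_sha" ] || return 2
    got_size=$(wc -c < "$2" | tr -d ' ')
    got_sha=$(sha256sum "$2" | awk '{ print $1 }')
    [ "$got_size" = "$want_size" ] || return 1
    [ "$got_sha" = "$want_sha" ] || return 1
    return 0
}

# Write the constructed sample into directory $1: a 3-byte stand-in for a
# .deb and a stanza whose Size and SHA256 describe exactly those bytes.
make_sample() {
    printf 'abc' > "$1/example-keyring_1.0_all.deb"
    cat > "$1/stanza" <<'EOF'
Package: example-keyring
Version: 1.0
Filename: pool/main/e/example-keyring/example-keyring_1.0_all.deb
Size: 3
SHA256: ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
EOF
}

dir=$(mktemp -d)
make_sample "$dir"
deb="$dir/example-keyring_1.0_all.deb"
verify_deb "$dir/stanza" "$deb" && echo "match: file is the one the record describes"
printf 'abd' > "$deb"    # simulate a file altered after publication
verify_deb "$dir/stanza" "$deb" || echo "MISMATCH: do not install"
rm -rf "$dir"
```

A return code of 2 means the record had nothing to compare against, which should be handled the same way as a mismatch.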