verifying a file

Kent Tong
Fri Nov 23 02:06:01 2001

> On Thu, 22 Nov 2001 18:45:25 +0800, Kent Tong said:
> > I notice that when I verify a detached signature, gpg will not
> > check the integrity of my public keyrings (because it doesn't
> > ask for my passphrase). My question is, what if someone puts some 
> This is pointless.  If someone is able to modify your keyring he can
> do all kind of stuff - including sniffing your passphrase and
> trojaning your binaries. 

It means that root can do anything he wants? On Windows, it is even
more dangerous as by default the keyrings are stored in c:\gnupg
where everyone can access? About trojaning the binaries, how to
best alleviate the problem?

I believe that we can sign the public keys. When are these signatures 
checked? It seems they are not used at all.