basic hash signature question
Ryan Malayter
rmalayter at bai.org
Tue Mar 16 17:33:58 CET 2004
[David Shaw]
>This is a common problem with server-based things - how do you trust
>the server isn't lying?

In this day and age of worm-installed backdoor trojans - and even
compromised Linux source code trees - how do you really know that your
personal workstation isn't lying when it verifies GnuPG signatures?

It's a matter of degrees of trust. Isn't it reasonable to assume, for
instance, that a well-run web server, owned by a security-conscious
organization, with an appropriate SSL certificate, is at least as
trustworthy as the end-user's PC?

Regards,
Ryan