Comment 7 for bug 1013681

I'm fine with the signed-keyring-file approach too, although I haven't confirmed that there are no attacks possible on the code used to verify *that* signature.