Comment 4 for bug 1013681

As I recall, we didn't go this route the first time around because we wanted to avoid changing the server-side interface. But if trying to check this securely is a case of being nibbled to death by cats, I think it makes sense to revisit this. So I have no objection to using a gpg-verified keyring object here.