There is also another scenario we should test for. If we decide to add a key to the downloaded keyring, an attacker could then add a duplicate key id for the new key in the spoofed keyring. I'm not sure what gpg would do in that scenario, which key would get parsed first, etc.
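A check that could back the test proposed above, as an added example that is not part of the original comment: it reads a keyring listing in GnuPG's colon format (as printed by `gpg --with-colons --show-keys`), reports any key ID that maps to more than one fingerprint, and lists fingerprints that are not on a pinned allowlist. The sample listing, key IDs, fingerprints and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed fingerprints: 40 hex chars, the last 16 being the long key ID.
FP_OLD = "1" * 24 + "AAAAAAAAAAAA0001"
FP_NEW = "3" * 24 + "BBBBBBBBBBBB0002"
FP_DUP = "2" * 24 + "BBBBBBBBBBBB0002"   # same key ID as FP_NEW, different key

# Constructed sample in the colon-format layout (field 5 = key ID,
# field 10 of an fpr record = fingerprint).
SAMPLE_LISTING = "\n".join([
    "pub:-:4096:1:AAAAAAAAAAAA0001:1500000000:::-:::scESC::::::23::0:",
    f"fpr:::::::::{FP_OLD}:",
    "uid:-::::1500000000::0000::Release Key <release@example.org>::::::::::0:",
    "pub:-:4096:1:BBBBBBBBBBBB0002:1600000000:::-:::scESC::::::23::0:",
    f"fpr:::::::::{FP_NEW}:",
    "pub:-:4096:1:BBBBBBBBBBBB0002:1700000000:::-:::scESC::::::23::0:",
    f"fpr:::::::::{FP_DUP}:",
])


def key_fingerprints(listing):
    """Return (key_id, fingerprint) for every pub/sub record in the listing."""
    keys, pending = [], None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub") and len(fields) > 4:
            pending = fields[4].upper()
        elif fields[0] == "fpr" and pending is not None and len(fields) > 9:
            keys.append((pending, fields[9].upper()))
            pending = None
    return keys


def colliding_key_ids(listing):
    """Map each key ID that resolves to several distinct fingerprints."""
    by_id = defaultdict(set)
    for key_id, fpr in key_fingerprints(listing):
        by_id[key_id].add(fpr)
    return {k: sorted(v) for k, v in by_id.items() if len(v) > 1}


def unpinned_fingerprints(listing, pinned):
    """Fingerprints present in the keyring but absent from the allowlist."""
    allowed = {p.upper() for p in pinned}
    return sorted({f for _, f in key_fingerprints(listing)} - allowed)


if __name__ == "__main__":
    print("colliding key IDs:", colliding_key_ids(SAMPLE_LISTING))
    print("unpinned:", unpinned_fingerprints(SAMPLE_LISTING, {FP_OLD, FP_NEW}))
```

Comparing full fingerprints against a pinned list makes the result independent of the order in which keys appear in the downloaded keyring.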