Comment 12 for bug 857472

Thats a very good point Marc. I get the feeling the other approach (providing a signed version of the keyrigng or a signature file for it) is actually more robust and we should go with that.