[Catalog-sig] How to verify cheeseshop signatures?

"Martin v. Löwis" martin at v.loewis.de
Sun Oct 23 19:07:09 CEST 2005


Phillip J. Eby wrote:
> 
>> Jp Calderone wrote:
>> > The required key is indicated in the message.  You just need to 
>> retrieve it:
>> >
>> > gpg --import 41C6E930
>> >
>> > Re-running --verify should now work.
> 
> 
> It doesn't.  I get "gpg: can't open `41C6E930': No such file or directory".

It's not --import, but --recv-keys. I get

martin at mira:~$ gpg --recv-keys 41C6E930
gpg: requesting key 41C6E930 from hkp server wwwkeys.pgp.net
gpg: key 41C6E930: "Richard Jones <richard at commonground.com.au>" 31 new signatures
gpg: public key CA66D0B1 is 24595 seconds newer than the signature
gpg: public key CA66D0B1 is 24557 seconds newer than the signature
gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0  valid:   3  signed:  40  trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: public key CA66D0B1 is 24557 seconds newer than the signature
gpg: depth: 1  valid:  40  signed: 120  trust: 36-, 0q, 0n, 0m, 4f, 0u
gpg: depth: 2  valid:  60  signed: 151  trust: 53-, 0q, 0n, 0m, 7f, 0u
gpg: depth: 3  valid:  29  signed:  78  trust: 26-, 0q, 0n, 0m, 3f, 0u
gpg: depth: 4  valid:   6  signed:   8  trust: 5-, 0q, 0n, 1m, 0f, 0u
gpg: next trustdb check due at 2005-11-13
gpg: Total number processed: 1
gpg:               new signatures: 31


> So, from a practical perspective, the current signature implementation 
> is of no use whatsoever to the vast majority of cheeseshop users.

I can't speak for the vast majority of the cheeseshop users; the vast
majority of regular GPG users who ever signed somebody else's key is
probably able to find a chain of trust to Richard Jones.

> It seems like it would make more sense to use a format that includes a 
> certificate signature chain (as with Ruby Gems).  Having to manually 
> track the keys of individual authors sort of goes against the whole point.

Why is that any better? Where do I get a code-signing certificate from?

Regards,
Martin
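The procedure Martin describes above (run --verify, read the key ID out of gpg's complaint, --recv-keys it, verify again) is easy to get wrong by hand and easy to over-trust: a "Good signature" line only says the file was signed by some key with that ID, while the trust-model lines in his output are what decide whether the key is believed to belong to Richard Jones. The following script is an added example, not code from this thread or from the cheeseshop; it drives gpg through its machine-readable --status-fd output, fetches a missing key once and retries, and refuses a package unless the key is fully or ultimately trusted. It assumes a gpg binary on PATH; the key server is left to the caller because the hkp server named in Martin's output is not assumed to still exist, and the sample status lines at the bottom are constructed (the fingerprint is a placeholder, and gpg normally prints the 16-digit long key ID there).

```python
"""Verify a detached GnuPG signature, fetching a missing key and retrying,
using gpg's --status-fd output instead of scraping its human-readable text.
Added example; assumes 'gpg' on PATH and a caller-supplied key server."""
import subprocess
import sys
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

STATUS_PREFIX = "[GNUPG:] "                     # every --status-fd line starts like this
ACCEPTABLE_TRUST = {"TRUST_FULLY", "TRUST_ULTIMATE"}


@dataclass
class VerifyResult:
    good: bool = False                  # GOODSIG: signature is cryptographically valid
    key_id: Optional[str] = None        # key ID gpg reports for the signature
    missing_key: Optional[str] = None   # NO_PUBKEY: the key we still have to fetch
    fingerprint: Optional[str] = None   # VALIDSIG: full fingerprint of the signing key
    trust: Optional[str] = None         # TRUST_UNDEFINED ... TRUST_ULTIMATE
    problems: List[str] = field(default_factory=list)  # BADSIG, EXPKEYSIG, REVKEYSIG, EXPSIG


def parse_status(lines) -> VerifyResult:
    """Reduce gpg --status-fd lines to a VerifyResult; other lines are ignored."""
    r = VerifyResult()
    for raw in lines:
        if not raw.startswith(STATUS_PREFIX):
            continue
        fields = raw[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        tag, args = fields[0], fields[1:]
        if tag == "NO_PUBKEY":
            r.missing_key = args[0]
        elif tag == "GOODSIG":
            r.good, r.key_id = True, args[0]
        elif tag == "VALIDSIG":
            r.fingerprint = args[0]
        elif tag in ("BADSIG", "EXPKEYSIG", "REVKEYSIG", "EXPSIG"):
            r.key_id = args[0] if args else r.key_id
            r.problems.append(tag)
        elif tag == "ERRSIG" and args:      # ERRSIG <keyid> <pkalgo> <hashalgo> <class> <time> <rc>
            r.key_id = args[0]
        elif tag.startswith("TRUST_"):
            r.trust = tag
    return r


def decide(r: VerifyResult, require_trust: bool = True) -> str:
    """Return 'accept', 'reject' or 'fetch-key' (the case in the thread)."""
    if r.problems:
        return "reject"
    if r.missing_key:
        return "fetch-key"
    if not r.good:
        return "reject"
    # GOODSIG only proves the bytes were signed by *a* key with this ID; whether
    # that key is really the author's is the web-of-trust verdict gpg reports.
    if require_trust and r.trust not in ACCEPTABLE_TRUST:
        return "reject"
    return "accept"


def run_gpg(args: List[str]) -> List[str]:
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", *args],
                          capture_output=True, text=True)
    return proc.stdout.splitlines()


def verify_file(sig_path: str, data_path: str, keyserver: Optional[str] = None,
                require_trust: bool = True) -> Tuple[str, VerifyResult]:
    """gpg --verify; on NO_PUBKEY do one --recv-keys and verify again."""
    r = parse_status(run_gpg(["--verify", sig_path, data_path]))
    if decide(r, require_trust) == "fetch-key":
        fetch = ["--recv-keys", r.missing_key]
        if keyserver:
            fetch = ["--keyserver", keyserver, *fetch]
        run_gpg(fetch)
        r = parse_status(run_gpg(["--verify", sig_path, data_path]))
    return decide(r, require_trust), r


# Constructed status output in gpg's format, for offline demonstration only.
SAMPLE_NO_KEY = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] ERRSIG 41C6E930 17 2 00 1130000000 9",   # rc 9: no public key
    "[GNUPG:] NO_PUBKEY 41C6E930",
]
SAMPLE_GOOD_UNTRUSTED = [
    "[GNUPG:] GOODSIG 41C6E930 Richard Jones <richard at commonground.com.au>",
    "[GNUPG:] VALIDSIG FINGERPRINT_PLACEHOLDER 2005-10-23 1130000000 0 3 0 17 2 00",
    "[GNUPG:] TRUST_UNDEFINED",
]
SAMPLE_GOOD_TRUSTED = SAMPLE_GOOD_UNTRUSTED[:2] + ["[GNUPG:] TRUST_FULLY"]
SAMPLE_BADSIG = ["[GNUPG:] BADSIG 41C6E930 Richard Jones <richard at commonground.com.au>"]

if __name__ == "__main__":
    ks = sys.argv[3] if len(sys.argv) > 3 else None
    verdict, res = verify_file(sys.argv[1], sys.argv[2], keyserver=ks)
    print(verdict, res)
    sys.exit(0 if verdict == "accept" else 1)
```

Usage is `python verify.py package.tar.gz.asc package.tar.gz [keyserver]`. Passing `require_trust=False` reproduces the bare "good signature" check, which is exactly the setting in which a freshly fetched, unverified key gives a false sense of security.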

