I've got a recipe to download the various GPG components and build them.
I fetched the GPG signer's public key block from
https://www.gnupg.org/signature_key.html. It's saved as gpg-signers.pem. I
actually took the extra time to download the block over 3G in the [extremely]
unlikely case my local wired connection was tampered with.
I'm amazed that I can't actually verify a component using the component's
signature and the signer's public key block from the command line. The net
effect was I commented out the signature check because I've wasted far too much
time on it already. (Out of band fetch, grepping the man pages, searching the
web, etc.).
I think it would be much better if the tools matched the user's work flow, and
allowed them to verify a signature without the extra work. I mean, it's a public
key for god's sake. Why is someone forced to put it into a keychain they don't
have or care about? How is it safer than sitting in ~/ with proper ACLs?
I don't know how to rate the priority/severity of the bug. If people don't use
the software because it's hard to use, then it seems like a pretty severe
problem. Perhaps others might claim "un-usability" would be classified as a wish
list item. I don't really know.
To place it in perspective, I sent fewer than 12 encrypted emails last year
(probably closer to 6) because I don't want to be hassled. If it was easy to use
and matched my workflow, then I would have probably sent hundreds just to create
spurious noise for NSA and GCHQ to analyze.
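
Added example, not part of the original report and not GnuPG project code: one way to check a detached signature against a public key block kept in an ordinary file, using `gpgv` and a throwaway working directory so nothing is imported into `~/.gnupg`. It assumes the key file is ASCII-armored (like the `gpg-signers.pem` described above); the function name and the file names in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: verify a detached signature with a key block stored in a
# plain file, without importing it into the user's own keyring.
#
# usage: verify_with_keyfile KEYFILE SIGFILE DATAFILE
#   e.g. verify_with_keyfile gpg-signers.pem COMPONENT.tar.bz2.sig COMPONENT.tar.bz2
#        (COMPONENT.* are placeholder names)
#
# On success prints the signer's primary-key fingerprint and returns 0.
# gpgv treats every key in the keyring it is handed as trusted, so the
# printed fingerprint still has to be compared with the published one.
verify_with_keyfile() {
    keyfile=$1; sigfile=$2; datafile=$3
    work=$(mktemp -d) || return 2
    chmod 700 "$work"

    # Convert the armored block into a binary keyring gpgv can read.
    # --homedir keeps gpg from creating or touching ~/.gnupg.
    if ! gpg --homedir "$work" --batch --yes --output "$work/signer.gpg" \
             --dearmor "$keyfile" 2>/dev/null; then
        rm -rf "$work"
        return 2
    fi

    # gpgv exits 0 only when the signature verifies against that keyring.
    if status=$(gpgv --homedir "$work" --keyring "$work/signer.gpg" \
                     --status-fd 1 "$sigfile" "$datafile" 2>/dev/null); then
        rc=0
        # The last field of the VALIDSIG status line is the fingerprint
        # of the primary key that owns the signing key.
        printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF }'
    else
        rc=1
    fi

    rm -rf "$work"
    return $rc
}
```

In a build recipe, the call can gate the build step directly, with the printed fingerprint compared against a value pinned in the recipe.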