Closed postmodern closed 11 years ago
I probably have several hundred keys in ~/.gnupg that have built up over the years and it doesn't cause any problems.
To me it seems like a feature and not a bug that I have the same Web of trust (trustdb.gpg) on email, monkeysphere, cli, and rubygems.
If I trust someone for reasons that have nothing to do with rubygems, and they've authenticated gem signing keys, I should receive the additional verification in my trust calculation automatically. I shouldn't have to import or generate a local sig in multiple locations on a single machine.
A separate keyring might make sense if there was actually some sort of rubygems certificate authority, but that's a ways off. For example apt-get maintains its own keyring that only has the distribution signing keys.
I don't think a separate keyring makes sense. One of the points of using PGP over X509 is that it's distributed. You can choose to trust the gem owner directly instead of through the CA, and to verify the gem independent of the CA. It wouldn't make much sense then to separate gem keys.
However it would be helpful for organization purposes if gem keys are tagged as such so that you can easily sort and filter them. I'm not sure whether PGP allows this though.
With #23 a user can use an alternate homedir with the --gpg-homedir option.
If I ever decide to include some default trusted keys, which seems unlikely at this point in time, we will use an alternate keyring by default. But for now we'll use the user's normal keyring by default.
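As an added illustration of the two points made above (trust comes from the web of trust in trustdb.gpg, and the keyring is chosen by homedir), the following Ruby example shows how a verifier would invoke gpg against either the user's normal homedir or an alternate one, and why it must look at the TRUST_* status line rather than stopping at GOODSIG. This is example code written for this thread, not rubygems-openpgp's own implementation; the helper names (`gpg_verify_argv`, `parse_status`, `signature_trusted?`, `verify_gem_signature`) and the sample status output are constructed for the example. The `[GNUPG:]` status keywords themselves are the documented gpg `--status-fd` format.

```ruby
require 'open3'

# Build the argv for gpg as an array (no shell), so paths are never re-parsed.
# homedir: nil  => gpg uses the user's normal ~/.gnupg (the default chosen above);
#          path => an alternate homedir, i.e. what --gpg-homedir selects.
def gpg_verify_argv(signature_path, data_path, homedir: nil)
  argv = ['gpg', '--batch', '--no-tty', '--status-fd', '1']
  argv += ['--homedir', homedir] if homedir
  argv + ['--verify', signature_path, data_path]
end

# Trust levels we accept for a gem signing key. TRUST_UNDEFINED / TRUST_NEVER /
# TRUST_MARGINAL mean the key is in the keyring but the web of trust does not
# vouch for it strongly enough.
ACCEPTED_TRUST = %w[TRUST_FULLY TRUST_ULTIMATE].freeze

# Parse gpg --status-fd output. GOODSIG only says the signature is
# cryptographically valid for *some* key in the keyring; the TRUST_* line is
# the verdict computed from trustdb.gpg, which is what the thread relies on.
def parse_status(status_text)
  result = { good: false, fingerprint: nil, trust: nil, errors: [] }
  status_text.each_line do |line|
    next unless line.start_with?('[GNUPG:] ')
    fields = line.chomp.split(' ')
    keyword = fields[1]
    case keyword
    when 'GOODSIG'  then result[:good] = true
    when 'VALIDSIG' then result[:fingerprint] = fields[2]
    when /\ATRUST_/ then result[:trust] = keyword
    when 'BADSIG', 'ERRSIG', 'NO_PUBKEY', 'EXPKEYSIG', 'REVKEYSIG'
      result[:errors] << keyword
    end
  end
  result
end

# A signature is trusted only if it is good, nothing went wrong, and the
# web of trust rates the signing key as fully or ultimately trusted.
def signature_trusted?(status)
  status[:good] && status[:errors].empty? && ACCEPTED_TRUST.include?(status[:trust])
end

# Run gpg and return the parsed status (requires gpg on PATH; not exercised below).
def verify_gem_signature(signature_path, data_path, homedir: nil)
  stdout, _stderr, _st = Open3.capture3(*gpg_verify_argv(signature_path, data_path, homedir: homedir))
  parse_status(stdout)
end

# Constructed sample status output (fingerprints and uid are placeholders).
SAMPLE_TRUSTED_STATUS = <<~STATUS
  [GNUPG:] NEWSIG
  [GNUPG:] GOODSIG 0123456789ABCDEF Example Dev <dev@example.org>
  [GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2013-01-01 1356998400 0 4 0 1 10 00 0000000000000000000000000123456789ABCDEF
  [GNUPG:] TRUST_FULLY 0 pgp
STATUS

# Same key, same good signature, but no trust path in trustdb.gpg.
SAMPLE_UNTRUSTED_STATUS = <<~STATUS
  [GNUPG:] NEWSIG
  [GNUPG:] GOODSIG 0123456789ABCDEF Example Dev <dev@example.org>
  [GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2013-01-01 1356998400 0 4 0 1 10 00 0000000000000000000000000123456789ABCDEF
  [GNUPG:] TRUST_UNDEFINED 0 pgp
STATUS

if __FILE__ == $PROGRAM_NAME
  puts "default homedir argv: #{gpg_verify_argv('foo.gem.sig', 'foo.gem').join(' ')}"
  puts "alternate homedir argv: #{gpg_verify_argv('foo.gem.sig', 'foo.gem', homedir: File.expand_path('~/.gem/keyring')).join(' ')}"
  puts "trusted sample -> #{signature_trusted?(parse_status(SAMPLE_TRUSTED_STATUS))}"
  puts "untrusted sample -> #{signature_trusted?(parse_status(SAMPLE_UNTRUSTED_STATUS))}"
end
```

The two samples differ only in the TRUST_* line, which is exactly the signal a separate, empty gem keyring would lose: with the user's normal homedir, a local signature or trust path made for other reasons (email, monkeysphere) carries over to gem verification automatically.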
Consider storing all pubkeys used for verification in ~/.gem/keyring. This would prevent cluttering the user's keyring with gem verification keys.