* Is there a GnuPG library we can link against instead of execing gpg?
  - Yes, there is PGG, but it is merely a wrapper around the GPG binary. A
    very good wrapper, but it is hugely overweight for what we need.
    Basically this may be a dead issue. Otherwise, we should probably start
    using the --with-colon and --status-fd output for better parsing of
    the verify and keyring output.

* Figure out how to integrate this more tightly with the package tools
  (apt, dpkg etc..).

* Expiry still needs to be handled.

* Add some more info to the verbose output.
  STATUS: in progress

* Obviously this needs more code auditing.
  - The code uses static buffers and length constrained functions (snprintf,
    strncmp) where ever possible, but in some cases it might make sense to
    switch them to dynamically allocated buffers instead.

* I18n and l10n.
