
So long as the secret key was not compromised, then the signature file also just doesn't matter - if it's compromised, the validation fails. One of the beauties of asymmetric encryption, making GPG worth learning about.


I think this really only applies for signatures you can trust. A frightening number of keys used to sign software are not signed by anyone, so they're effectively the equivalent of a self-signed certificate.

I've also found some projects where the key used to sign the software isn't even consistent between releases, so you don't even have the (minimal) protection offered by checking the signatures against "known good" builds.


> A frightening number of keys used to sign software are not signed by anyone, so they're effectively the equivalent of a self-signed certificate.

I wonder how hard it would be to socially engineer yourself into the trust chain. I haven't read the GPG manuals, but I'd be surprised if there were strict protocols followed by everyone when signing others' keys. Most people probably don't or can't ensure that there is no MITM when signing keys, and can't reliably verify that government ID papers aren't forgeries, so likely reliable chains of trust exist only between people that spend large quantities of time together and exchange fingerprints over a secure channel.


I'd be happy to be corrected, but I think this applied to the Fedora keys?


You also have to know that the public key you have is the one that corresponds to the secret key that they have.
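The comments above about unsigned keys, keys that change between releases, and knowing you hold the right public key can be turned into a concrete check. This is an added example, not code from any commenter: it reads the machine-readable status lines that `gpg --status-fd 1 --verify` prints and compares the signer against a fingerprint pinned out of band. The fingerprints, sample status lines and function names are constructed for illustration.

```python
# Added illustration; fingerprints and status lines are constructed samples.
PINNED_FPR = "AAAA1111" * 5   # hypothetical fingerprint obtained out of band
OTHER_FPR = "BBBB2222" * 5    # hypothetical key that appears in a later release

FAILURES = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"}


def sample_status(fpr, trust):
    """Build constructed status lines in the shape gpg prints for a good signature."""
    return (
        f"[GNUPG:] GOODSIG {fpr[-16:]} Example Signer <release@example.org>\n"
        f"[GNUPG:] VALIDSIG {fpr} 2024-01-01 1704067200 0 4 0 1 10 00 {fpr}\n"
        f"[GNUPG:] TRUST_{trust} 0 pgp\n"
    )


def check_release(status_text, pinned_fpr=PINNED_FPR):
    """Return (verdict, trust) for one verification run against a pinned key."""
    primary_fpr, trust, failed = None, None, False
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keyword = parts[1]
        if keyword in FAILURES:
            failed = True
        elif keyword == "VALIDSIG" and len(parts) >= 3:
            # The last VALIDSIG field is the primary key fingerprint when present;
            # otherwise fall back to the signing key fingerprint.
            primary_fpr = (parts[11] if len(parts) >= 12 else parts[2]).upper()
        elif keyword.startswith("TRUST_"):
            trust = keyword[len("TRUST_"):]
    if failed or primary_fpr is None:
        return ("invalid", None)
    if primary_fpr != pinned_fpr.upper():
        # Cryptographically valid, but from a key we have no history with.
        return ("key-changed", trust)
    return ("pinned-key", trust)


if __name__ == "__main__":
    releases = {
        "1.0": sample_status(PINNED_FPR, "UNDEFINED"),
        "1.1": sample_status(OTHER_FPR, "UNDEFINED"),
        "1.2": "[GNUPG:] BADSIG 2222BBBB2222BBBB Example Signer <release@example.org>\n",
    }
    for version, status in releases.items():
        print(version, check_release(status))
```

A `key-changed` verdict with trust `UNDEFINED` is the case the thread worries about: the signature verifies, yet nothing ties the key to the project.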



