Nikodemus Siivola wrote:
I hope that Kevin corrects me if I'm wrong, but...
It doesn't matter: the passphrase is required in any case: it guarantees the integrity of the key.
Correct. The private key needs to be protected by a passphrase. The private key is used to sign and decrypt messages. It is not needed to encrypt messages -- encryption requires just the public key.
I'd recommend making a user account named keymaster. Import the public keys into its public key ring that you want to sign. After you sign and export public keys, keep the public keys in the keyring. You can then publish that public keyring as an easy way for someone to import all public keys trusted by clnet. That public file can also be used to verify a signature is trusted by clnet:
gpgv --no-default-keyring --keyring clnet-public-keyring.gpg <file>
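For scripted use of the published keyring, the check described above can be driven from gpgv's machine-readable status lines instead of its human-readable output. This is an added example, not part of the original message; the function names and the sample status lines are constructed, and the wrapper assumes a detached signature file.

```shell
#!/bin/sh
# Added example: decide from gpgv status lines whether a file carries a good
# signature made by a key present in the published clnet keyring.

# parse_gpgv_status: reads `gpgv --status-fd 1` output on stdin.
# Prints the signing key fingerprint and returns 0 only when a GOODSIG and a
# VALIDSIG line are present and no failure line appears; returns 1 otherwise.
parse_gpgv_status() {
    awk '
        $1 != "[GNUPG:]" { next }              # skip anything that is not a status line
        $2 == "GOODSIG"  { good = 1 }
        $2 == "VALIDSIG" { fpr = $3 }          # first argument is the signing key fingerprint
        $2 ~ /^(BADSIG|ERRSIG|NO_PUBKEY|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END {
            if (good && fpr != "" && !bad) { print fpr; exit 0 }
            exit 1
        }'
}

# verify_with_clnet_keyring (hypothetical helper):
#   $1 = path to the keyring, e.g. ./clnet-public-keyring.gpg
#        (a name without a slash is looked up in the GnuPG home directory)
#   $2 = detached signature, $3 = signed file
verify_with_clnet_keyring() {
    gpgv --keyring "$1" --status-fd 1 "$2" "$3" 2>/dev/null | parse_gpgv_status
}

# Constructed sample status output: a good signature from a key in the keyring.
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2024-01-01 1704067200 0 4 0 1 8 00 0000111122223333444455556666777788889999'

# Constructed sample: the signing key is not in the keyring.
UNKNOWN_KEY_STATUS='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 8 00 1704067200 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF'

# Constructed sample: one good signature followed by a bad one; must be rejected.
MIXED_STATUS="$GOOD_STATUS
[GNUPG:] BADSIG FEDCBA9876543210 Other Signer <other@example.invalid>"

# Demo on the constructed good sample: prints the signer fingerprint.
printf '%s\n' "$GOOD_STATUS" | parse_gpgv_status
```

The printed fingerprint can be compared against a pinned list when only some keys in the keyring should be accepted for a given purpose.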