Note that this is similar to the way SSL works for encrypting HTTPS browser sessions: there is a root authority that has the right to sign other people's keys. Some of those keys can sign other keys, and so on. If the string of signatures doesn't authenticate all the way back to a root authority, your browser warns you that something is wrong.