pem-dev

Re: PEM and PCAs

1994-02-14 17:11:00
> Then again, if someone can get at your database, I would suspect that
> the same attack would work against your copy of the software.  (i.e.
> person can access your files, person can replace your copy of the software
> with a spoof.)

Not true. 

Many sites still use NFS for file service.  This means that anyone
with root on their local NFS client (and this is a good assumption,
since if you have physical access you most likely have root) can spoof
the NFS server to make it, and the local host for that matter, think
that the attacker is the attackee.  Although it is possible to set up
an NFS server to not trust root access, you cannot do it for normal
users.

As an example, I could make my local machine think that I am you, then
I can use the PEM software (which was installed as root, so I can't
modify *that*) to access your keyring and modify it.  This is neither
an impossible nor a non-trivial possibility.  I showed someone at my
place of employment a couple summers ago how easy it was for me to
read their mail!

A simple solution is to use some sort of authenticated file system,
like AFS or Kerberized NFS, but the best solution is to
cryptographically secure your "bit" by signing the certificate
yourself.

-derek
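
Added example, not part of the original message or of any PEM implementation: a keyring kept on a shared file system is sealed with a tag computed from a key only the user holds, so a modified keyring is rejected when it is loaded. It uses an HMAC keyed from a passphrase as a stand-in for the signature the message recommends; all function names and sample values are hypothetical.

```python
import hashlib
import hmac
import json

def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Key held by the user, never stored on the file server (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)

def _tag(key: bytes, entries: dict) -> bytes:
    # Canonical JSON so the tag covers every name -> certificate binding and
    # the set of entries as a whole: edits, additions and deletions all show.
    blob = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest().encode()

def seal_keyring(key: bytes, entries: dict) -> str:
    """Serialise the keyring with its tag; this is what goes on the shared disk."""
    return json.dumps({"entries": entries, "tag": _tag(key, entries).decode()})

def open_keyring(key: bytes, stored: str) -> dict:
    """Return the entries only if the tag verifies; otherwise raise ValueError."""
    try:
        doc = json.loads(stored)
        entries, tag = doc["entries"], str(doc["tag"]).encode()
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError("keyring is malformed") from exc
    if not isinstance(entries, dict) or not hmac.compare_digest(_tag(key, entries), tag):
        raise ValueError("keyring failed integrity check")
    return entries

def demo() -> tuple:
    # Constructed sample data: names, salt, passphrase and certificates are made up.
    key = derive_key("correct horse battery staple", b"constructed-salt")
    stored = seal_keyring(key, {"alice@example.org": "CERT-A-constructed"})
    ok = open_keyring(key, stored)
    # Someone with write access to the file swaps Alice's certificate.
    forged = json.loads(stored)
    forged["entries"]["alice@example.org"] = "CERT-X-constructed"
    try:
        open_keyring(key, json.dumps(forged))
        detected = False
    except ValueError:
        detected = True
    return ok, detected

if __name__ == "__main__":
    print(demo())
```

An older sealed copy of the keyring still verifies, so this detects edits but not a rollback to a previous version.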
