Subject: Re: Volunteers to test some kernel code...
To: Brett Lymn <blymn@baea.com.au>
From: Dave McConnell <davem@eastcoast.co.za>
List: tech-kern
Date: 06/11/1999 10:46:07

The "hash seed" and public/private key pairs (used to 
validate/generate signatures) could be kept on an external token 
such as a smartcard. The user removes the token when not at the 
workstation. Smartcards are relatively cheap and simple to use.

Access control is also an issue. It's no use validating binaries when 
someone has managed to get hold of the root password, or reboots 
your system off a diskette and then has access to your filesystem 
to replace the kernel without your knowledge.

It all depends how serious you are about this, Brett. Using 
something like a smartcard and developing a sound architecture 
would be great tho... You can also then look at encrypted 
filesystems etc etc :-)

No security system is ever 100%. How much money and effort you 
expend securing your system is proportional to what your threat is 
and the cost of a compromise. 

Cheers
Dave