ASDF-Install and GPG
This page discusses some issues with gpg that affect ASDF-Install users. If you are a developer who wishes to make your software asdf-installable, but you aren't sure how to use gpg, see GPG for ASDF-Install developers.

Check out this good tutorial on ASDF-install and GPG keys

Making ASDF ignore keys

If you don't care about the security of the packages, put this line into $HOME/.asdf-install:

(defparameter ASDF-INSTALL-CUSTOMIZE::*VERIFY-GPG-SIGNATURES* nil)

Obtaining developers' public keys

The problem of distributing developer public keys is a difficult one, and the hassle of getting these keys seems to be a somewhat common complaint among new asdf-install users. Please see this tutorial about validating PGP keys.

Obtaining keys from websites

Many developers put their public keys on their websites, generally in a file called pubkey.asc. You can download these and import them into the set of keys your gpg knows about with the following command:

gpg --import pubkey.asc

All developers with common-lisp.net accounts are required to make their public key available to check signatures against. The set of all these keys is available from http://common-lisp.net/keyring.asc, and is updated daily.

Once you believe that you have the keys of all developers you trust, you can view with suspicion any package that causes a gpg-related error upon installation.

Obtaining keys automatically

Something that makes this a bit easier (but much less secure!) is setting up gpg to automatically fetch keys from a keyserver. Adding the following two lines to your gpg.conf should do it:

keyserver wwwkeys.pgp.net
keyserver-options auto-key-retrieve

Please note that this is only recommended if it prevents you from lazily ignoring the gpg warnings and not checking the signature at all. In a perfect world, web-of-trust issues would have some easy solution. Read the gpg manual for more details on these options.
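The "gpg-related error upon installation" mentioned above, and the reason an auto-retrieved key is "much less secure", both come down to what gpg reports on its machine-readable status channel: a key that gpg has never seen gives NO_PUBKEY, a key fetched from a keyserver but never signed or trusted by you gives GOODSIG followed by TRUST_UNDEFINED, and only a key you actually trust gives GOODSIG with TRUST_FULLY or TRUST_ULTIMATE. The following is an added example, not code from ASDF-Install or from this page; it parses the status lines that `gpg --status-fd 1 --verify` emits (GOODSIG, VALIDSIG, TRUST_*, NO_PUBKEY, BADSIG and ERRSIG are real GnuPG status keywords) and sorts them into the outcomes an installer has to distinguish. The key id, user id and verdict names are constructed for the example.

```python
"""Classify GnuPG --status-fd output the way a package installer must.

Added example, not part of ASDF-Install. The status keywords are GnuPG's;
the sample lines, the key id 0123456789ABCDEF and the verdict strings
("verified", "key-not-trusted", ...) are constructed for illustration.
"""
import subprocess
from typing import Iterable, List, Tuple

STATUS_PREFIX = "[GNUPG:] "
# Only these trust levels mean "a key I have decided to trust".
TRUSTED_LEVELS = {"TRUST_FULLY", "TRUST_ULTIMATE"}


def classify_gpg_status(lines: Iterable[str]) -> Tuple[str, str]:
    """Return (verdict, key_id_or_detail) for a gpg --status-fd transcript.

    Verdicts, in the order they are decided:
      key-not-found    NO_PUBKEY seen: you never imported the signer's key
      bad-signature    BADSIG seen: the file does not match the signature
      error            ERRSIG without NO_PUBKEY: gpg could not check it
      key-not-trusted  GOODSIG but the key is not fully/ultimately trusted
                       (what a key auto-fetched from a keyserver gives)
      verified         GOODSIG and the key is trusted by you
      no-signature     no signature-related status lines at all
    """
    good_key = None
    missing_key = None
    bad_key = None
    errsig = None
    trust = None
    for raw in lines:
        if not raw.startswith(STATUS_PREFIX):
            continue  # human-readable gpg chatter, ignore
        fields = raw[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        first = args[0] if args else ""
        if keyword == "NO_PUBKEY":
            missing_key = first
        elif keyword == "BADSIG":
            bad_key = first
        elif keyword == "ERRSIG":
            errsig = " ".join(args)
        elif keyword == "GOODSIG":
            good_key = first  # args[1:] is the user id, which may contain spaces
        elif keyword.startswith("TRUST_"):
            trust = keyword
    if missing_key is not None:
        return "key-not-found", missing_key
    if bad_key is not None:
        return "bad-signature", bad_key
    if errsig is not None:
        return "error", errsig
    if good_key is None:
        return "no-signature", ""
    if trust in TRUSTED_LEVELS:
        return "verified", good_key
    return "key-not-trusted", good_key


def verify_with_gpg(tarball: str, signature: str) -> Tuple[str, str]:
    """Run gpg on a real tarball/detached signature pair and classify it.

    Requires gpg on PATH; not exercised by the offline samples below.
    """
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", signature, tarball],
        capture_output=True, text=True, check=False,
    )
    return classify_gpg_status(proc.stdout.splitlines())


# Constructed transcripts (not captured from a real run).
SAMPLE_TRUSTED: List[str] = [
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Developer <dev@example.org>",
    "[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF0123456789ABCDEF 2005-01-01 1104537600 0 4 0 17 2 00 00112233445566778899AABBCCDDEEFF0123456789ABCDEF",
    "[GNUPG:] TRUST_FULLY",
]
SAMPLE_AUTO_FETCHED: List[str] = [
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Developer <dev@example.org>",
    "[GNUPG:] TRUST_UNDEFINED",  # key came from a keyserver, nobody vouched for it
]
SAMPLE_MISSING_KEY: List[str] = [
    "[GNUPG:] ERRSIG 0123456789ABCDEF 17 2 00 1104537600 9",
    "[GNUPG:] NO_PUBKEY 0123456789ABCDEF",
]

if __name__ == "__main__":
    for name, sample in [("trusted", SAMPLE_TRUSTED),
                         ("auto-fetched", SAMPLE_AUTO_FETCHED),
                         ("missing key", SAMPLE_MISSING_KEY)]:
        print(f"{name:13s} -> {classify_gpg_status(sample)}")
```

A key obtained through auto-key-retrieve still produces a GOODSIG line, so a check that only looks for "good signature" text would pass it; the TRUST_ line is what separates a key you imported and verified (for example from the common-lisp.net keyring) from one that any keyserver user could have uploaded under the developer's name.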
