Check out this good tutorial on ASDF-install and GPG keys
Making ASDF ignore keys
If you don't care about the security of the packages, put this line into $HOME/.asdf-install:
(defparameter ASDF-INSTALL-CUSTOMIZE::*VERIFY-GPG-SIGNATURES* nil)
Obtaining developers' public keys
The problem of distributing developer public keys is a difficult one, and the hassle of getting these keys seems to be a somewhat common complaint among new asdf-install users. Please see this tutorial about validating PGP keys.
Obtaining keys from websites
Many developers put their public keys on their websites, generally in a file called pubkey.asc. You can download these and import them into the set of keys your gpg knows about with the following command:
gpg --import pubkey.asc
All developers with common-lisp.net accounts are required to make their public key available to check signatures against. The set of all these keys is available from http://common-lisp.net/keyring.asc, and is updated daily.
Once you believe that you have the keys of all developers you trust, you can view with suspicion any package that causes a gpg-related error upon installation.
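A key downloaded from a website is only as trustworthy as the check you make on it before importing it. The following is an added example, not part of the original page or of asdf-install: it lists the key in pubkey.asc without touching your keyring and imports it only if its primary-key fingerprint matches one you obtained from the developer by another channel. The function names are hypothetical, and it assumes a GnuPG 2.x gpg that supports --show-keys.

```shell
#!/bin/sh
# Added example: fingerprint-pinned import. All function names are hypothetical.

# Normalise a fingerprint: drop whitespace, uppercase the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# Read `gpg --with-colons` output on stdin and print the fingerprint of each
# primary key: the first "fpr" record after a "pub" record (field 10).
# Subkey fingerprints are skipped.
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# fpr_matches EXPECTED LISTING
# Succeed only if LISTING describes exactly one primary key and its
# fingerprint equals EXPECTED. A file carrying extra keys is rejected.
fpr_matches() {
    expected=$(normalize_fpr "$1")
    found=$(printf '%s\n' "$2" | primary_fprs)
    [ -n "$found" ] || return 1
    [ "$(printf '%s\n' "$found" | wc -l | tr -d ' ')" -eq 1 ] || return 1
    [ "$(normalize_fpr "$found")" = "$expected" ]
}

# import_pinned_key FILE EXPECTED
# Inspect FILE without modifying the keyring, then import on a match.
import_pinned_key() {
    file=$1; expected=$2
    listing=$(gpg --show-keys --with-colons "$file") || return 2
    if fpr_matches "$expected" "$listing"; then
        gpg --import "$file"
    else
        echo "fingerprint mismatch, not importing $file" >&2
        return 1
    fi
}

# Usage (the fingerprint comes from the developer, not from the same website):
#   import_pinned_key pubkey.asc "<fingerprint obtained out-of-band>"
```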
Obtaining keys automatically
Something that makes this a bit easier (but much less secure!) is setting up gpg to automatically fetch keys from a keyserver. Adding the following two lines to your gpg.conf should do it:
keyserver wwwkeys.pgp.net
keyserver-options auto-key-retrieve
Please note that this is only recommended if it prevents you from lazily ignoring the gpg warnings and not checking the signature at all. In a perfect world, web-of-trust issues would have some easy solution. Read the gpg manual for more details on these options.