ASDF-Install and GPG
This page discusses some issues with gpg that affect ASDF-Install users. If you are a developer who wishes to make your software asdf-installable, but you aren't sure how to work gpg, see GPG for ASDF-Install developers.

Check out this good tutorial on ASDF-install and GPG keys

Making ASDF ignore keys

If you don't care about the security of the packages, put this line into $HOME/.asdf-install:


Obtaining developers' public keys

The problem of distributing developer public keys is a difficult one, and the hassle of getting these keys seems to be a somewhat common complaint among new asdf-install users. Please see this tutorial about validating PGP keys.

Obtaining keys from websites

Many developers put their public keys on their websites, generally in a file called pubkey.asc. You can download these and import them into the set of keys your gpg knows about with the following command:

gpg --import pubkey.asc

All developers with accounts are required to make their public key available to check signatures against. The set of all these keys is available from, and is updated daily.

Once you believe that you have the keys of all developers you trust, you can view with suspicion any package that causes a gpg-related error upon installation.

Obtaining keys automatically

Something that makes this a bit easier (but much less secure!) is setting up gpg to automatically fetch keys from a keyserver. Adding the following two lines to your gpg.conf should do it:

keyserver-options auto-key-retrieve

Please note that this is only recommended if it prevents you from lazily ignoring the gpg warnings and not checking the signature at all. In a perfect world, web-of-trust issues would have some easy solution. Read the gpg manual for more details on these options.

This page is presently Uncategorized: please add appropriate topic markers and remove this text