We have to import the keys before checking the signature.
    $ gpg --import gpg-signers.pem
    gpg: key 4F25E3B6: public key "Werner Koch (dist sig)" imported
    $ gpg --verify libassuan-2.2.0.tar.bz2.sig libassuan-2.2.0.tar.bz2
    gpg: Signature made Thu 11 Dec 2014 21:13:07 JST using RSA key ID 4F25E3B6
    gpg: Good signature from "Werner Koch (dist sig)"
If we don't want the keys to be stored in the local database permanently, use a disposable keyring.
    $ gpg --no-default-keyring --keyring 1.keyring --import gpg-signers.pem
    gpg: keyring 1.keyring created
    ...
    $ gpg --no-default-keyring --keyring 1.keyring --verify ...
    ...
    $ trash 1.keyring
By design, we receive keys out-of-band.
Though not as convenient as HTTPS, we can download Werner Koch's public key with gpg --recv-key 4F25E3B6. This command works out of the box on many distros that ship a preconfigured keyserver. It is easy to write a script that looks into a signature file and automatically downloads the key used by the person who issued that signature. But the decision is still left to us: whether or not to trust that person.
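As an added example (not code from the original note), here is the kind of script just described in Python: it reads a detached signature (binary .sig or ASCII-armored .asc), walks the OpenPGP signature packet (RFC 4880) to the Issuer subpacket, and builds the gpg --recv-key command for that key ID. The sample signature bytes and the key ID 1122334455667788 are constructed for the demo and verify nothing. The Issuer subpacket is only a hint about which key to fetch: a "Good signature" from a key obtained this way shows the file was signed by whoever holds that key, not that the key belongs to the person named in its user ID, so the trust decision stays with the user.

```python
import base64
import struct

# Added example: parse a detached OpenPGP signature (RFC 4880) far enough to recover the
# issuer key ID. Only v4 signatures and non-partial packet lengths are handled.


def _unarmor(data: bytes) -> bytes:
    """Return raw packet bytes; if the input is ASCII-armored, base64-decode its body."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    state, body = "header", []
    for line in data.decode("ascii", "replace").splitlines():
        if line.startswith("-----BEGIN"):
            continue
        if line.startswith("-----END"):
            break
        if state == "header":            # armor headers run until the first blank line
            if line.strip() == "":
                state = "body"
            continue
        if not line.startswith("="):     # a line starting with '=' is the optional CRC24
            body.append(line.strip())
    return base64.b64decode("".join(body))


def _packet_header(data: bytes, pos: int):
    """Parse one packet header at pos (RFC 4880 4.2); return (tag, body_start, body_len)."""
    ctb = data[pos]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:                                   # new-format header
        tag, first = ctb & 0x3F, data[pos + 1]
        if first < 192:
            return tag, pos + 2, first
        if first < 224:
            return tag, pos + 3, ((first - 192) << 8) + data[pos + 2] + 192
        if first == 255:
            return tag, pos + 6, struct.unpack(">I", data[pos + 2:pos + 6])[0]
        raise ValueError("partial body lengths not supported")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03       # old-format header
    if ltype == 0:
        return tag, pos + 2, data[pos + 1]
    if ltype == 1:
        return tag, pos + 3, struct.unpack(">H", data[pos + 1:pos + 3])[0]
    if ltype == 2:
        return tag, pos + 5, struct.unpack(">I", data[pos + 1:pos + 5])[0]
    raise ValueError("indeterminate packet length not supported")


def _subpackets(area: bytes):
    """Yield (type, value) for each signature subpacket in a hashed or unhashed area."""
    pos = 0
    while pos < len(area):
        first = area[pos]
        if first < 192:
            length, pos = first, pos + 1
        elif first < 255:
            length, pos = ((first - 192) << 8) + area[pos + 1] + 192, pos + 2
        else:
            length, pos = struct.unpack(">I", area[pos + 1:pos + 5])[0], pos + 5
        yield area[pos] & 0x7F, area[pos + 1:pos + length]   # bit 7 is the "critical" flag
        pos += length


def issuer_key_id(sig_bytes: bytes) -> str:
    """Return the issuer's 64-bit key ID (16 hex chars) from a detached signature."""
    data = _unarmor(sig_bytes)
    tag, start, length = _packet_header(data, 0)
    if tag != 2:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    body = data[start:start + length]
    if body[0] != 4:
        raise ValueError(f"only v4 signatures are handled, got v{body[0]}")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    off = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[off:off + 2])[0]
    unhashed = body[off + 2:off + 2 + unhashed_len]
    # GnuPG writes the Issuer (type 16) into the unhashed area; newer versions also add an
    # Issuer Fingerprint (type 33: version byte + 20-byte v4 fingerprint) to the hashed area.
    # The key ID is the low 8 bytes of a v4 fingerprint, so either subpacket yields it.
    key_id = None
    for sub_type, val in list(_subpackets(hashed)) + list(_subpackets(unhashed)):
        if sub_type == 33 and len(val) == 21 and val[0] == 4:
            return val[-8:].hex().upper()
        if sub_type == 16 and len(val) == 8 and key_id is None:
            key_id = val.hex().upper()
    if key_id is None:
        raise ValueError("no Issuer subpacket in signature")
    return key_id


def recv_key_command(sig_bytes: bytes) -> list:
    """The keyserver fetch from the note, built from the signature instead of typed by hand."""
    return ["gpg", "--recv-key", issuer_key_id(sig_bytes)]


# Constructed sample: a minimal v4 RSA/SHA-256 binary-document signature with a creation-time
# subpacket (hashed) and an Issuer subpacket (unhashed). The key ID and MPI are made up.
SAMPLE_KEY_ID = "1122334455667788"
_hashed = bytes([5, 2]) + struct.pack(">I", 1418300000)           # type 2: creation time
_unhashed = bytes([9, 16]) + bytes.fromhex(SAMPLE_KEY_ID)          # type 16: issuer key ID
_body = (bytes([4, 0, 1, 8])                                       # v4, binary sig, RSA, SHA-256
         + struct.pack(">H", len(_hashed)) + _hashed
         + struct.pack(">H", len(_unhashed)) + _unhashed
         + b"\xab\xcd"                                             # left 16 bits of the hash
         + b"\x00\x08\xff")                                        # one dummy 8-bit MPI
SAMPLE_SIG = bytes([0xC2, len(_body)]) + _body                     # new-format header, tag 2
SAMPLE_ARMORED = ("-----BEGIN PGP SIGNATURE-----\nComment: constructed sample\n\n"
                  + base64.b64encode(SAMPLE_SIG).decode() + "\n-----END PGP SIGNATURE-----\n")
```

Running recv_key_command(SAMPLE_SIG) yields ["gpg", "--recv-key", "1122334455667788"]; on a real .sig the same call produces the command to fetch the signer's key, after which gpg --verify can run, and the user still has to decide whether the fetched key is the right one.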