gpg --import: Load a Key From a Secret in CI
gpg --import adds the keys in a file (or piped on stdin) to your GnuPG keyring.
Most pipelines start by importing a signing key held as a CI secret. The trick is feeding the key on stdin and running non-interactively so nothing prompts.
What it does
gpg --import reads one or more OpenPGP keys (public or secret) from the named files or from stdin and adds them to the keyring under GNUPGHOME. Importing a secret key also imports its public half.
Common usage
gpg --import private.asc
# import a key held in a CI secret (no temp file on disk)
echo "$GPG_PRIVATE_KEY" | gpg --batch --import
# import a public key to verify signatures
gpg --import release-pubkey.ascOptions
| Flag | What it does |
|---|---|
| --import | Import keys from the given files or stdin |
| --batch | Run non-interactively (no prompts) |
| --import-options <opt> | Tune import, e.g. import-show, keep-ownertrust |
| --no-tty | Do not try to use the terminal |
| --with-colons | Machine-readable output (pair with --import-options import-show) |
In CI
Store the key as an ASCII-armored secret (the output of --export-secret-keys --armor) and pipe it in with echo "$GPG_PRIVATE_KEY" | gpg --batch --import. Keep the armored block intact: GitHub Actions and similar systems preserve newlines in secrets, so do not base64 unless you decode before importing.
Common errors in CI
"gpg: no valid OpenPGP data found" means the input is not a real key block, usually a secret that lost its newlines or was double base64-encoded. "gpg: key X: secret key imported" with later signing failures often means owner trust was not set; see gpg-trust-model. "gpg: WARNING: unsafe permissions on homedir" means GNUPGHOME is not chmod 700.