Skip to content
Latchkey

gpg --import: Load a Key From a Secret in CI

gpg --import adds the keys in a file (or piped on stdin) to your GnuPG keyring.

Most pipelines start by importing a signing key held as a CI secret. The trick is feeding the key on stdin and running non-interactively so nothing prompts.

What it does

gpg --import reads one or more OpenPGP keys (public or secret) from the named files or from stdin and adds them to the keyring under GNUPGHOME. Importing a secret key also imports its public half.

Common usage

Terminal
gpg --import private.asc
# import a key held in a CI secret (no temp file on disk)
echo "$GPG_PRIVATE_KEY" | gpg --batch --import
# import a public key to verify signatures
gpg --import release-pubkey.asc

Options

FlagWhat it does
--importImport keys from the given files or stdin
--batchRun non-interactively (no prompts)
--import-options <opt>Tune import, e.g. import-show, keep-ownertrust
--no-ttyDo not try to use the terminal
--with-colonsMachine-readable output (pair with --import-options import-show)

In CI

Store the key as an ASCII-armored secret (the output of --export-secret-keys --armor) and pipe it in with echo "$GPG_PRIVATE_KEY" | gpg --batch --import. Keep the armored block intact: GitHub Actions and similar systems preserve newlines in secrets, so do not base64 unless you decode before importing.

Common errors in CI

"gpg: no valid OpenPGP data found" means the input is not a real key block, usually a secret that lost its newlines or was double base64-encoded. "gpg: key X: secret key imported" with later signing failures often means owner trust was not set; see gpg-trust-model. "gpg: WARNING: unsafe permissions on homedir" means GNUPGHOME is not chmod 700.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →