I've just been pratting around for about an hour trying to verify the latest version of bash and its patches from ftp.gnu.org (after hearing about the shellshock bug and wanting to protect myself). I couldn't find the GNU public key anywhere.
I eventually found a question on stackoverflow.com at
which has a great answer which included where to find the GNU public keys:
After downloading them you tell gpg of their existence by:
gpg --import gnu-keyring.gpg
After all this it still doesn't tell you if the signature is trustworthy, nor does it seem to do any check on the file itself (though I could be wrong there).
I don't know why the SHA-1 or md5sum systems are not considered good enough. It doesn't seem very secure to use a security system that is not explained in a note on the site. It kinda renders it useless. When I looked for gpg documentation I found a massive manual that goes to the other extreme of burying the user in too much information. I wonder how many people will wade through all that in order to use it.
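The step the post describes (import the keyring, then verify the tarball against its detached signature) produces two separate answers from gpg: whether the signature over the file is valid, and whether the signing key is trusted. The script below is an added example, not code from the post or from the GNU project; it shows how to read gpg's machine-readable status lines so the two answers are not confused. The status lines it parses are constructed sample output in the format gpg emits with `--status-fd`, with placeholder key ids and fingerprints rather than real GNU keys; the real `gpg --verify` invocation is left as a comment so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): interpret gpg --status-fd output
# from a detached-signature check. In a real run the status text comes from:
#   gpg --import gnu-keyring.gpg
#   gpg --status-fd 1 --verify bash-4.3.tar.gz.sig bash-4.3.tar.gz
# The samples below are CONSTRUCTED; the key id and fingerprint are placeholders.

# Sample 1: signature is cryptographically good, but the key is not trusted yet.
SAMPLE_GOOD_UNTRUSTED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000000 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2014-09-24 1411577660 0 4 0 1 10 00 0000000000000000000000000000000000000000
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Sample 2: the file or signature was modified, so the signature fails.
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0000000000000000 Example Signer <signer@example.invalid>'

# Classify a status transcript:
#   bad            -> file does not match the signature; do not use it
#   nosig          -> no valid signature found at all
#   good-untrusted -> file is intact and signed by the key, but the key itself
#                     has not been trusted (the usual result right after --import)
#   good-trusted   -> file intact and the key is marked fully/ultimately trusted
verify_verdict() {
  status="$1"
  if printf '%s\n' "$status" | grep -q '^\[GNUPG:\] BADSIG'; then
    echo bad; return 1
  fi
  if ! printf '%s\n' "$status" | grep -q '^\[GNUPG:\] VALIDSIG'; then
    echo nosig; return 1
  fi
  if printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)'; then
    echo good-trusted; return 0
  fi
  echo good-untrusted
  return 0
}

# Extract the signing key's fingerprint (first field after VALIDSIG) so it can be
# compared with a fingerprint obtained out of band, which is the check that
# turns "good-untrusted" into a decision you can act on.
signing_fingerprint() {
  printf '%s\n' "$1" | awk '$2 == "VALIDSIG" { print $3; exit }'
}

# Compare the signing fingerprint against an expected one; prints match/mismatch.
fingerprint_check() {
  actual=$(signing_fingerprint "$1")
  if [ -n "$actual" ] && [ "$actual" = "$2" ]; then
    echo match; return 0
  fi
  echo mismatch
  return 1
}

# Stand-alone demonstration on the constructed samples.
verify_verdict "$SAMPLE_GOOD_UNTRUSTED"
verify_verdict "$SAMPLE_BAD" || true
fingerprint_check "$SAMPLE_GOOD_UNTRUSTED" 0000000000000000000000000000000000000000
```

The practical reading: `good-untrusted` means the tarball is intact and was signed by the key whose fingerprint the script prints, and the remaining job is to confirm that fingerprint through a channel other than the download site; `bad` means the file should be discarded regardless of any checksum that matches.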