Suppose you're told to import a GPG keyring from: https://ftp.gnu.org/gnu/gnu-keyring.gpg
To import it, download the file and, supposing you saved it as gnu-keyring.gpg, run:
gpg --import gnu-keyring.gpg
Suppose you download a tarball emacs-29.0.91.tar.xz and a signature file emacs-29.0.91.tar.xz.sig. To verify the signature, run:
gpg --verify emacs-29.0.91.tar.xz.sig
With a single argument, gpg looks for the signed data in a file of the same name without the .sig suffix, so both files must sit in the same directory. To be explicit, name the data file too:
gpg --verify emacs-29.0.91.tar.xz.sig emacs-29.0.91.tar.xz
If you get a message like:
gpg: Good signature from "Eli Zaretskii <eliz@gnu.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 17E9 0D52 1672 C046 31B1 183E E78D AE0F 3115 E06B
Then you need to verify that that key really belongs to Eli Zaretskii. "Good signature" only means the signature is mathematically valid for some key in your keyring; the warning means gpg has no trust path from your own key to that one. To check the key properly, compare the full fingerprint (all 40 hex digits, not just the short key ID, which is trivially forgeable) against a copy obtained through an independent channel: the release announcement, the maintainer's or project's own page, or the person themself. Alternatively, see whether the key already carries certifications from keys you trust: gpg --check-sigs 17E90D521672C04631B1183EE78DAE0F3115E06B
Once you've verified that, you can certify (sign) his key with your own private key.
Obligatory read: Web of Trust
To sign a public key that you have, and supposing the public fingerprint of the key is 17E90D521672C04631B1183EE78DAE0F3115E06B, run:
gpg --edit-key 17E90D521672C04631B1183EE78DAE0F3115E06B
Then, in the prompt, enter fpr to display the fingerprint and compare it with the one you verified out of band, enter the number of the user ID you want to certify (or skip this step to certify all of them), then enter the command lsign to sign it locally, and finally save to write the change (without save, nothing is stored). lsign makes a non-exportable certification that never leaves your keyring; use sign only if you intend to publish your certification of this key. Now errors like "This key is not certified with a trusted signature!" should go away, because your own key is ultimately trusted by default and keys it certifies become fully valid. The non-interactive equivalent is:
gpg --lsign-key 17E90D521672C04631B1183EE78DAE0F3115E06B
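Added example (not part of the original notes, nor anything shipped by GNU or gpg): instead of reading the human-readable "Good signature" text, a script should use gpg's machine-readable status output and pin the signer's primary fingerprint, so that a valid signature from any other key, even one you happen to have imported, is rejected. The fingerprint is the one from the notes above; the status lines embedded below are constructed samples of the format gpg emits on --status-fd, with made-up dates, so the parser can be exercised without gpg installed. The function and variable names are my own.

```shell
#!/bin/sh
# Verify a detached signature and pin the signer's primary key fingerprint.
# Added example; not from the original notes.
set -f   # status lines contain "[GNUPG:]", which would otherwise be a glob pattern

# Fingerprint we verified out of band (from the notes above). Any other signer
# is rejected even if gpg reports "Good signature".
EXPECTED_FPR="17E90D521672C04631B1183EE78DAE0F3115E06B"

# Read gpg --status-fd lines from stdin. Returns 0 only if a VALIDSIG line was
# seen whose primary-key fingerprint (10th VALIDSIG field) equals $1, and no
# BADSIG/ERRSIG/NO_PUBKEY line appeared. Everything else is a failure.
check_status() {
    expected="$1"
    found=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                # VALIDSIG <fpr> <date> <ts> <expire> <ver> <reserved> <pk-algo> <hash-algo> <class> <primary-fpr>
                set -- $line
                if [ "${12}" = "$expected" ]; then
                    found=0
                fi
                ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
                return 1
                ;;
        esac
    done
    return $found
}

# Run gpg on a detached signature ($1) over a data file ($2) and feed its status
# lines to check_status. Needs gpg and the signer's key already imported.
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$EXPECTED_FPR"
}

# Constructed sample status output for the signature in the notes above: the key
# ID and fingerprints are real, the timestamps and algorithm fields are made up.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG E78DAE0F3115E06B Eli Zaretskii <eliz@gnu.org>
[GNUPG:] VALIDSIG 17E90D521672C04631B1183EE78DAE0F3115E06B 2023-04-01 1680300000 0 4 0 1 10 00 17E90D521672C04631B1183EE78DAE0F3115E06B
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed sample of a signature that does not verify.
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG E78DAE0F3115E06B Eli Zaretskii <eliz@gnu.org>'

# Usage: ./verify-pinned.sh emacs-29.0.91.tar.xz.sig emacs-29.0.91.tar.xz
if [ "$#" -eq 2 ]; then
    if verify_pinned "$1" "$2"; then
        echo "signature valid and signed by the pinned key"
    else
        echo "REJECTED: signature invalid or not from the pinned key" >&2
        exit 1
    fi
fi
```

Pinning the primary fingerprint (rather than the subkey fingerprint in the third VALIDSIG field) keeps the check working when the maintainer rotates signing subkeys under the same primary key. Note that this replaces the Web of Trust with a single explicit pin, which is the right model for an automated download-and-build pipeline but not a substitute for verifying the fingerprint out of band in the first place.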