OK, I don't yet fully understand GPG and it's time to learn it. 
I need a bit of help.  I've installed GPG and generated a key
pair, etc.  Now I've downloaded some security software I want to
test from cisecurity.org.  I've also downloaded the signature
file and the key used to sign the software.  So, in order to
verify the file using GPG, I did a gpg --import cis-*.asc
(whatever the exact file name was..).  But I get a response back:
"gpg: no valid OpenPGP data found. Total number processed:  0"  I
look at the asc file, and it's a short text file, a PGP SIGNATURE
file.  So I think, hmmm... this is a signature file.  But what I
need is their public key.  Is this right?  And if so, where do I
find their public key?  It doesn't say anything about it on their
web site.  Thanks, Scott