diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 3f88bb3..929e972 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -4,12 +4,10 @@ services: - docker:dind before_script: - - apk add make git gnupg openssl bash util-linux + - apk add make test: script: - make lint - make test - - mkdir -p ~/.gnupg/ - - echo "group maintainers = 154E6BB21AA3ADAA1AE8E4C3B11B4A3F97FE0C65 D37EA2C705C8125024932FF3008DDBA577B40593 000BB588C6908039A1E7B033552ECE18615AA0CF 0993C738D2D0B3B4B70E4CEBB62C48C8CAFFFC09 E68A304BC1806237B05CD2A21667D82C2BF9F3E1 6B61ECD76088748C70590D55E90A401336C8AAA9" >> ~/.gnupg/gpg.conf - - ./sig verify --threshold 3 --group maintainers + - make verify diff --git a/.sig/manifest.8E47A1EC35A1551D.asc b/.sig/manifest.8E47A1EC35A1551D.asc index e4c7270..045ef46 100644 --- a/.sig/manifest.8E47A1EC35A1551D.asc +++ b/.sig/manifest.8E47A1EC35A1551D.asc 
@@ -1,16 +1,16 @@ -----BEGIN PGP SIGNATURE----- -iQIzBAABCgAdFiEEZ1U/vaRrtxq9LgsLjkeh7DWhVR0FAl+3PS0ACgkQjkeh7DWh -VR0WVg/+N03hml7HngM0DbJBhKuSrEzjOIe+Bzx96VVqo322oDtHielnHD9bSbJj -HhKhjaLZeYVDaRWwloMtypF0JEWgbuwKmWp8tqqoOM4ySkgvkpphIaaQUvU56eTW -8daPwOC1d/A/SuSuAK7Do0S7XOuTY5uMyu/ALxXO5kV/tMmfAufcN1j+3FL48Dk3 -iHHZnVKTBN2zH3hEsuwpVIpSUVZcxNumjYegyuGYkesKVCvd4xhdqMSJXhC+XAeQ -uHtO8Uh6S854gmrPwCBcicq35HAhaMBJJ9Rb3ubigQMjFpXnylThDo4gdgSBZyXE -VsBTmQS665v9k2OfJgtKhljiWfwCpGv1pLk35bkDcJqSRbZc5kNZRuxL0GRWHPdM -XK42dJOq9IdrW+RCVB9cUTXURhs6YC529iFnPcmSqW2Iv0sbSBhIbrYO/PuVuAcX -9ZlV2DHRlhnDEJNRW1vp5GANBW99WiC1IcC1hRTa+5Ak06AdJsTGe2X0AxVq+ZNF -C6Ix/oJuQyb6oaSbpaBc6YmjAkvaTItyx4WlLck7KgQUttlEzUPuS3XTqfeeHuO6 -e/YqAqypVIQt20AH72zC0aCH+/v7tENIKNd3am2zYxW7jNANLqtX+h5Zud6abK3G -iBPjJp+BPrXsqzsd7hRUSoZeeSM7VQNVqQMI+q7E4hKzyvplXL4= -=SKg/ +iQIzBAABCgAdFiEEZ1U/vaRrtxq9LgsLjkeh7DWhVR0FAl+3iCAACgkQjkeh7DWh +VR2PVA/9GWiy+hLXmTnXDhIrvl/joTvk0JwU4AlxMw55PlCPh3wlejUDKKx6xFMy +a4oaU59/6mPyVlNKPLNXFHCwJhS4beDYhAjP6gA4Esr469K5jVZFQtbD6GuQ7mDi +62HNjWZyQqaVQMR2/kH74XY7mm2Dw0NpmqA9EM5EUZBRYwt1p3YycX37AfSTdof9 +VlDSXU6cNo8E+K70Salw8q/Ds58dOCeu4bGfL6eXHPDCOzCOSth141yaJcTN+fIN +UXxK62aGzci1G7M8Wfl8rWo0gz55+ydYiIyCEzhkU2zVMNJDiO2s7as3pjyT5LWD +yWv8dpa0d8OZjt9hKCTUgxsOogt18ermbP9jFteuUwKTkIsjiJWZoPN1lHiNtNud +wIUGDnB+lyytrA2Rc3YgbN2VzS4UKqBU/iCLxqtNgkJnunLPcnNHqrYlX9cKWMFO +pL1pcr/CZsBk28iJmeQr8UQjdchO4RNNagk+yQocscdljUw1LLY7n5+9P2/fhkK1 +VT6kRQY/sxibkZsE7cP4HkfkOm0XpWfI1NGpG3iRh9ACVlnleOBskPxovVJ0q5VO +CFlvOMMLZ/MhxdC7LrC6AcTyPiXz6W34/PBJMAsxl04Rmlx7YyoZL07d7Q0kaRKu +4DHdb3j190tx/vcJC7YVY5XkuyYGD4ZYKGDaXhAS1TcUHNFe5xU= +=Qxxm -----END PGP SIGNATURE----- diff --git a/.sig/manifest.txt b/.sig/manifest.txt index 9a0a8a5..90da351 100644 --- a/.sig/manifest.txt +++ b/.sig/manifest.txt 
@@ -1,8 +1,8 @@ 64263feac7b00952e9ec3b6c1fd11316faa58ff673c6bd085fac9f6f8d8389f6 .gitignore -66a3b8bfb76f689fc4ab7bd95907b29c17c704c075c00c6cc6382e424dccd6bb .gitlab-ci.yml -373cb178010e75bdccd5c792c43429c8274a615c8b69b5d57f4c2ec0263f802b Makefile +67377eee89dfc4411665474ac0bee0f9a19ea7e594bcc8606b0bc3ace69f0aa1 .gitlab-ci.yml +e272f7b4b6240dfc3499a3a977b94746903cece41481916e22868f7017da2a52 Makefile f19d267e4aa6bf82d5416891697a2a81a574efdddecf5c54e3a8a77c207013fa README.md -eb12fb7ea33eafb138fa89020d6bfeb57595e0ffa30634aca764fd34417853d2 sig +1ef7edc22f4f6b949b708d0e7a72e32aeab33b9a5fcdd4306193fa8629f5f622 sig 655df07f3827e7055d0c6aa21a0a4907957a34a2b8a1e9131225c537e448e2e3 test/Dockerfile 55250be3c8f25dcbe68a73e8de8c8a94d8ceb0354c7f955519373d9c963903dd test/test.bats c95e072f0917531257c069516fc1bf08fd98e5c5f3958f5353a219cb5b70fd38 test/test_helper.bash diff --git a/Makefile b/Makefile index 2f87fed..659306d 100644 --- a/Makefile +++ b/Makefile @@ -16,6 +16,20 @@ lint: test-image local/sig-test \ shellcheck sig/sig +.PHONY: verify +verify: test-image + docker run \ + --rm \ + --interactive \ + --volume $(PWD)/:/home/test/sig \ + local/sig-test /bin/bash -c " \ + cp -R sig /tmp/sig; \ + cd /tmp/sig; \ + ./sig fetch --group maintainers 6B61ECD76088748C70590D55E90A401336C8AAA9; \ + ./sig verify --threshold 1 --method=git --group maintainers; \ + ./sig verify --threshold 3 --method=detached --group maintainers; \ + " + .PHONY: test-image test-image: docker build \ diff --git a/sig b/sig index 367ddef..398f1f5 100755 --- a/sig +++ b/sig @@ -178,6 +178,7 @@ group_add_fp(){ done echo "Adding key \"${fp}\" to group \"${group_name}\"" + gpg --list-keys >/dev/null 2>&1 printf 'group:0:%s' "${data%?}" \ | gpgconf --change-options gpg >/dev/null 2>&1 } 
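Review bot: In the new `verify` target the steps inside `bash -c "…"` are joined with `;`, so a failing `cp`, `cd /tmp/sig`, `./sig fetch` or the `--threshold 1 --method=git` verify does not fail the target — only the final `./sig verify --threshold 3 --method=detached` sets the exit status, and after a failed `cd` both verifies would run against the wrong directory. Open the command string with `set -e;` (or join the steps with `&&`) so each step must succeed for the target to pass. The target also seeds the `maintainers` group with a single fingerprint while the detached check requires three group signatures; unless `local/sig-test` (built from `test/Dockerfile`, outside this diff) already defines the group, that check cannot be satisfied, so either confirm the image does so or seed the full maintainer list here as `.gitlab-ci.yml` did before this change.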
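Review bot: The added `gpg --list-keys >/dev/null 2>&1` in group_add_fp carries no comment and discards both its output and exit status, so a reader cannot tell what it is for; presumably it makes gpg create its home directory before `gpgconf --change-options gpg` writes the group option — please confirm and record it, e.g. `# run gpg once so ~/.gnupg and gpg.conf exist before gpgconf writes the group option`. If a first-run failure here matters, it is also silently ignored, so the gpgconf call that follows would fail just as silently. group_add_fp begins before this hunk; only its tail is visible.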
@@ -330,6 +331,48 @@ cmd_verify() { fi } +cmd_fetch() { + local opts group="" group_fps="" + opts="$(getopt -o g: -l group: -n "$PROGRAM" -- "$@")" + eval set -- "$opts" + while true; do case $1 in + -g|--group) group="${2:-1}"; shift 2 ;; + --) shift; break ;; + esac done + [ $# -eq 1 ] || \ + die "Usage: $PROGRAM fetch [-g,--group=]" + local -r fingerprint=${1} + + if [ ! -z "$group" ]; then + group_fps=$(group_get_fps "${group_name}") + if [[ "${group_fps}" == *"${fingerprint}"* ]]; then + echo "Key \"${fingerprint}\" is already in group \"${group}\"" + else + group_add_fp "${fingerprint}" "${group}" + fi + fi + + gpg --list-keys "${fingerprint}" > /dev/null 2>&1 \ + && echo "Key \"${fingerprint}\" is already in local keychain" \ + && return 0 + + echo "Requested key is not in keyring. Trying keyservers..." + for server in \ + ha.pool.sks-keyservers.net \ + hkp://keyserver.ubuntu.com:80 \ + hkp://p80.pool.sks-keyservers.net:80 \ + pgp.mit.edu \ + ; do \ + echo "Fetching key "${fingerprint}" from ${server}"; \ + gpg \ + --recv-key \ + --keyserver "$server" \ + --keyserver-options timeout=10 \ + --recv-keys "${fingerprint}" \ + && break; \ + done +} + cmd_add(){ cmd_manifest gpg --armor --detach-sig ."${PROGRAM}"/manifest.txt >/dev/null 2>&1 @@ -357,10 +400,12 @@ cmd_usage() { cmd_version cat <<-_EOF Usage: - $PROGRAM verify [-g,--group=] [-t,--threshold=] [-m,--method= ] - Verify m-of-n signatures by given group are present for directory $PROGRAM add Add signature to manifest for this directory + $PROGRAM verify [-g,--group=] [-t,--threshold=] [-m,--method= ] + Verify m-of-n signatures by given group are present for directory + $PROGRAM fetch [-g,--group=] + Fetch key by fingerprint. Optionally add to group. $PROGRAM manifest Generate hash manifest for this directory $PROGRAM help 
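Review bot: In cmd_fetch the group check calls `group_get_fps "${group_name}"`, but the option parser stores the group in `group`; `group_name` is never set in this function, so the lookup is made on an empty (or inherited) name and the "already in group" branch cannot be trusted — it should read `group_get_fps "${group}"`. The argument is also never validated before it is used as a substring pattern, written into the group and passed to `--recv-keys`, so a short key id is accepted where only a full fingerprint identifies a key unambiguously; rejecting anything but 40 hex digits, and stating that in the `die` usage text, closes that gap. Minor points in the same function: `echo "Fetching key "${fingerprint}" from ${server}"` leaves the fingerprint outside the quotes (escape them), `--recv-key` and `--recv-keys` are the same command given twice, and the trailing `\` on every line of the loop body is not needed. cmd_fetch lies wholly inside the hunk; the rewritten lines are below.
```shell
cmd_fetch() {
  # … unchanged: getopt parsing of -g/--group …
  local -r fingerprint=${1}
  # only a full fingerprint names a key unambiguously; reject short ids
  [[ "${fingerprint}" =~ ^[0-9A-Fa-f]{40}$ ]] \
    || die "Usage: $PROGRAM fetch [-g,--group=] <40-hex-digit fingerprint>"

  if [[ -n "$group" ]]; then
    group_fps=$(group_get_fps "${group}")
    # … unchanged: already-in-group check / group_add_fp …
  fi

  # … unchanged: local keyring check, "Trying keyservers" message …
  # … unchanged: for server in <keyserver list>; do …
    echo "Fetching key \"${fingerprint}\" from ${server}"
    gpg \
      --keyserver "$server" \
      --keyserver-options timeout=10 \
      --recv-keys "${fingerprint}" \
      && break
  done
}
```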
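Review bot: The new usage line `$PROGRAM fetch [-g,--group=]` omits the positional argument that cmd_fetch insists on (`[ $# -eq 1 ] || die …` in the previous hunk), and the `die` message there has the same gap; write it as `$PROGRAM fetch [-g,--group=] <fingerprint>` in both places. The description could also say where the key comes from, since the code checks the local keyring first and only then the keyservers: `Fetch key by full fingerprint (local keyring, then keyservers). Optionally add to group.` The `verify` lines are only moved, and the heredoc belongs to cmd_usage, whose start and end lie outside this hunk.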
@@ -381,6 +426,7 @@ case "$1" in
 verify) shift; cmd_verify "$@" ;;
 add) shift; cmd_add "$@" ;;
 manifest) shift; cmd_manifest "$@" ;;
+ fetch) shift; cmd_fetch "$@" ;;
 version|--version) shift; cmd_version "$@" ;;
 help|--help) shift; cmd_usage "$@" ;;
 *) cmd_usage "$@" ;;