Hi, Holger Levsen wrote (27 Jul 2014 11:31:20 GMT) : > gpg: Signature made Thu Jul 24 10:45:33 2014 CEST using RSA key ID 0E3A92E4 > gpg: Good signature from "Mike Perry (Regular use key) > <mikepe...@torproject.org>" > gpg: WARNING: This key is not certified with a trusted signature! > gpg: There is no indication that the signature belongs to the owner. > Primary key fingerprint: C963 C21D 6356 4E2B 10BB 335B 2984 6B3C 6836 86CC > Subkey fingerprint: D734 B622 C7B5 D164 D665 0CB8 717F 1F13 0E3A 92E4
This message indicates that 1. the signature is correct; 2. was made by a key that's present in the keyring used to verify it; and 3. wasn't certified (or otherwise marked as trusted) in that keyring. So, if only the right keys are present in this/those keyring(s), then it should be fine. I'm assuming that the verification is made with GnuPG's --no-default-keyring, and --keyring pointing to a keyring that only contains the expected TBB signing keys. (Side note: I don't know how to mark all TBB signing keys as trusted in that keyring, when creating/importing it, but it's probably possible.) Cheers! -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org