I've seen that before -- it just means that you haven't declared, explicitly or implicitly, that you trust that the signing key is really Andrew's.
The important line should be above that, and should say gpg: Good signature from "Andrew Grieve (CODE SIGNING KEY) < [email protected]>" What you can do right now is run "gpg --fingerprint", and then have Andrew do that same, and verify that they match. Then you can safely ignore the message :) The long term solution is to get Andrew's (and Steven's, and anyone else's) public key signed by some Apache folks. Apparently there's a key signing party at every ApacheCon, so that'll be a good time to do it. -------- Instead of ignoring the message, you can also sign the key with your own: $ gpg --edit-key [email protected] > sign > save On Wed, Mar 5, 2014 at 3:19 PM, Michal Mocny <[email protected]> wrote: > +1 > > However, gpg --verify gives me: > > gpg: WARNING: This key is not certified with a trusted signature! > gpg: There is no indication that the signature belongs to the > owner. > > I don't recall seeing this before. I had to add your new key to verify this > time. > > -Michal > > > On Wed, Mar 5, 2014 at 2:45 PM, Andrew Grieve <[email protected]> > wrote: > > > Please review and vote on the release of this inappbrowser release. > > > > The plugin has been publish here: > > https://dist.apache.org/repos/dist/dev/cordova/iab/ > > > > It is the same as the recently published 0.3.2, except with: > > * CB-6172 Fix broken install on case-sensitive file-systems > > > > The packages were published from their corresponding git tags: > > cordova-plugin-inappbrowser: 0.3.3 (a5dedae631) > > > > Upon a successful vote I will upload the archives to dist/, upload them > to > > the Plugins Registry, and post the corresponding blog post. > > > > Voting will go on for a minimum of 20 hours. > > > > I vote +1. > > >
