Ah sorry, let me clarify. Do not ignore "Firma INCORRECTA" / "BAD
signature". That's a fatal error causing gpg to exit with a nonzero return
code. The reason it's bad is that, with the commands as written, gpg is
trying to verify data in the wrong files. Please use these commands instead
to avoid signature / data file mismatch issues:

gpg --verify apache-fineract-1.11.0-binary.tar.gz.asc
gpg --verify apache-fineract-1.11.0-binary.tar.gz.sha512.asc
gpg --verify apache-fineract-1.11.0-src.tar.gz.asc
gpg --verify apache-fineract-1.11.0-src.tar.gz.sha512.asc

Written that way, gpg will assume the signed data is in the file of the
same name minus the .asc extension. We've carefully named these files so
it'll work as expected.

Here's the one gpg warning you can ignore, for now:

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

Related: https://en.wikipedia.org/wiki/Key_signing_party and
https://en.wikipedia.org/wiki/Web_of_trust , mentioned in
https://lists.apache.org/thread/7wq9moshw1hfndycodfnzy8ndocpwoy7 . That's a
great way we can eliminate confusing warnings like this.

Victor wrote:

> (base) fintecheando@thales:~/dev/apache/v11/binaries$ gpg --verify apache-fineract-1.11.0-src.tar.gz.sha512.asc apache-fineract-1.11.0-src.tar.gz
> gpg: Firmado el vie 28 feb 2025 12:41:08 CST
> gpg:                usando EDDSA clave BD58EA9F85201ADB52CFC0444F169FF263F5F98E
> gpg: Firma INCORRECTA de "James Patrick Dailey <jdai...@apache.org>" [desconocido]
> (base) fintecheando@thales:~/dev/apache/v11/binaries$ gpg --verify apache-fineract-1.11.0-binary.tar.gz.sha512.asc apache-fineract-1.11.0-binary.tar.gz
> gpg: Firmado el vie 28 feb 2025 20:06:37 CST
> gpg:                usando EDDSA clave BD58EA9F85201ADB52CFC0444F169FF263F5F98E
> gpg: Firma INCORRECTA de "James Patrick Dailey <jdai...@apache.org>" [desconocido]
>
> Keys are matching with the shared keys, just the warning.
>
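An added example, not part of the original message or the project's tooling: a POSIX shell sketch that pairs each `.asc` file with the data file its name implies and decides pass or fail from gpg's `--status-fd` keywords, which stay the same whatever language the human-readable output is in. The function names and the sample status lines are assumptions made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GnuPG 2.x with the release
# signer's public key already imported.

# Data file gpg assumes for a one-argument --verify: the name minus ".asc".
signed_file_for() { printf '%s\n' "${1%.asc}"; }

# Reduce `gpg --status-fd` lines on stdin to one verdict. Status keywords are
# not localized, so this works where the human text reads "Firma INCORRECTA".
classify_status() (
  verdict=no-signature
  while IFS= read -r line; do
    case "$line" in
      "[GNUPG:] BADSIG "*) verdict=bad; break ;;        # fatal
      "[GNUPG:] ERRSIG "*) verdict=unchecked; break ;;  # could not be checked
      "[GNUPG:] GOODSIG "*) verdict=good ;;
      "[GNUPG:] TRUST_UNDEFINED"*)                      # the ignorable warning
        if [ "$verdict" = good ]; then verdict=good-uncertified-key; fi ;;
    esac
  done
  printf '%s\n' "$verdict"
)

# Verify one detached signature against the file its own name implies.
verify_release() (
  sig=$1
  data=$(signed_file_for "$sig")
  [ -f "$data" ] || { echo "missing signed file: $data" >&2; exit 2; }
  status=$(gpg --status-fd 1 --verify "$sig" "$data" 2>/dev/null) || true
  case "$(printf '%s\n' "$status" | classify_status)" in
    good|good-uncertified-key) exit 0 ;;
    *) exit 1 ;;
  esac
)

# Constructed status output (placeholder key ID and user ID), for offline use.
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0000000000000000 Example Signer <signer@example.invalid>'
SAMPLE_UNCERTIFIED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000000 Example Signer <signer@example.invalid>
[GNUPG:] TRUST_UNDEFINED 0 pgp'
```

Calling `verify_release apache-fineract-1.11.0-src.tar.gz.sha512.asc` checks the signature against `apache-fineract-1.11.0-src.tar.gz.sha512`, never against the tarball itself.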
