Hi, On Tue, Jul 10, 2018 at 6:23 PM Rodric Rabbah <rod...@gmail.com> wrote: > ...working with @vincent to > publish his key to avoid this: > gpg: WARNING: This key is not certified with a trusted signature! > gpg: There is no indication that the signature belongs to the > owner....
I'm not sure if this is related to GitHub, AFAIK what's happening is that Vincent's GPG key is not signed by other people in a way that creates a chain of signatures to your own key. We usually have key signing events at Apache conferences, see https://www.apache.org/dev/release-signing.html#key-signing-party and the following sections. -Bertrand