: gpg: Signature made 08/06/12 19:52:21 Pacific Daylight Time using RSA key ID 322D7ECA
: gpg: Good signature from "Robert Muir (Code Signing Key) <rm...@apache.org>"
: *gpg: WARNING: This key is not certified with a trusted signature!*
: gpg: There is no indication that the signature belongs to the owner.
: Primary key fingerprint: 6661 9BA3 C030 DD55 3625 1303 817A E1DD 322D 7ECA
:
: Is this acceptable?
I guess it depends on what you mean by acceptable? I'm not an expert on this, but as I understand it... gpg is telling you that it confirmed the signature matches a known key named "Robert Muir (Code Signing Key)" which is in your keyring, but that there is no certified level of trust association with that key.

Key Trust is a personal thing, specific to you, your keyring, and how you got the keys you put in that ring. If you trust that the KEYS file you downloaded from apache.org is legitimate, and that all the keys in it should be trusted, you can tell gpg that (using the "trust" interactive command when using --edit-key).

Alternatively, you could tell gpg that you have a high level of trust in the key of some other person you have met personally -- i.e.: if you met Uwe at a conference and he physically handed you his key on a USB drive -- and then if Uwe has signed Robert's key with his own (I think he has, not sure off the top of my head), then gpg would extend an implicit transitive trust to Robert's key...

http://www.gnupg.org/gph/en/manual.html#AEN335

-Hoss
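As an added example (not from this thread): the decision Hoss describes, made from gpg's machine-readable status lines instead of the human-readable warning. It assumes you ran `gpg --status-fd 1 --verify file.asc file` and pulled the fingerprints out of the project's KEYS file; the status lines below are a constructed sample built around the fingerprint quoted above (timestamps made up).

```python
"""Interpret gpg --status-fd output: GOODSIG/VALIDSIG say the signature is
cryptographically valid; the TRUST_* line is what produces the
"WARNING: This key is not certified" message in the thread."""
from dataclasses import dataclass
from typing import Iterable, Tuple

TRUSTED = {"TRUST_FULLY", "TRUST_ULTIMATE"}               # gpg prints no warning
FAILURES = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}

@dataclass
class Verdict:
    good: bool = False               # GOODSIG seen and no failure keyword
    signer: str = ""                 # user id from GOODSIG
    fingerprint: str = ""            # primary key fingerprint from VALIDSIG
    trust: str = "TRUST_UNDEFINED"   # TRUST_* keyword (undefined if none emitted)

def normalize(fpr: str) -> str:
    return fpr.replace(" ", "").upper()   # accept the spaced form gpg prints

def parse_status(text: str) -> Verdict:
    v, failed = Verdict(), False
    for line in text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        keyword, _, args = line[9:].partition(" ")
        if keyword == "GOODSIG":             # args: <keyid> <user id>
            v.signer = args.partition(" ")[2]
            v.good = not failed
        elif keyword == "VALIDSIG":          # field 10 is the primary key fpr, if given
            fields = args.split()
            v.fingerprint = fields[9] if len(fields) > 9 else fields[0]
        elif keyword.startswith("TRUST_"):
            v.trust = keyword
        elif keyword in FAILURES:
            failed, v.good = True, False
    return v

def evaluate(status_text: str, keys_file_fprs: Iterable[str]) -> Tuple[bool, str]:
    """keys_file_fprs: fingerprints from KEYS, i.e. keys you trust out of band."""
    v = parse_status(status_text)
    if not v.good:
        return False, "signature did not verify"
    if v.fingerprint in {normalize(f) for f in keys_file_fprs}:
        return True, f"good signature by {v.signer}; fingerprint listed in KEYS"
    if v.trust in TRUSTED:
        return True, f"good signature by {v.signer}; keyring trust is {v.trust}"
    return False, f"good signature, but {v.fingerprint} not in KEYS and gpg reports {v.trust}"

# Constructed sample for the signature quoted in the thread.
SAMPLE_STATUS = """\
[GNUPG:] GOODSIG 817AE1DD322D7ECA Robert Muir (Code Signing Key) <rm...@apache.org>
[GNUPG:] VALIDSIG 66619BA3C030DD5536251303817AE1DD322D7ECA 2012-08-06 1344307941 0 4 0 1 2 00 66619BA3C030DD5536251303817AE1DD322D7ECA
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
```

With the KEYS fingerprint supplied the sample is accepted; with an empty list it is rejected even though the signature is "Good", which is exactly the warning's point.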