Verifying the signature


#1

Is this the correct response to verifying the signature? The warning is worrying…

$ gpg --verify “sqlcipher-for-android-community-v3.3.0.zip.sig” "sqlcipher-for-
android-community-v3.3.0.zip"
gpg: Signature made 03/26/15 10:52:50 using RSA key ID 67FD0322
gpg: Good signature from "Zetetic LLC support@zetetic.net"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: D83F 5F9E B811 D6E6 B4A0 D9C5 D1FA 3A2A 97ED 25C2
Subkey fingerprint: A4EA 79E6 49E7 45B9 2117 A56F 0CB9 9EE2 67FD 0322


#2

Hello @drcrypto

You will need to specify the level of trust you have in the support@zetetic.net key. You can configure this within gpg:

gpg --edit-key support@zetetic.net

The above will place you in the gpg prompt, displaying key information for support@zetetic.net. Next you can specify your trust level:

gpg> trust

Which should provide you with your options:

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision?

More information can be found here.