Is this the correct response to verifying the signature? The warning is worrying…
$ gpg --verify "sqlcipher-for-android-community-v3.3.0.zip.sig" "sqlcipher-for-android-community-v3.3.0.zip"
gpg: Signature made 03/26/15 10:52:50 using RSA key ID 67FD0322
gpg: Good signature from "Zetetic LLC <support@zetetic.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: D83F 5F9E B811 D6E6 B4A0 D9C5 D1FA 3A2A 97ED 25C2
Subkey fingerprint: A4EA 79E6 49E7 45B9 2117 A56F 0CB9 9EE2 67FD 0322
Hello @drcrypto
You will need to specify the level of trust you have in the support@zetetic.net key. You can configure this within gpg:
gpg --edit-key support@zetetic.net
The above will place you in the gpg prompt, displaying key information for support@zetetic.net. Next you can specify your trust level:
gpg> trust
Which should provide you with your options:
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision?
More information can be found here.
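Added example, not part of either post above: the warning reflects missing certification of the key, so a script can instead compare the primary key fingerprint gpg reports against a value obtained independently of the download. The function names are hypothetical, the status lines in `sample_status` are constructed, and the fingerprints are the ones printed in the question, which still need confirming through a separate channel.

```shell
#!/usr/bin/env bash
# Added example: pin the signer's primary key fingerprint rather than
# relying on the trust database. Function names are hypothetical.

# Strip whitespace and upper-case a fingerprint such as "D83F 5F9E ...".
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Reads `gpg --status-fd 1 --verify ...` output on stdin.
# Succeeds only if a VALIDSIG line names the expected primary key and no
# failure status was reported. TRUST_* lines (the source of the warning in
# the question) are deliberately ignored: the pin replaces that decision.
status_matches_fpr() {
    awk -v want="$(normalize_fpr "$1")" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            # field 3 = signing (sub)key fingerprint,
            # field 12 = primary key fingerprint
            if (toupper($12) == want) ok = 1
        }
        $1 == "[GNUPG:]" && $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ {
            bad = 1
        }
        END { exit ((ok && !bad) ? 0 : 1) }
    '
}

# verify_pinned <signature> <file> <expected primary fingerprint>
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        status_matches_fpr "$3"
}

# Constructed sample of machine-readable status output for the signature in
# the question (timestamp and algorithm fields are made up for illustration).
sample_status() {
    cat <<'EOF'
[GNUPG:] GOODSIG 0CB99EE267FD0322 Zetetic LLC <support@zetetic.net>
[GNUPG:] VALIDSIG A4EA79E649E745B92117A56F0CB99EE267FD0322 2015-03-26 1427367170 0 4 0 1 8 00 D83F5F9EB811D6E6B4A0D9C5D1FA3A2A97ED25C2
[GNUPG:] TRUST_UNDEFINED
EOF
}
```

Typical use is `verify_pinned file.zip.sig file.zip "<fingerprint>" && echo OK`; the check fails closed if gpg emits no primary fingerprint field.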