Problem with verification of downloaded files


#1

Hello, I tried to verify my download with these instructions but it didn’t go as planned.

  1. I imported the public signing key as instructed in the first part.
  2. I downloaded the files “SHA256 file” and “SHA256 file signature”
  3. I ran the command gpg --verify desktop.sha256sums.sig desktop.sha256sums

I got the following:

user@user:~/Downloads$ gpg --verify desktop.sha256sums.sig desktop.sha256sums
gpg: Signature made Fri 07 Dec 2018 10:58:25 AM EET
gpg:                using RSA key 57CE4D9CD8D276B4
gpg: Good signature from "Andrew Lyon <orthecreedence@gmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DEDF 113E 5424 8344 1637  16B5 5C66 FAD1 3222 D757
     Subkey fingerprint: B25B DF8F 8BB7 7454 ACFF  BA84 57CE 4D9C D8D2 76B4

Am I doing something wrong or what’s the catch?

Just a side note: the sha256 from the txt file matches my download. And I’m running Linux.

Thanks for your time.


#2

Another Linux user here. I noticed this too. Yeah, the sha256 matches, but that signature is super sketchy.


#3

Hi, maintainer of the Turtl project here. I can confirm that my key’s signature is DEDF113E54248344163716B55C66FAD13222D757


#4

Thank you for the clarification. Do you know what might be the reason for this output?


#5

Good question, I didn’t know so I looked it up:

Apparently, it means you have not explicitly trusted the key, and you do not trust any keys that have signed my key, effectively meaning that the key could belong to anybody claiming to have my name and email.
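An added example, not code from this thread or from the Turtl project: the practical answer to the warning above is to pin the primary key fingerprint the maintainer posted, rather than to tune web-of-trust settings. The POSIX shell helper below reads GnuPG's machine-readable --status-fd output, fails on BADSIG, and compares the primary fingerprint on the VALIDSIG line with the expected one. The file names and the fingerprint are taken from the thread; the sample status lines are constructed to mirror the gpg run in the first post, and the check_sig / verify_download function names are my own.

```shell
#!/bin/sh
# Added example (not Turtl project code): verify a downloaded checksum file
# against a PINNED signing key fingerprint instead of relying on gpg trust.

# check_sig reads GnuPG "--status-fd" output on stdin and compares the PRIMARY
# key fingerprint reported on the VALIDSIG line with $1 (spaces/case ignored).
# Return: 0 = good signature from the expected key
#         1 = bad signature, or no valid signature at all
#         2 = good signature, but made by a different key
check_sig() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    status=$(cat)

    # BADSIG: the signed file was altered, or the wrong .sig file was used.
    if printf '%s\n' "$status" | grep -q '^\[GNUPG:\] BADSIG '; then
        echo "BAD signature: file or signature has been tampered with"
        return 1
    fi

    # VALIDSIG fields: $3 = fingerprint of the (sub)key that signed,
    # $12 = primary key fingerprint (appended by modern GnuPG; fall back to $3).
    got=$(printf '%s\n' "$status" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { fp = (NF >= 12) ? $12 : $3; print fp; exit }')

    if [ -z "$got" ]; then
        echo "no valid signature found (key not imported, or not a signature?)"
        return 1
    fi
    if [ "$got" != "$expected" ]; then
        echo "signature from $got does NOT match expected $expected"
        return 2
    fi
    echo "good signature from expected primary key $got"
    return 0
}

# verify_download runs the procedure from the first post end to end:
#   1. the signature on the checksum file must come from the pinned key
#   2. the checksum file must then match the downloaded artifact
# Usage: verify_download desktop.sha256sums.sig desktop.sha256sums "$TURTL_FPR"
verify_download() {
    sigfile=$1; sumsfile=$2; fpr=$3
    # --status-fd 1 puts the machine-readable lines on stdout; the human
    # readable "WARNING: This key is not certified" goes to stderr and is
    # irrelevant once the fingerprint is pinned.
    gpg --status-fd 1 --verify "$sigfile" "$sumsfile" 2>/dev/null | check_sig "$fpr" || return $?
    # Only check entries whose files are present (GNU coreutils >= 8.25).
    sha256sum --ignore-missing -c "$sumsfile"
}

# Fingerprint the maintainer posted in this thread.
TURTL_FPR="DEDF 113E 5424 8344 1637  16B5 5C66 FAD1 3222 D757"

# Constructed sample status output, modelled on the gpg run in the first post.
# TRUST_UNDEFINED is the machine form of the "not certified" warning: the
# signature is valid, gpg just has no trust path to the key.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 57CE4D9CD8D276B4 Andrew Lyon <orthecreedence@gmail.com>
[GNUPG:] VALIDSIG B25BDF8F8BB77454ACFFBA8457CE4D9CD8D276B4 2018-12-07 1544173105 0 4 0 1 8 00 DEDF113E54248344163716B55C66FAD13222D757
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: a valid signature, but from some other key (all-zero fingerprint).
SAMPLE_WRONGKEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000000 Somebody Else <nobody@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2018-12-07 1544173105 0 4 0 1 8 00 0000000000000000000000000000000000000000
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: checksum file modified after signing.
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 57CE4D9CD8D276B4 Andrew Lyon <orthecreedence@gmail.com>'

echo "--- sample from the thread (expected key):"
printf '%s\n' "$SAMPLE_GOOD" | check_sig "$TURTL_FPR" || true
echo "--- valid signature, wrong key:"
printf '%s\n' "$SAMPLE_WRONGKEY" | check_sig "$TURTL_FPR" || true
echo "--- tampered file:"
printf '%s\n' "$SAMPLE_BAD" | check_sig "$TURTL_FPR" || true
```

The point of pinning is that the "not certified" warning only says gpg cannot vouch for the binding between the key and the name; it says nothing about the file. Once you have compared the fingerprint against a source you trust (here, the maintainer's post), the signature check is complete. If you also want the warning to go away in interactive use, a local signature on the key (`gpg --quick-lsign-key <fingerprint>`) records that you did that check, without publishing a certification.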


#6

Ah! Okay, that explains it. Thank you very much. And thank you also for the awesome software, will definitely support with premium account when it’s available.