Hello, I tried to verify my download with these instructions but it didn’t go as planned.
- I imported the public signing key as instructed in the first part.
- I downloaded the files “SHA256 file” and “SHA256 file signature”
- I ran the command
```
gpg --verify desktop.sha256sums.sig desktop.sha256sums
```
I got the following:
```
user@user:~/Downloads$ gpg --verify desktop.sha256sums.sig desktop.sha256sums
gpg: Signature made Fri 07 Dec 2018 10:58:25 AM EET
gpg: using RSA key 57CE4D9CD8D276B4
gpg: Good signature from "Andrew Lyon <orthecreedence@gmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DEDF 113E 5424 8344 1637 16B5 5C66 FAD1 3222 D757
Subkey fingerprint: B25B DF8F 8BB7 7454 ACFF BA84 57CE 4D9C D8D2 76B4
```
Am I doing something wrong or what’s the catch?
Just a side note that the sha256 from the txt file matches my download. And I’m running Linux.
Thanks for your time.