Verifying source code

I’ve been following the /Dev/Build_Documentation in order to build Whonix within Debian bookworm for arm64. Following the guide I’ve imported the necessary signatures and followed the verification steps. The output I get in the terminal for both the verify-tag and verify-commit commands made me raise an eyebrow… here’s what I see:

~/derivative-maker$ git verify-tag 17.2.0.7-stable
gpg: Signature made Wed 31 Jul 2024 09:12:24 AM EDT
gpg:                using RSA key 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48
gpg:                issuer "adrelanos@whonix.org"
gpg: Good signature from "Patrick Schleizer <adrelanos@kicksecure.com>" [unknown]
gpg:                 aka "Patrick Schleizer <adrelanos@riseup.net>" [unknown]
gpg:                 aka "Patrick Schleizer <adrelanos@whonix.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 916B 8D99 C38E AF5E 8ADC  7A2A 8D66 066A 2EEA CCDA
     Subkey fingerprint: 6E97 9B28 A6F3 7C43 BE30  AFA1 CB8D 50BB 77BB 3C48

and

~/derivative-maker$ git verify-commit 17.2.0.7-stable^{commit}
gpg: Signature made Sun 28 Jul 2024 07:36:05 PM EDT
gpg:                using RSA key 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48
gpg:                issuer "adrelanos@whonix.org"
gpg: Good signature from "Patrick Schleizer <adrelanos@kicksecure.com>" [unknown]
gpg:                 aka "Patrick Schleizer <adrelanos@riseup.net>" [unknown]
gpg:                 aka "Patrick Schleizer <adrelanos@whonix.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 916B 8D99 C38E AF5E 8ADC  7A2A 8D66 066A 2EEA CCDA
     Subkey fingerprint: 6E97 9B28 A6F3 7C43 BE30  AFA1 CB8D 50BB 77BB 3C48

Particularly this:

WARNING: This key is not certified with a trusted signature!
There is no indication that the signature belongs to the owner.

I’m unsure on how to interpret this output. Please advise :pray:

You can find this message discussed on the internet probably hundreds of times. → Utilize Search Engines and Documentation

Similar instructions with more detail:

If you want to be serious about digital software verification, reading the following is “mandatory”:

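The distinction the question turns on: "Good signature" means the signature cryptographically checks out against the key; the WARNING only says that key has no trust path in the local keyring (its validity is "[unknown]"), so gpg cannot vouch for the name on it. What makes the result meaningful is confirming the primary-key fingerprint against a value obtained from the project out of band. The following is an added example, not code from the thread or from derivative-maker: it parses gpg's machine-readable status lines (what `git verify-tag --raw` emits on stderr) and accepts the result only when the VALIDSIG line's primary-key fingerprint equals an expected value, regardless of the web-of-trust warning. The function names are mine, the status lines are constructed to match the output quoted above, and the expected fingerprint is simply the one shown in the post, which you must confirm from the project's own documentation before relying on it.

```shell
#!/bin/sh
# Added example, not part of the Whonix thread or of derivative-maker.
# Accept a signature only if gpg reports GOODSIG + VALIDSIG *and* the
# primary-key fingerprint matches a value you verified out of band.
# The "[unknown]" / "not certified with a trusted signature" warning is
# about keyring trust, not about whether the signature is valid.

# Primary-key fingerprint as printed in the thread's gpg output (assumption:
# confirm it against the project's published fingerprint before use).
EXPECTED_PRIMARY_FPR="916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA"

# Constructed sample of `gpg --status-fd` output (what `git verify-tag --raw`
# writes to stderr). VALIDSIG fields: signing-(sub)key fpr, date, timestamp,
# expiry, sig-version, reserved, pubkey-algo, hash-algo, sig-class, and, as
# the optional last field, the PRIMARY key fingerprint.
SAMPLE_STATUS_GOOD='[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA 0
[GNUPG:] GOODSIG CB8D50BB77BB3C48 Patrick Schleizer <adrelanos@kicksecure.com>
[GNUPG:] VALIDSIG 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48 2024-07-31 1722431544 0 4 0 1 8 00 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: a *valid* signature by a different key carrying the same
# name and e-mail. "Good signature from Patrick Schleizer" alone would
# not distinguish this from the real thing; only the fingerprint does.
SAMPLE_STATUS_IMPOSTOR='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Patrick Schleizer <adrelanos@kicksecure.com>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2024-07-31 1722431544 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: tampered content, signature does not verify at all.
SAMPLE_STATUS_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG CB8D50BB77BB3C48 Patrick Schleizer <adrelanos@kicksecure.com>'

# Turn the human-readable "916B 8D99 ..." form into the bare 40-hex-digit form.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Print the primary-key fingerprint from the VALIDSIG line (12th field), or
# nothing if gpg did not supply one (older gpg omits the optional field).
validsig_primary_fpr() {
    printf '%s\n' "$1" |
        awk '$1=="[GNUPG:]" && $2=="VALIDSIG" && NF>=12 { print $12; exit }'
}

# signature_acceptable STATUS_TEXT EXPECTED_PRIMARY_FPR -> exit 0 if acceptable
signature_acceptable() {
    status="$1"
    expected="$(normalize_fpr "$2")"
    # Any hard failure status makes the whole result unacceptable.
    if printf '%s\n' "$status" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)'; then
        return 1
    fi
    # Require GOODSIG, and a VALIDSIG whose primary fingerprint matches.
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    actual="$(validsig_primary_fpr "$status")"
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Stand-alone demonstration on the constructed samples.
for name in GOOD IMPOSTOR BAD; do
    eval "sample=\$SAMPLE_STATUS_$name"
    if signature_acceptable "$sample" "$EXPECTED_PRIMARY_FPR"; then
        echo "$name: primary fingerprint matches, accept (trust warning is irrelevant)"
    else
        echo "$name: reject, fingerprint mismatch or bad signature"
    fi
done
```

On a real checkout, feed it the status output of the tag you are building from, for example `status=$(git verify-tag --raw 17.2.0.7-stable 2>&1)` and then `signature_acceptable "$status" "$EXPECTED_PRIMARY_FPR"`; the same works for `git verify-commit --raw`. Once the fingerprint is confirmed, certifying the key locally (`gpg --lsign-key <fingerprint>`) gives it "full" validity in your keyring and the WARNING disappears, but that step only records a decision you have already made by comparing fingerprints; it does not add any security on its own.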