I’ve been following the /Dev/Build_Documentation
in order to build Whonix within Debian bookworm for arm64. Following the guide I’ve imported the necessary signatures and followed the verification steps. The output I get in the terminal for both the verify-tag
and verify-commit
commands made me raise an eyebrow… here’s what I see:
~/derivative-maker$ git verify-tag 17.2.0.7-stable
gpg: Signature made Wed 31 Jul 2024 09:12:24 AM EDT
gpg: using RSA key 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48
gpg: issuer "adrelanos@whonix.org"
gpg: Good signature from "Patrick Schleizer <adrelanos@kicksecure.com>" [unknown]
gpg: aka "Patrick Schleizer <adrelanos@riseup.net>" [unknown]
gpg: aka "Patrick Schleizer <adrelanos@whonix.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 916B 8D99 C38E AF5E 8ADC 7A2A 8D66 066A 2EEA CCDA
Subkey fingerprint: 6E97 9B28 A6F3 7C43 BE30 AFA1 CB8D 50BB 77BB 3C48
and
~/derivative-maker$ git verify-commit 17.2.0.7-stable^{commit}
gpg: Signature made Sun 28 Jul 2024 07:36:05 PM EDT
gpg: using RSA key 6E979B28A6F37C43BE30AFA1CB8D50BB77BB3C48
gpg: issuer "adrelanos@whonix.org"
gpg: Good signature from "Patrick Schleizer <adrelanos@kicksecure.com>" [unknown]
gpg: aka "Patrick Schleizer <adrelanos@riseup.net>" [unknown]
gpg: aka "Patrick Schleizer <adrelanos@whonix.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 916B 8D99 C38E AF5E 8ADC 7A2A 8D66 066A 2EEA CCDA
Subkey fingerprint: 6E97 9B28 A6F3 7C43 BE30 AFA1 CB8D 50BB 77BB 3C48
Particularly this:
WARNING: This key is not certified with a trusted signature!
There is no indication that the signature belongs to the owner.
I’m unsure on how to interpret this output. Please advice