jsha / gpg-download-verifier

Verify various styles of GPG download signatures using TOFU.

Is this the expected output from example? #1

Open jim-snyder-grant opened 9 years ago

jim-snyder-grant commented 9 years ago

Last few lines below, following the example given. Are these results to be expected?

gpg: keyring `/home/jim/.gpg-download-verifier/firefox/pubring.gpg' created
gpg: Signature made Thu 04 Dec 2014 09:03:53 PM EST using RSA key ID 15A0A4BC
gpg: requesting key 15A0A4BC from hkps server sks.openpgp-keyserver.de
gpg: /home/jim/.gpg-download-verifier/firefox/trustdb.gpg: trustdb created
gpg: key 3A06537A: public key "Mozilla Software Releases <releases@mozilla.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg: Good signature from "Mozilla Software Releases <releases@mozilla.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2B90 598A 745E 992F 315E 22C5 8AB1 3296 3A06 537A
     Subkey fingerprint: 5445 390E F5D0 C2EC FB8A 6201 057C C3EB 15A0 A4BC

jsha commented 9 years ago

Yes, that's expected. I tried to get GPG to not show the WARNING message, but it's exceedingly hard. I think the correct thing to do is to sign the releases@mozilla.org with --lsign, but in order to do signatures you need a private key generated. And I didn't want having a private key to be a prerequisite of using this. In a future revision I may add auto-generation of a one-off private key per package.

Note: despite the warning, you can trust that the signature is from the right key (within the limitations of the TOFU trust model), because for each package the script only downloads keys once, and then never fetches new keys.
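As an added illustration of the TOFU model described in this thread (example code, not the gpg-download-verifier script itself): instead of reading the human-oriented WARNING text, a wrapper can parse gpg's machine-readable `--status-fd` output, take the primary-key fingerprint from the VALIDSIG line, and pin it per package on first contact; every later verification must match that pin. The status lines below are constructed from the fingerprints quoted in the issue output; the `state_dir` layout is an assumption.

```python
import re
from pathlib import Path
from typing import Optional

# Constructed gpg --status-fd output for a signature made by subkey 15A0A4BC
# whose primary key is 3A06537A (fingerprints as printed in the issue above).
# The date/timestamp fields are placeholders; the code never reads them.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 057CC3EB15A0A4BC Mozilla Software Releases <releases@mozilla.org>
[GNUPG:] VALIDSIG 5445390EF5D0C2ECFB8A6201057CC3EB15A0A4BC 2014-12-05 1417745033 0 4 0 1 8 00 2B90598A745E992F315E22C58AB132963A06537A
[GNUPG:] TRUST_UNDEFINED
"""

# VALIDSIG: first field is the signing (sub)key fingerprint, last field is
# the primary-key fingerprint. TRUST_UNDEFINED is what produces the WARNING
# in the issue; it says nothing about whether the signature itself is good.
_VALIDSIG = re.compile(r"^\[GNUPG:\] VALIDSIG (\S+) .* (\S+)$", re.MULTILINE)


def primary_fingerprint(status: str) -> Optional[str]:
    """Return the primary-key fingerprint from a VALIDSIG line, or None.

    Only VALIDSIG proves the signature verified; a GOODSIG line without it
    (or a BADSIG/ERRSIG line) must not be accepted.
    """
    m = _VALIDSIG.search(status)
    return m.group(2) if m else None


def tofu_check(package: str, status: str, state_dir: Path) -> str:
    """TOFU decision for one package: 'pinned' on first contact, 'ok' when
    the signer matches the stored pin, 'MISMATCH' when a different primary
    key signed, 'BADSIG' when gpg reported no valid signature.

    As in the thread, the first contact is trusted unconditionally; the
    model only detects a signer change after that point.
    """
    fpr = primary_fingerprint(status)
    if fpr is None:
        return "BADSIG"
    pin = state_dir / package / "pinned_fingerprint"  # assumed layout
    if not pin.exists():
        pin.parent.mkdir(parents=True, exist_ok=True)
        pin.write_text(fpr)
        return "pinned"
    return "ok" if pin.read_text() == fpr else "MISMATCH"
```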