
I'm trying to verify the Apache POI download using the GPG simple installer download (gnupg-w32-2.4.7_20241125.exe for Windows from www.gnupg.org).

I've downloaded

  • apache-poi-src-5.3.0-20240625.zip
  • apache-poi-src-5.3.0-20240625.zip.asc and
  • keys.asc

On running the verification command I get the following warning:

Signature made on 06/25/24 07:10:08 Eastern using RSA key ......
Good signature from "PJ Fanning (..apache.org/) [email protected]" [unknown]
aka "PJ Fanning (GitHub noreply address) ....
aka "PJ Fanning <fanningpj@yahoo,com>" [unknown]

WARNING : This key is not certified with a trusted signature!
There is no indication that the signature belongs to the owner.
Primary key fingerprint : 6BA4 DA8B 1C88 A494 28A2 9C3D 0C69 C1EF 4118 1E13

Can you advise how I should proceed?

I was following the instructions I'd searched to verify the Apache POI download. I was expecting the verification to succeed.

  • The apache-poi-src-5.3.0-20240625.zip SHA-512 checksum matches. Commented Dec 16, 2024 at 22:14
  • Did you tell GPG that you trust signatures from the Apache POI team? Commented Dec 20, 2024 at 21:12
  • Thank you for the response. Re. the comment about telling GPG to trust the signatures... I thought that was the point of the process... you need to get confirmation from within the circle of trust that it's valid and was generated by the person claiming to have generated it. Commented Dec 27, 2024 at 21:01
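
The warning quoted in the question corresponds to gpg's machine-readable `TRUST_UNDEFINED` status: the signature verifies, but nothing in the local keyring certifies the key. As an added example (not part of the original post or of the Apache POI instructions), the Python below parses the lines printed by `gpg --status-fd 1 --verify` and accepts only when the signing key's primary fingerprint equals one you pinned beforehand. The status sample is constructed, `assess` and `normalize_fpr` are hypothetical names, and the pinned fingerprint is assumed to come from a source you already trust.

```python
import re

# Constructed sample of `gpg --status-fd 1 --verify <file>.asc <file>` output.
# The fingerprint is the one quoted in the question; uid and timestamp are made up.
FPR = "6BA4DA8B1C88A49428A29C3D0C69C1EF41181E13"
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0C69C1EF41181E13 PJ Fanning (constructed uid)\n"
    f"[GNUPG:] VALIDSIG {FPR} 2024-06-25 1719313808 0 4 0 1 10 00 {FPR}\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
FAILURES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def normalize_fpr(fpr):
    """Strip the spacing gpg prints in fingerprints and upper-case the hex."""
    return re.sub(r"\s+", "", fpr).upper()


def assess(status_text, pinned_fpr):
    """Return (verdict, reason) for one signature's status lines.

    pinned_fpr is assumed to come from a source you already trust,
    not from the same place as the download itself.
    """
    good, primary, trust = False, None, None
    for line in status_text.splitlines():
        fields = line.split()[1:] if line.startswith("[GNUPG:] ") else []
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in FAILURES:
            return ("reject", f"gpg reported {keyword}")
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and len(args) >= 10:
            primary = args[9].upper()  # tenth field: primary key fingerprint
        elif keyword.startswith("TRUST_"):
            trust = keyword
    if not good or primary is None:
        return ("reject", "no valid signature found")
    if primary != normalize_fpr(pinned_fpr):
        return ("reject", f"signed by unexpected key {primary}")
    if trust == "TRUST_UNDEFINED":
        return ("accept", "signature and pinned fingerprint match; "
                "the key is just not certified in the local keyring")
    return ("accept", f"signature and pinned fingerprint match ({trust})")
```
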
