David SMITH dave.smith at
Wed Mar 18 18:04:04 CET 2009

On Wed, Mar 18, 2009 at 05:24:12PM +0530, Vinay M wrote:
> Hi,
> When I run command "gpg --verify <file.sig>" I get the below mentioned
> warning.
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the
> owner.
> 1. I want to avoid this warning. How do I do that ?
> 2. Is this avoidable if I go with a trusted signature?
> 3. What does this warning exactly mean ?

It means that you haven't signed the key that you are using to check the
signature, and GnuPG isn't able to validate the key with your web-of-trust.

Going back to basics for a moment...

You have got this signed file from somewhere.

You have also obtained the key which claims to be from the sender.  You
might have got the key from a public keyserver, or possibly from
somewhere else.

How do you know that the key really is owned by the person it claims?
Anyone can upload a key to a keyserver claiming to be from anyone.
I could upload a key to a keyserver with the id "president at"
and you would then download it.  You need to build yourself a
web-of-trust by doing some keysigning.

I suggest reading the GNU Privacy Handbook, on the GnuPG website, and
if you still have questions, come back and ask...

David Smith        | Tel: +44 (0)1454 462380    Home: +44 (0)1454 616963
STMicroelectronics | Fax: +44 (0)1454 462305  Mobile: +44 (0)7932 642724
1000 Aztec West    | TINA: 065 2380          GPG Key: 0xF13192F2
Almondsbury        | Work Email: Dave.Smith at
BRISTOL, BS32 4SQ  | Home Email: David.Smith at

More information about the Gnupg-users mailing list