Gpg: WARNING: This key is not certified with a trusted signature!

I just installed Linux Mint and immediately installed the Brave browser and purged Firefox. Then I decided to verify the signature. So I copied the code and this is what I got:

l@k:~/bin$ curl -fsSLO "https://dl.brave.com/install.sh{,.asc}" && gpg --keyserver hkps://keys.openpgp.org --recv-keys BF62821AFB16036A4ACABCCC87E072BD82960F4D && gpg --verify install.sh.asc
gpg: key 87E072BD82960F4D: "One Line Installer for Brave (One Line Installer for Brave) [email protected]" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: assuming signed data in ‘install.sh’
gpg: Signature made Wed 22 Jan 2025 05:07:15 AM PST
gpg: using RSA key BF62821AFB16036A4ACABCCC87E072BD82960F4D
gpg: Good signature from "One Line Installer for Brave (One Line Installer for Brave) [email protected]" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: BF62 821A FB16 036A 4ACA BCCC 87E0 72BD 8296 0F4D

I suspect something is askew here, but on your end?

I am rusty on this, but the following info may help.

https://serverfault.com/questions/569911/how-to-verify-an-imported-gpg-key

There, scroll down to:

@fmarier of the Brave team probably can explain better.

That’s right, it basically means that you have not personally verified the signature’s fingerprints and that none of your trusted gpg “contacts” have verified it either.

Sadly, that’s kind of expected given how GPG relies on the idea of a “web of trust” and in-person “keysigning parties” (you can look that up if you want to see what it looks like) which only really work for small technical communities.

The important part is that you are seeing this:

gpg: Good signature from "One Line Installer for Brave (One Line Installer for Brave) [email protected]" [unknown]

That means the script was correctly signed with the key that you received from keys.openpgp.org.


Okay. So that’s the way it is. A bit confusing. Can anything be done to make it less confusing? Or basically we should know how the command works and live with it.

Unfortunately, we're limited by how the tool (GPG, but more generally OpenPGP) works.

[quote=“fmarier, post:3, topic:602190”]
The important part is that you are seeing this:

gpg: Good signature from "One Line Installer for Brave (One Line Installer for Brave) [email protected]" [unknown]

That means the script was correctly signed with the key that you received from keys.openpgp.org.
[/quote]

I had the same issue. Thank you!

When we’re verifying signatures, is there a general rule or pattern? If the signature had been wrong, what would we see?

This is what you would see if the signature was incorrect:

gpg: Signature made Mon 07 Apr 2025 08:31:19 AM PDT
gpg:                using RSA key D16166072CACDF2C9429CBF11BF41E37D039F691
gpg: BAD signature from "One Line Installer for Brave (One Line Installer for Brave) <[email protected]>" [unknown]

If you want to test it out yourself, follow these steps:

  1. Download both script and signature: curl -fsSLO "https://dl.brave.com/install.sh{,.asc}"
  2. Download signing key: gpg --keyserver hkps://keys.openpgp.org --recv-keys D16166072CACDF2C9429CBF11BF41E37D039F691
  3. Edit the installer script so that it’s not the one signed by Brave: echo "exit 0" >> install.sh
  4. Attempt to verify the signature: gpg --verify install.sh.asc
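The behaviour discussed in this thread, reproduced offline with a throwaway key. This is an added example; it is not Brave's installer, not the commands any poster ran, and not code from anyone in the thread. The key, the stand-in install.sh and the signer@example.invalid address are constructed. It goes one step beyond the thread: rather than reading the human-readable "Good signature" / "WARNING" text, it reads gpg's machine-readable `--status-fd` lines and pins the expected primary-key fingerprint, which is the check that stands in for the web-of-trust certification the WARNING is about.

```shell
#!/bin/sh
# Added example (not Brave's code, not from the thread). Two keyrings:
# SIGNER_HOME plays the "Brave" side and holds the private key;
# VERIFIER_HOME plays the user's side and holds only the imported public key.
set -u

# verify_pinned HOMEDIR FILE SIG FINGERPRINT
# Prints GOOD / BAD / WRONG_KEY / NO_SIG and returns 0 only for GOOD.
# GOOD requires a VALIDSIG status line whose last field (primary-key
# fingerprint) equals FINGERPRINT. The key's trust level is deliberately
# ignored: the fingerprint pin replaces the web-of-trust check.
verify_pinned() {
  status=$(gpg --batch --homedir "$1" --status-fd 1 --verify "$3" "$2" 2>/dev/null) || true
  if printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG .* $4\$"; then
    echo GOOD; return 0
  elif printf '%s\n' "$status" | grep -q '^\[GNUPG:\] BADSIG '; then
    echo BAD; return 1
  elif printf '%s\n' "$status" | grep -q '^\[GNUPG:\] VALIDSIG '; then
    echo WRONG_KEY; return 1
  fi
  echo NO_SIG; return 1
}

# trust_level HOMEDIR FILE SIG
# Prints the TRUST_* status gpg assigns to the signing key. TRUST_UNDEFINED
# is what produces the "not certified with a trusted signature" WARNING.
trust_level() {
  gpg --batch --homedir "$1" --status-fd 1 --verify "$3" "$2" 2>/dev/null \
    | grep -o 'TRUST_[A-Z]*' | head -n 1
}

# setup_demo: generate a key, sign a constructed install.sh, hand the public
# key to the user's keyring, and prepare a tampered copy of the script.
setup_demo() {
  WORK=$(mktemp -d)
  SIGNER_HOME=$WORK/signer
  VERIFIER_HOME=$WORK/verifier
  mkdir -m 700 "$SIGNER_HOME" "$VERIFIER_HOME"
  gpg --batch --homedir "$SIGNER_HOME" --pinentry-mode loopback --passphrase '' \
      --quick-gen-key 'Demo Signer <signer@example.invalid>' default default never 2>/dev/null
  FPR=$(gpg --batch --homedir "$SIGNER_HOME" --list-keys --with-colons \
        | awk -F: '$1=="fpr"{print $10; exit}')
  # Constructed stand-in for install.sh (the real installer is not needed here).
  printf '#!/bin/sh\necho "installing brave"\n' > "$WORK/install.sh"
  gpg --batch --homedir "$SIGNER_HOME" --pinentry-mode loopback --passphrase '' \
      --armor --detach-sign --output "$WORK/install.sh.asc" "$WORK/install.sh"
  # The user imports the public key (the thread does this with --recv-keys).
  gpg --batch --homedir "$SIGNER_HOME" --export --armor "$FPR" \
    | gpg --batch --homedir "$VERIFIER_HOME" --import 2>/dev/null
  # Same signature file, one extra line in the script: the thread's step 3.
  cp "$WORK/install.sh" "$WORK/tampered.sh"
  echo 'exit 0' >> "$WORK/tampered.sh"
}

cleanup_demo() {
  for h in "$SIGNER_HOME" "$VERIFIER_HOME"; do
    GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null || true
  done
  rm -rf "$WORK"
}

main() {
  WRONG_FPR=0000000000000000000000000000000000000000
  setup_demo
  echo "trust in signer's own keyring: $(trust_level "$SIGNER_HOME" "$WORK/install.sh" "$WORK/install.sh.asc")"
  echo "trust in user's keyring:       $(trust_level "$VERIFIER_HOME" "$WORK/install.sh" "$WORK/install.sh.asc")"
  echo "pinned fpr, intact script:     $(verify_pinned "$VERIFIER_HOME" "$WORK/install.sh" "$WORK/install.sh.asc" "$FPR")"
  echo "pinned fpr, tampered script:   $(verify_pinned "$VERIFIER_HOME" "$WORK/tampered.sh" "$WORK/install.sh.asc" "$FPR")"
  echo "wrong fpr pinned:              $(verify_pinned "$VERIFIER_HOME" "$WORK/install.sh" "$WORK/install.sh.asc" "$WRONG_FPR")"
  cleanup_demo
}

main
```

In the signer's own keyring the key is TRUST_ULTIMATE and gpg prints no warning; in the user's keyring the same signature over the same file yields VALIDSIG but TRUST_UNDEFINED, which is the "Good signature ... [unknown]" plus WARNING combination from the first post. Appending `exit 0` turns that into BADSIG. A wrong pinned fingerprint is reported separately from a bad signature, because a valid signature from the wrong key is exactly what a keyserver substitution attack would produce. In practice the value to pin is the `Primary key fingerprint` line, compared against a fingerprint obtained from a channel other than the keyserver that served the key.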