Gpg: WARNING: This key is not certified with a trusted signature!

PassingThrough · March 4, 2025, 6:22pm

I just installed Linux Mint and immediately installed the bravebrowser and purged firefox. Then I decided to check the verify the signature. So I copied the code and this is what I got:

l@k:~/bin$ curl -fsSLO “https://dl.brave.com/install.sh{,.asc}” && gpg --keyserver hkps://keys.openpgp.org --recv-keys BF62821AFB16036A4ACABCCC87E072BD82960F4D && gpg --verify install.sh.asc
gpg: key 87E072BD82960F4D: “One Line Installer for Brave (One Line Installer for Brave) [email protected]” not changed
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: assuming signed data in ‘install.sh’
gpg: Signature made Wed 22 Jan 2025 05:07:15 AM PST
gpg: using RSA key BF62821AFB16036A4ACABCCC87E072BD82960F4D
gpg: Good signature from “One Line Installer for Brave (One Line Installer for Brave) [email protected]” [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: BF62 821A FB16 036A 4ACA BCCC 87E0 72BD 8296 0F4D

I suspect something is askew here but on your end?

Description of the issue:
How can this issue be reproduced?

Expected result:

Brave Version( check About Brave):

Additional Information:

289wk · March 4, 2025, 10:03pm

I am rusty on this, but the following info may help.

https://serverfault.com/questions/569911/how-to-verify-an-imported-gpg-key

There, scroll down to:

@fmarier of the Brave team, probably can explain better.

fmarier · March 4, 2025, 11:48pm

That’s right, it basically means that you have not personally verified the signature’s fingerprints and that none of your trusted gpg “contacts” have verified it either.

Sadly, that’s kind of expected given how GPG relies on the idea of a “web of trust” and in-person “keysigning parties” (you can look that up if you want to see what it looks like) which only really work for small technical communities.

The important part is that you are seeing this:

gpg: Good signature from “One Line Installer for Brave (One Line Installer for Brave) [email protected]” [unknown]

That means the script was correctly signed with the key that you received from keys.openpgp.org.

PassingThrough · March 5, 2025, 11:09pm

Okay. So that’s the way it is. A bit confusing. Can anything be done to make it less confusing? Or basically we should know how the command works and live with it.

fmarier · March 6, 2025, 7:21pm

Unfortunately, we’re limited by how the tool (GPG, but more generally OpenPG) works.

Topic		Replies	Views
New GPG key for Debian derived Linux users Browser Support linux	2	2970	March 8, 2020
Cannot install Brave on Ubuntu 20.04.6 LTS Desktop Support linux	5	1664	May 6, 2023
[HELP] An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://brave-browser-apt-release.s3.brave.com bionic InRelease: The following signatures were invalid Desktop Support linux	5	12911	May 6, 2019
How to verify whether I am using a original brave browser Desktop Support linux	1	521	April 11, 2021
Can't install brave on linux Browser Support linux	3	1437	January 16, 2021
Installation problem related to key?	2	1201	October 7, 2021
Install problems on Linux Mint 21.0 Browser Support linux	1	603	March 22, 2021
Trouble installing brave on ubuntu Browser Support linux	1	355	March 1, 2021

Gpg: WARNING: This key is not certified with a trusted signature!

Related topics