How to Verify and Manage GPG Keys: Trust Signatures, Expiration Checks, and Key Updates

When you see the message "This key is not certified with a trusted signature", it means the key hasn't been manually marked as trusted in your keyring. GPG uses a web of trust model where you need to explicitly trust keys.

gpg --edit-key 189CDBC5
gpg> trust
Your decision? 5
gpg> quit

For production environments, you should follow this verification process:

  1. Obtain the key from multiple independent sources
  2. Verify the fingerprint matches official documentation
  3. Sign the key with your own key to establish trust

To inspect key details including expiration:

gpg --list-keys --with-colons 189CDBC5 | grep -E '^(pub|sub|sig|exp)'

Or for human-readable format:

gpg --list-keys --with-keygrip 189CDBC5

When a key expires or needs updating:

# Refresh keys from keyserver
gpg --keyserver hkp://keyserver.ubuntu.com --refresh-keys

# Or update specific key
gpg --recv-keys 189CDBC5

For the Internet Systems Consortium key mentioned:

# Import the key
curl -s https://www.isc.org/keys/isc-key-2023.asc | gpg --import

# Verify the fingerprint matches documentation
gpg --fingerprint 189CDBC5

# Set trust level
gpg --edit-key 189CDBC5 trust quit

# Verify signatures
gpg --verify package.tar.gz.sig package.tar.gz

For CI/CD pipelines, consider this verification script:

#!/bin/bash
set -euo pipefail
KEY_ID="189CDBC5"
EXPECTED_FP="2B48A38AE1CF9886435F89EE45AC7857189CDBC5"

# Usage: verify.sh <signature-file> <signed-file>
[ $# -eq 2 ] || { echo "usage: $0 <sig> <file>" >&2; exit 2; }

# Fetch the key only if it is not already in the keyring
if ! gpg --list-keys "$KEY_ID" >/dev/null 2>&1; then
    gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys "$KEY_ID"
fi

# Check the fingerprint. The machine-readable colon format is stable across
# gpg versions, whereas the human-readable "Key fingerprint =" line is not
# (gpg 2.1+ prints the fingerprint on a line of its own). Field 10 of the
# "fpr" record holds the full fingerprint without spaces.
ACTUAL_FP=$(gpg --with-colons --fingerprint "$KEY_ID" | awk -F: '$1 == "fpr" { print $10; exit }')
if [ "$ACTUAL_FP" != "$EXPECTED_FP" ]; then
    echo "Fingerprint verification failed!" >&2
    exit 1
fi

# Verify the signature; gpg exits non-zero on a bad or missing signature
gpg --verify "$1" "$2" || exit 1

When you see the message "This key is not certified with a trusted signature", it indicates a fundamental security concept in GPG/PGP systems. The verification command you executed:

gpg --verify bind-9.9.4-P2.tar.gz.sha512.asc bind-9.9.4-P2.copiedlink.tar.gz
gpg: Signature made Fri 03 Jan 2014 01:58:50 PM PST using RSA key ID 189CDBC5
gpg: Good signature from "Internet Systems Consortium, Inc. (Signing key, 2013) "
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2B48 A38A E1CF 9886 435F  89EE 45AC 7857 189C DBC5

The "Good signature" confirms cryptographic validity, while the warning indicates missing trust in the key's authenticity. This is normal for newly imported keys.

To mark a key as trusted, you need to:

  1. Verify the key fingerprint through independent channels (official website, key servers)
  2. Sign the key locally to establish trust

First, check the key details:

gpg --fingerprint 189CDBC5

Then sign the key after verification:

gpg --sign-key 189CDBC5

This creates a local trust signature. For more formal verification, consider key signing parties or the Web of Trust.

To check key expiration dates:

gpg --list-keys --with-colons 189CDBC5 | grep -E '^(pub|sub):'

Sample output showing expiration:

pub:f:4096:1:45AC7857189CDBC5:1388534400:1704067200::u:::scESC::::::23::0:
sub:f:4096:1:9F4D4CAB189CDBC5:1388534400:1704067200:::::e::::::23:

The 5th and 6th colon-separated fields represent creation and expiration timestamps (Unix epoch).

When keys expire or need updating:

# Refresh keys from keyservers
gpg --keyserver hkp://keyserver.ubuntu.com --refresh-keys

# For manual updates, first delete the old key
gpg --delete-key 189CDBC5

# Then import the new version
gpg --import updated_key.asc

For scripting purposes, use this verification pattern:

#!/bin/bash
# --status-fd 1 writes the machine-readable "[GNUPG:] ..." lines to stdout;
# the human-readable output on stderr is discarded.
VERIFICATION=$(gpg --status-fd 1 --verify file.sig file 2>/dev/null)
if echo "$VERIFICATION" | grep -q '^\[GNUPG:\] GOODSIG '; then
    echo "Valid signature"
    # VALIDSIG is emitted for every good signature, trusted or not; the
    # TRUST_* line carries the web-of-trust result for the signing key.
    if echo "$VERIFICATION" | grep -Eq '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)'; then
        echo "Fully trusted signature"
    else
        echo "Untrusted (but valid) signature"
    fi
else
    echo "Invalid signature"
    exit 1
fi
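An added example combining the two checks the answers above describe, the CI fingerprint comparison and the colon-format expiration check, in one script that runs offline against sample records. It is not code from either answer; SAMPLE_RECORDS, its key IDs and timestamps, and the helper function names are constructed for the demonstration.

```shell
#!/bin/bash
# Added example, not from either answer above. Works on `gpg --with-colons`
# records so it runs offline; the records below are CONSTRUCTED sample input
# (same shape as the answer's output, not real ISC key data).
# Colon layout, counting the record type as field 1: field 5 = key ID,
# 6 = creation epoch, 7 = expiration epoch (empty when the key never
# expires); for "fpr" records field 10 is the full fingerprint.
SAMPLE_RECORDS='pub:f:4096:1:45AC7857189CDBC5:1388534400:1704067200::u:::scESC::::::23::0:
fpr:::::::::2B48A38AE1CF9886435F89EE45AC7857189CDBC5:
sub:f:4096:1:9F4D4CAB189CDBC5:1388534400:1704067200:::::e::::::23:
pub:u:255:22:0123456789ABCDEF:1700000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:'

# key_status <now_epoch> [warn_days]  (records on stdin)
# One line per pub/sub record: "<type> <keyid> <expired|expiring|ok|never> <expires|->"
key_status() {
  awk -F: -v now="$1" -v warn_secs="$(( ${2:-30} * 86400 ))" '
    $1 == "pub" || $1 == "sub" {
      expires = $7
      if (expires == "")                      { status = "never"; expires = "-" }
      else if (expires + 0 <= now + 0)        { status = "expired" }
      else if (expires - now <= warn_secs)    { status = "expiring" }
      else                                    { status = "ok" }
      printf "%s %s %s %s\n", $1, $5, status, expires
    }'
}

# fingerprint_of <keyid>  (records on stdin): accepts a short (8 hex) or
# long (16 hex) key ID and prints the fingerprint of the matching primary key.
fingerprint_of() {
  awk -F: -v kid="$1" '
    $1 == "pub" { hit = (substr($5, length($5) - length(kid) + 1) == kid) }
    $1 == "fpr" && hit { print $10; exit }'
}

# check_keys <now_epoch> [warn_days]: print the status table and exit 1 if
# any key is already expired, which is the shape a CI gate needs.
check_keys() {
  printf '%s\n' "$SAMPLE_RECORDS" | key_status "$1" "$2" |
    awk 'BEGIN { bad = 0 } { print } $3 == "expired" { bad = 1 } END { exit bad }'
}

# Against a live keyring, feed real records instead of SAMPLE_RECORDS:
#   gpg --with-colons --fingerprint 189CDBC5 | key_status "$(date +%s)" 30
```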