gpg4win Download verification

I have downloaded gpg4win-2.3.0 from the official website and tried to verify the signature (after downloading the signature as well, the file ending in .exe.sig). I am getting the following output. Is this valid, or is there some problem with the download?


gpg --verify gpg4win-2.3.0.exe.sig gpg4win-2.3.0.exe
gpg: Signature made 11/24/15 13:06:13 Central Standard Time using DSA key ID EC70B1B8
gpg: Good signature from “Intevation File Distribution Key distribution-key@intevation.de” unknown
gpg: WARNING: This key is not certified with a trusted signature!
There is no indication that the signature belongs to the owner.
Primary key fingerprint: 61AC 3F5E E4BE 593C 13D6 8B1E 7CBD 620B EC70 B1B8

I checked the past fingerprints as listed on https://www.gnupg.org/signature_key.html but didn't find the one above.

My installed version is gpg 2.0.27 (Gpg4win 2.2.4)
libgcrypt 1.6.3…
OS: Windows 7 Home SP1

Thanks,

If this is the first time you are dealing with that signature, it is asking if you trust it. Answer yes if you do. Then it will be a trusted signature and in the future it won’t ask you about that one again.

Curious, though, as to why the fingerprint isn't matching any of the versions published so far.

Hi Tap, Hi Greg!

The Gpg4win installer is finally compiled and signed by Intevation
and not by Werner’s g10code. This is why https://www.gnupg.org/signature_key.html
does not have Intevation’s OpenPGP certificate.

One way to verify it (a bit) is using https://ssl.intevation.de
Another is to use the web of trust.

Best,
Bernhard
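As an added illustration (not part of the thread above, and not Intevation's or Gpg4win's own tooling) of how to turn "check the fingerprint out of band" into something scriptable: the "Good signature" text in the human-readable output is not meant for parsing, and the WARNING about an uncertified key only reflects the local web of trust. A script should instead read gpg's machine-readable status lines (`--status-fd 1`) and accept the file only if a VALIDSIG line carries the fingerprint you already obtained from an independent source (e.g. https://ssl.intevation.de). The status line formats below follow gpg's DETAILS documentation; the sample status output is constructed for this example, not captured from a real run, and the hypothetical helper names (`check_validsig`, `norm_fpr`, `verify_sample_*`) are this example's own.

```shell
#!/bin/sh
# Fingerprint quoted in the thread above; in practice obtain it from an
# independent source (e.g. the key page on https://ssl.intevation.de), not
# from the same download location as the installer and the .sig file.
EXPECTED_FPR="61AC 3F5E E4BE 593C 13D6 8B1E 7CBD 620B EC70 B1B8"

# Normalise a fingerprint for comparison: drop spaces, upper-case hex digits.
norm_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Read gpg --status-fd output on stdin.  Returns 0 only if a VALIDSIG line is
# present whose fingerprint equals $1; returns 2 on any BADSIG/ERRSIG line,
# and 1 if no signature from the expected key was found.
# VALIDSIG format (gpg DETAILS): VALIDSIG <fpr> <sig-date> <sig-timestamp> ...
check_validsig() {
  expected=$(norm_fpr "$1")
  found=1
  while IFS= read -r line; do
    case "$line" in
      "[GNUPG:] VALIDSIG "*)
        set -- $line            # split on whitespace: $3 is the signing key fpr
        if [ "$(norm_fpr "$3")" = "$expected" ]; then
          found=0
        fi
        ;;
      "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*)
        return 2                # a bad or unverifiable signature is fatal
        ;;
    esac
  done
  return $found
}

# Real-world use (needs the files from the thread on disk; not run here):
#   gpg --status-fd 1 --verify gpg4win-2.3.0.exe.sig gpg4win-2.3.0.exe \
#     | check_validsig "$EXPECTED_FPR" && echo "signed by expected key"

# Constructed sample of status output for a good signature by the expected key.
# TRUST_UNDEFINED is what produces the "not certified" WARNING in the thread;
# the out-of-band fingerprint check above is what stands in for that trust.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7CBD620BEC70B1B8 Intevation File Distribution Key <distribution-key@intevation.de>
[GNUPG:] VALIDSIG 61AC3F5EE4BE593C13D68B1E7CBD620BEC70B1B8 2015-11-24 1448391973 0 4 0 17 2 00 61AC3F5EE4BE593C13D68B1E7CBD620BEC70B1B8
[GNUPG:] TRUST_UNDEFINED'

# Constructed sample: a valid signature, but from some other (made-up) key.
SAMPLE_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Somebody Else <else@example.invalid>
[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2015-11-24 1448391973 0 4 0 17 2 00 0000111122223333444455556666777788889999
[GNUPG:] TRUST_UNDEFINED'

# Constructed sample: signature does not match the file.
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 7CBD620BEC70B1B8 Intevation File Distribution Key <distribution-key@intevation.de>'

verify_sample_good()      { printf '%s\n' "$SAMPLE_GOOD"      | check_validsig "$EXPECTED_FPR"; }
verify_sample_other_key() { printf '%s\n' "$SAMPLE_OTHER_KEY" | check_validsig "$EXPECTED_FPR"; }
verify_sample_bad()       { printf '%s\n' "$SAMPLE_BAD"       | check_validsig "$EXPECTED_FPR"; }
```

The point of matching on the full 40-hex-digit fingerprint rather than the short key ID shown in the thread (EC70B1B8) is that 32-bit key IDs are easy to collide; the fingerprint is what you should compare against the independent source, and the script accepts nothing that is not both a valid signature and from that exact key.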

Thanks to both of you for helping.