Sublime Forum

Help with gpg error when verifying gpg signature for Linux tarballs

#1

Hello, I’m wanting to install Sublime Text using the portable method outlined in the unofficial documentation installation guide so I can try it out before I purchase it. I am new to actually using signatures with gpg. (I have used SHA256 hashes, but that’s about it.)
I followed a guide to get a grasp on how to use the .gpg and .sig to verify the download here: [https://signmycode.com/resources/steps-to-verify-the-digital-signature-of-a-file-in-windows-and-linux]

Ran the command:
$> gpg --import sublimehq-pub.gpg
Which succeeded.

Then I ran the following command:
$> gpg --verify sublime_text_build_4169_x64.tar.xz.asc sublime_text_build_4169_x64.tar.xz
Which got the following output:

gpg: Signature made Thu 23 Nov 2023 04:03:12 PM CST
gpg:                using RSA key F57D4F59BD3DF454
gpg: Good signature from "Sublime HQ Pty Ltd <support@sublimetext.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: <fingerprint removed>
     Subkey fingerprint: <fingerprint differed from Primary, removed>
  1. What does this mean (Should I give attention to it, or is it just the way the package was signed and doesn’t matter)?
  2. Have I done everything I should when importing the key into the keyring with gpg?
  3. Anything else I am missing or advice on better practice using this key with Sublime Text?

I installed it in a Debian virtual machine and it seems to work fine with the most basic test, so it seems fine. But, for the sake of at least learning, since I’m still new to this concept and I’m trying to develop my programming skills also, any input would be greatly appreciated.


#2

As you can see from the output, the signature is good, but the trust level for our key is “unknown”. See: https://security.stackexchange.com/questions/147447/gpg-why-is-my-trusted-key-not-certified-with-a-trusted-signature

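The check behind that answer, as an added example that is not code from the thread or from Sublime HQ: the warning only says your keyring has no trust path to the key, so the practical defence is to pin the primary key fingerprint the vendor publishes, which gpg reports in the VALIDSIG line of its --status-fd output. EXPECTED_FPR, the fingerprints and the sample status lines below are constructed placeholders; the subkey/primary split in the sample mirrors what the first post saw.

```shell
#!/bin/sh
# Added example, not code from the thread or from Sublime HQ.
# "not certified with a trusted signature" means the keyring has no trust
# path to the key; the practical check is to pin the vendor's published
# primary key fingerprint, which gpg reports in the VALIDSIG status line.

# Placeholder: replace with the 40-hex-digit primary fingerprint published
# by the vendor (the thread redacted the real one).
EXPECTED_FPR="0000000000000000000000000000000000000000"

# parse_status STATUS_TEXT EXPECTED_FPR
# Returns 0 only when a VALIDSIG line is present, its primary-key
# fingerprint (field 12, counting "[GNUPG:]" and "VALIDSIG") equals
# EXPECTED_FPR, and the signing key is neither expired nor revoked.
parse_status() {
    status="$1"; expected="$2"
    printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] (EXPKEYSIG|REVKEYSIG) ' && return 1
    primary=$(printf '%s\n' "$status" \
        | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $12; exit }')
    [ -n "$primary" ] && [ "$primary" = "$expected" ]
}

# verify_file SIGNATURE FILE EXPECTED_FPR
# Runs gpg with machine-readable status output and applies parse_status.
# (Needs gpg installed and the vendor key already imported.)
verify_file() {
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null)
    parse_status "$status" "$3"
}

# Constructed sample of what gpg --status-fd prints for the thread's case:
# a good signature from a subkey (field 3) whose primary fingerprint
# (field 12) differs, with trust undefined. All fingerprints are made up.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG F57D4F59BD3DF454 Sublime HQ Pty Ltd <support@sublimetext.com>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2023-11-23 1700776992 0 4 0 1 8 00 0000000000000000000000000000000000000000
[GNUPG:] TRUST_UNDEFINED 0 pgp'

if parse_status "$SAMPLE_STATUS" "$EXPECTED_FPR"; then
    echo "signature good and signing key pinned to expected fingerprint"
else
    echo "signature not acceptable" >&2
fi
```

Pinning compares against a fingerprint obtained out of band (the vendor's site over HTTPS, documentation, or a prior known-good install), which is what the "trusted signature" warning is really asking you to do.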

#3

Sorry to bring up this older thread, but I just wanted to acknowledge what you said bschaaf.
I had seen that post before you linked it, but because I had too many other things I was trying to understand at the moment, I couldn’t quite understand everything I needed to, so I had to step away for a while. However, looking at that link again, it did have all the information needed; I just wasn’t able to dive that deep at that moment. I appreciate the information you linked to though.
