How do I verify the download for Linux?

Hi, I am trying to verify my download, but despite having done this for other downloads, I can’t seem to work out how to do it with the Cryptomator .AppImage and .asc.

The download page gives me two files and a sig:

https://dl.bintray.com/cryptomator/cryptomator/1.5.5/cryptomator-1.5.5-x86_64.AppImage (the software)
https://dl.bintray.com/cryptomator/cryptomator/1.5.5/cryptomator-1.5.5-x86_64.AppImage.asc (the PGP sig)

And sig as text: d1e88605f00b29987e6229d086a1148b9a679b5f50e7f4f4a1121e80db9ad44e

If I type this command in, I think it should provide me with a hash I can check?

gpg --verify cryptomator-1.5.5-x86_64.AppImage.asc cryptomator-1.5.5-x86_64.AppImage

It gives me

gpg: Signature made Wed 27 May 2020 12:18:24 BST using RSA key ID 34C80F11
gpg: Good signature from "Cryptobot (Release Manager) <releases@cryptomator.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5054 3A3D A4B1 DB81 DA3E  79CB 509C 9D63 34C8 0F11

But where do I check this fingerprint to? The sig? It isn’t the same?

I am confused and would suggest maybe an explanation of how to check the authenticity is posted on the download page… ?

Yeah, we still have to update our website. In the meantime, see:

2 Likes
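
The fingerprint gpg prints is compared against a copy of the release key's fingerprint obtained independently of the download, not against the hex string on the download page. The script below is an added example, not part of the original posts or Cryptomator's own tooling. It assumes the 64-character hex string listed with the download is the file's SHA-256 digest and that the release key is already in the local keyring.

```shell
#!/usr/bin/env bash
# Added example: pin the signer's fingerprint and check the published hash.
# EXPECTED_FPR is the fingerprint from the gpg output quoted in the post; confirm
# it through a channel other than the download server before trusting it.
EXPECTED_FPR="5054 3A3D A4B1 DB81 DA3E  79CB 509C 9D63 34C8 0F11"

# Strip spaces and uppercase, so "5054 3a3d ..." compares equal to "50543A3D...".
normalize_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# Read `gpg --status-fd` lines on stdin and print the primary key fingerprint
# from the VALIDSIG line (field 12; field 3 is the signing (sub)key itself).
primary_fpr_from_status() {
  awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print (NF >= 12 ? $12 : $3); exit }'
}

# $1 = gpg status text, $2 = expected fingerprint. True only on an exact match.
signer_matches() {
  local got
  got=$(printf '%s\n' "$1" | primary_fpr_from_status)
  [ -n "$got" ] && [ "$(normalize_fpr "$got")" = "$(normalize_fpr "$2")" ]
}

# $1 = file, $2 = expected SHA-256 in hex (assumed to be what the page lists).
sha256_matches() {
  local got
  got=$(sha256sum "$1" | awk '{ print $1 }')
  [ "$got" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# $1 = AppImage, $2 = .asc file, $3 = expected SHA-256.
verify_download() {
  local status
  # gpg exits non-zero on a bad signature or a missing public key.
  status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
  signer_matches "$status" "$EXPECTED_FPR" && sha256_matches "$1" "$3"
}

if [ "$#" -eq 3 ]; then
  if verify_download "$@"; then echo "OK: signer and hash match"
  else echo "FAILED: do not run this file" >&2; exit 1; fi
fi
```

Run it with the AppImage, the .asc file and the hex string from the download page as its three arguments. A "Good signature" from any other key fails the fingerprint comparison even though gpg itself exits successfully.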