On the site it says:

All files are signed with the following OpenPGP keys:

    pub   2048R/4BDB27B3 2015-11-25
          Key fingerprint = F7B2 754C 7DE2 8309 1466 1F0E A71D 9A9D 4BDB 27B3
    uid   Peter Stephenson
    sub   2048R/4C58D718 2015-11-25

    pub   rsa3072 2013-06-11 [SC] [expires: 2020-07-01]
          E96646BE08C0AF0AA0F90788A5FEEE3AC7937444
    uid   [ unknown] Daniel Shahaf
    uid   [ unknown] Daniel Shahaf
    sub   rsa3072 2013-06-11 [E] [expires: 2020-07-01]
    sub   rsa4032 2017-06-28 [S] [expires: 2020-07-01]

But I get:

    ~/Downloads$ gpg --verify zsh-5.6.2.tar.xz.asc zsh-5.6.2.tar.xz
    gpg: Signature made Fri Sep 14 05:58:34 2018 PDT
    gpg:                using RSA key 6EB60B637CE5ACBF2449A2DADB27E997429AF20C
    gpg: key A5FEEE3AC7937444: 26 signatures not checked due to missing keys
    gpg: key A5FEEE3AC7937444: public key "Daniel Shahaf " imported
    gpg: marginals needed: 3 completes needed: 1 trust model: pgp
    gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
    gpg: next trustdb check due at 2022-10-02
    gpg: Total number processed: 1
    gpg:               imported: 1
    gpg: Good signature from "Daniel Shahaf " [unknown]
    gpg:                 aka "Daniel Shahaf " [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: E966 46BE 08C0 AF0A A0F9 0788 A5FE EE3A C793 7444
         Subkey fingerprint: 6EB6 0B63 7CE5 ACBF 2449 A2DA DB27 E997 429A F20C

Is there a concern here?

Thank you!

Clark
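
An added example, not part of the original post or the zsh project's tooling: a shell check that reads gpg's machine-readable `--status-fd` output and accepts a signature only when the primary key behind the signing subkey is one of the two fingerprints in the key listing quoted above. The `check_status` and `sample_status` names and the sample status lines are constructed for illustration; only the fingerprints and the date come from the post.

```shell
#!/bin/sh
# Primary-key fingerprints from the key listing quoted in the post (spaces removed).
PINNED="F7B2754C7DE2830914661F0EA71D9A9D4BDB27B3 E96646BE08C0AF0AA0F90788A5FEEE3AC7937444"

# check_status: read `gpg --status-fd 1 --verify ...` output on stdin.
# Succeeds only if gpg reported GOODSIG and the VALIDSIG line's primary-key
# fingerprint (field 12; falls back to the signing key if absent) is pinned.
check_status() {
    awk -v pinned="$PINNED" '
        BEGIN { n = split(pinned, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "VALIDSIG" { signer = $3; primary = (NF >= 12) ? $12 : $3 }
        END {
            if (good && (primary in ok)) {
                printf "OK: signing key %s belongs to pinned primary %s\n", signer, primary
                exit 0
            }
            printf "FAIL: no good signature from a pinned primary key\n"
            exit 1
        }'
}

# Constructed sample of status output for the verification shown in the post.
# Algorithm, version and class fields are placeholders, not captured values.
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DB27E997429AF20C Daniel Shahaf
[GNUPG:] VALIDSIG 6EB60B637CE5ACBF2449A2DADB27E997429AF20C 2018-09-14 1536929914 0 4 0 1 10 00 E96646BE08C0AF0AA0F90788A5FEEE3AC7937444
EOF
}

sample_status | check_status
# Real use (assumes the key is already in the local keyring):
#   gpg --status-fd 1 --verify zsh-5.6.2.tar.xz.asc zsh-5.6.2.tar.xz 2>/dev/null | check_status
```

The check compares the primary fingerprint rather than the "using RSA key" value, because a signing subkey has its own fingerprint that does not appear in a listing of primary keys.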