
When I verify a file signature I get the following warning:

$ gpg --verify file.sig
gpg: Signature made So 01 Dez 2019 10:08:27 CET
gpg:                using RSA key <Pierre's key ID>
gpg: Good signature from "Pierre <pierre@example.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: <Pierre's key fingerprint>

I have signed Pierre's key (with a certificate level check 1):

$ gpg --list-signatures pierre@example.com | grep andrew
sig 1        5E091391A98EBD4E 2019-10-22  Andrew 'raindev' Barchuk <andrew@raindev.io>

And my own key is marked as ultimately trusted:

$ gpg --list-keys 5E091391A98EBD4E
pub   rsa2048 2017-10-19 [SC] [expires: 2021-10-21]
      0954F96BC41612E2299383945E091391A98EBD4E
      uid           [ultimate] Andrew 'raindev' Barchuk <andrew@raindev.io>
      sub   rsa2048 2017-10-19 [E] [expires: 2021-10-21]
      sub   rsa2048 2017-10-19 [S] [expires: 2021-10-21]

To my understanding it's safe to trust the signature as it's made by a key I have signed. What's the reason I get the warning and how do I get rid of it?

raindev
  • This is a FAQ. See: https://security.stackexchange.com/questions/147447/gpg-why-is-my-trusted-key-not-certified-with-a-trusted-signature or https://security.stackexchange.com/questions/45533/gpg-good-signature-but-warning-untrusted-signature or https://security.stackexchange.com/questions/6841/ways-to-sign-gpg-public-key-so-it-is-trusted – Jari Turkia Jul 27 '23 at 06:15
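
An added example, not part of the original post: the listing in the question shows the certification as `sig 1` (level 1), and GnuPG's `--min-cert-level` option defaults to 2, so level 1 certifications are disregarded when the trust database is built. The Python below parses `gpg --list-signatures --with-colons` output and reports whether each certification from a given key is counted; the sample input is constructed, and the key ID `0123456789ABCDEF` and the timestamps are placeholders.

```python
# Added example: which certifications on a key does GnuPG's trust database count?
# OpenPGP signature class -> certification level shown by `gpg --list-signatures`.
SIG_CLASS_TO_LEVEL = {0x10: 0, 0x11: 1, 0x12: 2, 0x13: 3}
DEFAULT_MIN_CERT_LEVEL = 2  # GnuPG's documented default for --min-cert-level

# Constructed sample in the --with-colons format. 0123456789ABCDEF and the
# timestamps are placeholders; 5E091391A98EBD4E is the signer key ID from the question.
SAMPLE = (
    "pub:-:2048:1:0123456789ABCDEF:1500000000:::-:::scESC:\n"
    "uid:-::::1500000000::::Pierre <pierre@example.com>:\n"
    "sig:::1:0123456789ABCDEF:1500000000::::Pierre <pierre@example.com>:13x:\n"
    "sig:::1:5E091391A98EBD4E:1571702400::::Andrew 'raindev' Barchuk <andrew@raindev.io>:11x:\n"
)

def parse_certifications(colon_output):
    """Return [(signer_keyid, level, exportable)] for every certification record."""
    certs = []
    for line in colon_output.splitlines():
        f = line.split(":")
        # Field 5 is the signer key ID, field 11 the class plus 'x' or 'l'.
        if f[0] != "sig" or len(f) < 11 or len(f[10]) < 3:
            continue
        try:
            level = SIG_CLASS_TO_LEVEL.get(int(f[10][:2], 16))
        except ValueError:
            continue  # malformed class field
        if level is not None:  # skip classes that are not key certifications
            certs.append((f[4], level, f[10][2] == "x"))
    return certs

def counted_by_trustdb(level, min_cert_level=DEFAULT_MIN_CERT_LEVEL):
    """Level 0 is always accepted; other levels must reach the minimum."""
    return level == 0 or level >= min_cert_level

def audit(colon_output, signer_keyid, min_cert_level=DEFAULT_MIN_CERT_LEVEL):
    """Report the signer's certifications and whether each one is counted."""
    return [
        (keyid, level, counted_by_trustdb(level, min_cert_level))
        for keyid, level, _ in parse_certifications(colon_output)
        if keyid == signer_keyid
    ]

if __name__ == "__main__":
    for keyid, level, counted in audit(SAMPLE, "5E091391A98EBD4E"):
        print(f"{keyid}: level {level}, counted by trustdb: {counted}")
```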

0 Answers