Just for the record, here is the audit log of one of the files in question which cannot be verified:
gpg: Signature made 17 Jun 2023 11.51.51 PM GMT Daylight Time
gpg: using RSA key D8F3DA77AAC6741053599C136E4A2D025B7CC9A2
gpg: Good signature from “sledgehammer_999 (Used for signing git commits/tags/etc) hammered999@gmail.com” [unknown]
gpg: aka “sledgehammer999 (Used for signing qBittorrent source tarballs and binaries v2.) sledgehammer999@qbittorrent.org” [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: D8F3 DA77 AAC6 7410 5359 9C13 6E4A 2D02 5B7C C9A2
I showed this to someone and was told that the key is valid, I just haven’t “trusted” his public key. Is that correct?
The signature is valid as gpg tells you “Good signature from …” but this only means that somebody has correctly signed the software, it does not tell you who signed it, only which key was used.
If you want the warning regarding the ownership of that key to go away you need to:
Verify that the owner of that key is who you think it is by comparing the fingerprint via another channel.
And then in Kleopatra right-click on their public key → certify to certify that the key belongs to the right person.
This has nothing to do with the “certification power” or trust which both are terms used in connection with the web of trust. They relate to if you want to trust their certifications of other keys. You do not need this for verifying your software downloads.
Well, people handle this differently and it depends on the context and
your level of paranoia how you do it.
Basically you check if the fingerprint for the public key you
downloaded, which is shown in the details of that key in Kleopatra, is
the same as the fingerprint of that person’s key you get from somewhere
else.
That somewhere else might e.g. be a business card you got from them at
an event. In your case - I guess you do not know the developer of the
software - you have to choose a less secure or a more complicated way.
The easiest: You can just decide to trust the key and certify it
You will then notice in the future if the signature has changed, when
you download and verify software from that site again.
The concept’s name is “Trust on first use” https://en.wikipedia.org/wiki/Trust_on_first_use .
Go ahead and read that article if you want to learn more, it also links
to the more complicated concept of web of trust.
I would check if the fingerprint of the key is given somewhere else than
where I got the download, too, and both match with the one
Kleopatra shows me, e.g. on the download page and the projects git
repository.
Certifying a key is easiest done in Kleopatra: just right-click the
public key in the certificate list and choose “Certify”. In the new
window the fingerprint is shown for easy comparison and you have to
click “Certify” again. That’s it.
