
Can't verify the signature of gitea binary as per instructions #14817


Closed
2 of 6 tasks
oreza opened this issue Feb 27, 2021 · 2 comments
Labels
type/docs This PR mainly updates/creates documentation

Comments

@oreza

oreza commented Feb 27, 2021

  • Gitea version (or commit ref): 1.13.2-linux-amd64
  • Git version: 2.25.1
  • Operating system: Ubuntu 20.04.2 LTS
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
  • Log gist:

Description

Can't verify the signature of gitea binary as per instructions

Steps:
1 - gpg --keyserver keys.openpgp.org --recv 7C9E68152594688862D62AF62D9AE806EC1592E2
2 - Download gitea-1.13.2-linux-amd64.asc
3 - Download gitea-1.13.2-linux-amd64
4 - gpg --verify gitea-1.13.2-linux-amd64.asc gitea-1.13.2-linux-amd64

gpg: Signature made Tue 02 Feb 2021 12:37:53 AM UTC
gpg:                using RSA key CC64B1DB67ABBEECAB24B6455FC346329753F4B0
gpg: Good signature from "Teabot <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7C9E 6815 2594 6888 62D6  2AF6 2D9A E806 EC15 92E2
     Subkey fingerprint: CC64 B1DB 67AB BEEC AB24  B645 5FC3 4632 9753 F4B0
@zeripath
Contributor

This is not true. Gpg is verifying the signature as good.

What it's reporting is that you don't trust the key that verifies that signature.

That's your gpg trust level for [email protected] not ours.

We've listed the gpg key in as many places as we can - keys.openpgp.org won't let you search for a key by email address unless a nonce sent to that email can be verified with the private key - we're on the sks pool and I think you can get the key on gitea.com too.

Your level of whether you want to trust this key as the gitea project is up to you - I think we've done all we can to reasonably assure that this is the gitea project's key and so you should raise your personal trust level for the key - but gpg is telling you that it verifies the signature.
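
The distinction drawn in the reply above (a good signature versus an untrusted key), as an added example that is not part of the original thread or Gitea's own tooling: a script that decides on gpg's `--status-fd` lines and a pinned primary fingerprint instead of the human-readable warning. The helper names `check_status` and `verify_release` are hypothetical; the fingerprint is the one printed in the issue.

```shell
#!/bin/sh
# Added example, not from the thread: decide on gpg's machine-readable status
# lines and a pinned fingerprint, not on the human-readable trust WARNING.

# Primary key fingerprint as printed in the issue above.
GITEA_FPR=7C9E68152594688862D62AF62D9AE806EC1592E2

# check_status EXPECTED_FPR  (hypothetical helper)
# Reads `gpg --status-fd 1 --verify ...` output on stdin. Succeeds only if a
# VALIDSIG line names EXPECTED_FPR as the primary key and no failure status
# appears. TRUST_UNDEFINED (the source of the WARNING) is ignored on purpose:
# the pin replaces the local trust database as the identity check.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        # Bad, unverifiable, or expired/revoked signatures all fail closed.
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "NO_PUBKEY" ||
        $2 == "EXPSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 3 is the signing (sub)key, field 12 the primary key.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == toupper(want)) ok = 1; else bad = 1
        }
        END { exit !(ok && !bad) }
    '
}

# verify_release SIGFILE DATAFILE [FPR]  (hypothetical helper)
# The pipeline's exit status is check_status's, so a missing gpg binary or
# an empty status stream also counts as failure.
verify_release() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "${3:-$GITEA_FPR}"
}

# Usage: sh verify.sh gitea-1.13.2-linux-amd64.asc gitea-1.13.2-linux-amd64
if [ "$#" -eq 2 ]; then
    if verify_release "$1" "$2"; then
        echo "OK: valid signature from $GITEA_FPR"
    else
        echo "FAILED: no valid signature from $GITEA_FPR" >&2
        exit 1
    fi
fi
```

Pinning the fingerprint only helps if the pinned value was obtained through a channel independent of the download itself.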

noerw added a commit to noerw/gitea that referenced this issue Feb 28, 2021
@noerw noerw added the type/docs This PR mainly updates/creates documentation label Feb 28, 2021
@oreza
Author

oreza commented Feb 28, 2021

Thank you

@go-gitea go-gitea locked and limited conversation to collaborators May 13, 2021
6543 pushed a commit that referenced this issue Jul 1, 2021
fixes #14817

Co-authored-by: techknowlogick <[email protected]>
AbdulrhmnGhanem pushed a commit to kitspace/gitea that referenced this issue Aug 10, 2021