Hey Guys,
I have downloaded "kali-linux-2016.1-amd64" from the official Kali Linux website and installed it on VMware. I am trying to verify the image as described in the section "Download Kali Linux Images Securely" of the website. I am following the steps below:
1. Downloading Kali’s official key using the commands below:
$ wget -q -O - https://www.kali.org/archive-key.asc | gpg --import
# or...
$ gpg --keyserver hkp://keys.gnupg.net --recv-key 7D8D0BF6
# ...and verify that the displayed fingerprint matches the one below
$ gpg --list-keys --with-fingerprint 7D8D0BF6
pub 4096R/7D8D0BF6 2012-03-05 [expires: 2018-02-02]
Key fingerprint = 44C6 513A 8E4F B3D3 0875 F758 ED44 4FF0 7D8D 0BF6
uid Kali Linux Repository <[email protected]>
sub 4096R/FC0D0DCB 2012-03-05 [expires: 2018-02-02]
The output is the same as described above. Then I downloaded SHA1SUMS and SHA1SUMS.gpg from the Kali Linux download server "http://cdimage.kali.org/".
Then I continued to the 2nd step, as below, and got the following output:
gpg --verify SHA1SUMS.gpg SHA1SUMS
gpg: Signature made Tuesday 22 March 2016 03:11:12 PM IST using RSA key ID 7D8D0BF6
gpg: Good signature from "Kali Linux Repository <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 44C6 513A 8E4F B3D3 0875 F758 ED44 4FF0 7D8D 0BF6
It says that the signature is good; however, it doesn't belong to the owner.
Now, what should I conclude from the above output? Is the image verified, or am I doing something wrong?
Thanks in advance.
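
The check this post is performing, as an added example (not part of the original post and not Kali's own tooling): gpg's "not certified with a trusted signature" warning describes the web-of-trust state of the local keyring, so the decision rests on a good signature whose fingerprint equals the published one, followed by comparing the image's SHA-1 with its entry in the signed SHA1SUMS. The status lines, the `.iso` file name and the image bytes below are constructed.

```python
import hashlib

# Fingerprint printed on the Kali download page, as quoted in the post.
KALI_FPR = "44C6513A8E4FB3D30875F758ED444FF07D8D0BF6"
REJECT_TAGS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def signature_verdict(status_text, pinned_fpr=KALI_FPR):
    """Judge the status lines of `gpg --status-fd 1 --verify SHA1SUMS.gpg SHA1SUMS`."""
    good, fprs, trust = False, set(), "no TRUST_ line"
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        tag = fields[1]
        if tag in REJECT_TAGS:
            return "REJECT: " + tag
        if tag == "GOODSIG":
            good = True
        elif tag == "VALIDSIG" and len(fields) > 2:
            # First argument: signing-key fingerprint; last: primary-key fingerprint.
            fprs = {fields[2], fields[-1]}
        elif tag.startswith("TRUST_"):
            trust = tag  # web-of-trust state of the local keyring, not signature validity
    if not (good and fprs):
        return "REJECT: no valid signature"
    if pinned_fpr not in fprs:
        return "REJECT: signed by an unexpected key"
    return "OK, pinned key (" + trust + ")"

def image_matches(sums_text, name, data):
    """True if SHA-1(data) equals the entry for `name` in the signed SHA1SUMS text."""
    digest = hashlib.sha1(data).hexdigest()
    for line in sums_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[1].lstrip("*").strip() == name:
            return parts[0].lower() == digest
    return False

# Constructed status output (dates, timestamps and trailing fields are made up).
SAMPLE_STATUS = """[GNUPG:] GOODSIG ED444FF07D8D0BF6 Kali Linux Repository
[GNUPG:] VALIDSIG 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6 2016-03-22 1458639672 0 4 0 1 2 00 44C6513A8E4FB3D30875F758ED444FF07D8D0BF6
[GNUPG:] TRUST_UNDEFINED"""

ISO_NAME = "kali-linux-2016.1-amd64.iso"  # assumed file name
ISO_BYTES = b"constructed stand-in for the image contents"  # not a real ISO
SAMPLE_SUMS = hashlib.sha1(ISO_BYTES).hexdigest() + "  " + ISO_NAME + "\n"

if __name__ == "__main__":
    print(signature_verdict(SAMPLE_STATUS), image_matches(SAMPLE_SUMS, ISO_NAME, ISO_BYTES))
```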