How to use GNU Privacy Guard to verify authenticity of MediaWiki download

Question

I just downloaded the latest version of MediaWiki and want to check it's authenticity. They provide a signature file on their download page http://www.mediawiki.org/wiki/Download. How would one use this with the gpg command on Linux?

Answer 1

The process I have used on Ubuntu 12.04 is as follows

(1) Download the mediawiki code

wget http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.2.tar.gz

(2) Download the signature file

wget http://download.wikimedia.org/mediawiki/1.20/mediawiki-1.20.2.tar.gz.sig

(3) Get the public keys of mediawiki signers

Click on the GPG keys link and then click "Get keys as a text bundle", or just go straight to: https://www.mediawiki.org/keys/keys.txt.

Save the file as keys.txt

(4) Import the public keys

gpg --import keys.txt

(5) Verify the file

gpg --verify mediawiki-1.20.2.tar.gz.sig

This is successful but I do receive the following warning however:

gpg: WARNING: This key is not certified with a trusted signature!<br />
gpg:          There is no indication that the signature belongs to the owner.

Since I downloaded the keys from what I believe to be a trusted source I am not worried about this. There must be a way to mark keys as trusted.