Skip to content

PGP key mismatch?

https://poppler.freedesktop.org/ says

The tarball has been signed (.sig file) by Albert Astals Cid CA262C6C83DE4D2FB28A332A3A6A4DB839EAA6D7.

But:

$ gpg --verify poppler-23.09.0.tar.xz.sig
gpg: assuming signed data in 'poppler-23.09.0.tar.xz'
gpg: Signature made Tue 05 Sep 2023 22:19:04 BST
gpg:                using DSA key 8C817BD535D5A44E9CE2EB63FE5444BE6702161B
gpg: Good signature from "Albert Astals Cid <aacid@kde.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8C81 7BD5 35D5 A44E 9CE2  EB63 FE54 44BE 6702 161B

8C817BD535D5A44E9CE2EB63FE5444BE6702161B (key used for 23.09.0) != CA262C6C83DE4D2FB28A332A3A6A4DB839EAA6D7 (key listed on the website).

Could you update the fingerprint on the website & the link to the key, if this is intentional? Thanks.