> ...gpg: Signature made Sat 05 May 2018 10:08:32 PM EEST > gpg: using RSA key DDFD4F61F24F0D9F > gpg: Can't check signature: No public key...
Note that while it's good to have our keys in our KEYS file, they can also be retrieved from public key servers if they have been uploaded there, in this case: $ gpg --keyserver pgp.surfnet.nl --recv-key DDFD4F61F24F0D9F gpg: requesting key F24F0D9F from hkp server pgp.surfnet.nl gpg: key F24F0D9F: public key "David Bosschaert (CODE SIGNING KEY) <dav...@apache.org>" imported gpg: no ultimately trusted keys found gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) -Bertrand