Thank you Hoss. I imported the KEYS file using *gpg --import KEYS.txt*. Then I did the *--verify* again. This time I get an output like this:
gpg: Signature made 08/06/12 19:52:21 Pacific Daylight Time using RSA key ID 322 D7ECA gpg: Good signature from "Robert Muir (Code Signing Key) <rm...@apache.org>" *gpg: WARNING: This key is not certified with a trusted signature!* gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 6661 9BA3 C030 DD55 3625 1303 817A E1DD 322D 7ECA Is this acceptable ? Thanks On Wed, Sep 5, 2012 at 5:38 PM, Chris Hostetter <hossman_luc...@fucit.org>wrote: > : I download solr 4.0 beta and the .asc file. I use gpg4win and type this > in > : the command line: > : > : >gpg --verify file.zip file.asc > : > : I get a message like this: > : > : *gpg: Can't check signature: No public key* > > you can verify the asc sig file using the public KEYS file hosted on the > main apache download site (do not trust asc or KEYS from a download > mirror, that defeats the point) > > > https://www.apache.org/dist/lucene/solr/KEYS > > > > -Hoss >