If I download the main Jetty tar.gz (http://download.eclipse.org/jetty/stable-9/dist/
), and then the signature file, and then run `gpg --verify` ... it says it's a good signature, but how do I know it wasn't just tampered with and resigned by some random person? How do I know that this is the right key?
gpg: Signature made Fri 05 Sep 2014 03:02:06 PM UTC using DSA key ID D7C58886
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5DE5 33CB 43DA F8BC 3E37 2283 E7AE 839C D7C5 8886