Key not certified with trusted signature

[CraigKnoblauch]

I downloaded the Apache Netbeans IDE from the official site (https://www.apache.org/dyn/closer.cgi/netbeans/netbeans-installers/13/Apache-NetBeans-13-bin-windows-x64.exe)

Following the gpg verification methods, I sourced the keys here: https://downloads.apache.org/netbeans/KEYS
I also sourced the .asc file for netbeans here: https://downloads.apache.org/netbeans/netbeans-installers/13/Apache-NetBeans-13-bin-windows-x64.exe.asc

I imported the keys into gpg, then proceeded to verify:

>gpg --import KEYS
<details about the keys imported>
Total number processed: 16
                        imported: 16
>gpg --verify netbeans.asc Apache-Netbeans-13-bin-windows-x64.exe
...<details about a key that is good but...> ...
WARNING: This key is not certified with a trusted signature

I ran certUtil and compared the hash with the one I sourced here: https://downloads.apache.org/netbeans/netbeans-installers/13/Apache-NetBeans-13-bin-windows-x64.exe.sha512

The hashes are identical.

If the hashes check out, what's wrong with this signature?

[negora]

The signature is OK.

That message is simply telling you that the public key associated to the signature has not been validated. The most immediate way of validating a key is by signing it yourself. However, you should make sure that such key really belongs to the person it claims to belong. How? Using a safe communications channel: in person, using HTTPs... What's safe or not is a bit subjective.