
OK, perhaps I have missed "the how" and "which" somewhere, but which signature am I supposed to verify the new Tor 0.2.5.3 tarball against? I tried the ones mentioned on the Tor signing page and none seem to stick. A typical message is:

    # gpg --verify tor-0.2.5.3-alpha.tar.gz{.asc,}
    gpg: Signature made Sun 23 Mar 2014 02:40:49 AM UTC using RSA key ID 8D29319A
    gpg: Good signature from "Nick Mathewson <nickm@alum.mit.edu>"
    gpg: aka "Nick Mathewson <nickm@wangafu.net>"
    gpg: aka "Nick Mathewson <nickm@freehaven.net>"
    gpg: aka "[jpeg image of size 3369]"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.
    Primary key fingerprint: B35B F85B F194 89D0 4E28 C33C 2119 4EBB 1657 33EA
    Subkey fingerprint: EF00 F369 1387 FCC5 8CD6 8E13 9103 97D8 8D29 319A