Hi - I've followed the example 'How to verify PC Engines Open Source Firmware Release v22.214.171.124 signature' at https://asciinema.org/a/303584. The last stage fails as shown below with This key is not certified with a trusted signature!. Grateful for any pointers to getting this to work. This is on Debian 4.19.98-1 (2020-01-26) x86_64 GNU/Linux.
bigsy@bigsy:~/downloads/apu$ gpg -v --verify apu2_v126.96.36.199.SHA256.sig apu2_v188.8.131.52.SHA256
gpg: Signature made Fri 21 Feb 2020 16:04:04 GMT
gpg: using RSA key 0A8E0CDC16E1EDC8C8E209D115B7A4BC249E3AD6
gpg: using pgp trust model
gpg: Good signature from "PC Engines Open Source Firmware Release 4.11 Signing Key" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0A8E 0CDC 16E1 EDC8 C8E2 09D1 15B7 A4BC 249E 3AD6
gpg: binary signature, digest algorithm SHA512, key algorithm rsa4096