Tags: maven, cryptography, gnupg

How to compare a primary key fingerprint after verifying a signature with gpg?


I am new to cryptography in general, I have a question about the primary key fingerprint:

I have downloaded Apache Maven and, as they say on the download page, have verified the signature of the public key, using gpg:

user$ gpg --verify apache-maven-3.2.3-bin.tar.gz.asc apache-maven-3.2.3-bin.tar.gz
gpg: Signature made Tue Aug 12 00:59:35 2014 MSK using DSA key ID BB617866
gpg: Good signature from "Someone <email@maven.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: FB11 D4BB 7B24 4678 337A  AD8B C7BF 26D0 BB61 7866

Now, I read from http://www.apache.org/dev/release-signing#fingerprint that the primary key fingerprint is a digest of the key, easier to read and compare, but my question is:

How should I compare it? I mean, where should I find the counterpart against which I should compare the fingerprint "FB11 D4BB 7B24 4678 337A AD8B C7BF 26D0 BB61 7866"?


Solution

  • The public keys of the Maven developers are linked at the top of the download page.

    It only contains the short IDs, which are not sufficient to verify keys, but they help you look up which key was used. To do so, delete this key (it was probably already fetched from the key servers while verifying the signature):

    gpg --delete-keys [keyid]
    

    Now prepare to import this key by copying the public key block matching the key ID given above into a file of your choice. This file should afterwards contain:

    -----BEGIN PGP PUBLIC KEY BLOCK-----
    [snip]
    -----END PGP PUBLIC KEY BLOCK-----
    

    Now import it using gpg --import [file]. Then run gpg --fingerprint [keyid]; it should print the same fingerprint given in the output of the signature verification.
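The answer relies on two facts about OpenPGP fingerprints that the gpg output in the question already illustrates: a v4 fingerprint is the SHA-1 digest of the public-key packet, and the "key ID BB617866" on the first line is simply the last four bytes of the primary key fingerprint on the last line. That is why a short ID only tells you which key block to import, while the comparison itself must be done on all 40 hex digits. The following is an added example (not code from the question, the answer, or the Apache Maven project) that computes a v4 fingerprint and the derived key IDs for a constructed toy DSA key, parses the gpg --verify output quoted in the question, and compares fingerprints the way a careful reader should. The toy key material, the creation timestamp, and the second fingerprint that shares only the short ID are all constructed for illustration.

```python
import hashlib
import re
import struct


def mpi(value):
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian magnitude."""
    bit_len = value.bit_length()
    return struct.pack(">H", bit_len) + value.to_bytes((bit_len + 7) // 8, "big")


def v4_public_key_body(created, algo, mpis):
    """Body of an OpenPGP v4 public-key packet: version, creation time, algorithm, MPIs."""
    return bytes([4]) + struct.pack(">I", created) + bytes([algo]) + b"".join(mpi(m) for m in mpis)


def v4_fingerprint(body):
    """v4 fingerprint (RFC 4880 12.2): SHA-1 over 0x99, the 2-octet body length, and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def long_key_id(fingerprint):
    """The 64-bit key ID is the low-order 8 bytes of the fingerprint."""
    return fingerprint[-8:]


def short_key_id(fingerprint):
    """The 32-bit short ID (what gpg printed as BB617866) is the last 4 bytes."""
    return fingerprint[-4:]


def normalize(fp_text):
    """Strip spaces and case so fingerprints from different tools compare byte-for-byte."""
    return "".join(fp_text.split()).upper()


def format_fingerprint(fingerprint):
    """Render like gpg: ten groups of four hex digits, a double space after the fifth."""
    hexfp = fingerprint.hex().upper()
    groups = [hexfp[i:i + 4] for i in range(0, len(hexfp), 4)]
    return " ".join(groups[:5]) + "  " + " ".join(groups[5:])


def fingerprints_match(a, b):
    """Only a full 40-hex-digit match counts; a short or long key ID alone never does."""
    na, nb = normalize(a), normalize(b)
    return len(na) == 40 and na == nb


def key_id_matches_fingerprint(key_id, fp_text):
    """A key ID is the tail of the fingerprint, so it must be a suffix of it (a necessary check only)."""
    return normalize(fp_text).endswith(normalize(key_id))


def parse_gpg_verify(output):
    """Pull the key ID and primary key fingerprint out of gpg --verify output."""
    key_id = re.search(r"key ID ([0-9A-Fa-f]{8,16})", output).group(1)
    fp = re.search(r"Primary key fingerprint: ([0-9A-Fa-f ]+)", output).group(1)
    return key_id, fp.strip()


# gpg --verify output copied from the question above.
GPG_VERIFY_OUTPUT = """\
gpg: Signature made Tue Aug 12 00:59:35 2014 MSK using DSA key ID BB617866
gpg: Good signature from "Someone <email@maven.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: FB11 D4BB 7B24 4678 337A  AD8B C7BF 26D0 BB61 7866
"""

# Constructed: a different fingerprint whose last 8 hex digits equal the key ID above.
# Matching on the short ID would accept it; matching on the full fingerprint rejects it.
COLLIDING_SHORT_ID_FP = "0000 1111 2222 3333 4444  5555 6666 7777 BB61 7866"

# Constructed toy DSA key (algorithm 17; MPIs p, q, g, y) with a made-up timestamp; not a real key.
TOY_DSA_BODY = v4_public_key_body(created=1400000000, algo=17, mpis=[0xC7BF, 0x26D0, 0x2, 0xBB61])


if __name__ == "__main__":
    key_id, fp_text = parse_gpg_verify(GPG_VERIFY_OUTPUT)
    print("key ID", key_id, "is a suffix of the fingerprint:", key_id_matches_fingerprint(key_id, fp_text))
    print("colliding short ID passes full comparison:", fingerprints_match(COLLIDING_SHORT_ID_FP, fp_text))
    fp = v4_fingerprint(TOY_DSA_BODY)
    print("toy key fingerprint:", format_fingerprint(fp), "short ID:", short_key_id(fp).hex().upper())
```

In practice the string you feed to fingerprints_match comes from two independent places: the "Primary key fingerprint" line gpg printed after --verify, and the fingerprint printed by gpg --fingerprint on the key block you imported from the developers' KEYS file. The whitespace normalization matters because gpg, key servers, and web pages all group the hex digits differently.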