$ gpg --verify bro-2.5.4.tar.gz.asc
gpg: assuming signed data in 'bro-2.5.4.tar.gz'
gpg: Signature made Wed May 30 11:32:36 2018 EDT
gpg: using RSA key C68B494DF56ACC7E
gpg: Good signature from "The Bro Team <info@bro.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 962F D218 7ED5 A1DD 82FC 478A 33F1 5EAE F8CB 8019
Subkey fingerprint: E969 0B2B 7D8A C1A1 9F92 1C4A C68B 494D F56A CC7E
$
I followed your example, it did this… not the same response
cmm$ gpg --verify bro-2.5.4.tar.gz.asc
gpg: assuming signed data in ‘bro-2.5.4.tar.gz’
gpg: Signature made Wed May 30 08:32:36 2018 PDT
gpg: using RSA key C68B494DF56ACC7E
gpg: Can’t check signature: No public key
Charlie
P.S.
In the email verification I received when I signed up for bro.org, whoever created it/sent it put my
account password in there, no encryption, just right there, bold as brass.
It looks like you need to import the Bro public key into your GPG keyring.
As far as the password goes, this is the warning displayed right under the password prompt when you register:
You may enter a privacy password below. This provides only mild security, but should prevent others from messing with your subscription. Do not use a valuable password as it will occasionally be emailed back to you in cleartext.
If you choose not to enter a password, one will be automatically generated for you, and it will be sent to you once you’ve confirmed your subscription. You can always request a mail-back of your password when you edit your personal options. Once a month, your password will be emailed to you as a reminder.
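Added example (not part of the thread and not Bro project code): the two outcomes shown above, "Good signature" from an uncertified key and "No public key", classified from gpg's machine-readable `--status-fd` output, with the primary key fingerprint pinned to the value printed in the first output. The function names, verdict strings and sample status lines are constructed for illustration; the key must already be imported (for example with `gpg --import` on a key file obtained from a source you trust).

```shell
#!/bin/sh
# Primary key fingerprint as printed in the first gpg output on this page,
# spaces removed. Assumption: confirm it out of band before pinning it.
PINNED_FPR="962FD2187ED5A1DD82FC478A33F15EAEF8CB8019"

# Read gpg status lines ("[GNUPG:] ...") on stdin and print one verdict.
classify_gpg_status() {
    verdict="UNKNOWN"
    while read -r tag keyword rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$keyword" in
            BADSIG)    verdict="BAD_SIGNATURE"; break ;;
            NO_PUBKEY) verdict="NO_PUBLIC_KEY" ;;   # the second output above
            VALIDSIG)
                # First field is the signing (sub)key fingerprint; the last
                # field is the primary key fingerprint. If an older gpg omits
                # it, the comparison fails and the key is reported unexpected.
                primary=${rest##* }
                if [ "$primary" = "$PINNED_FPR" ]; then
                    verdict="GOOD_PINNED_KEY"
                else
                    verdict="GOOD_UNEXPECTED_KEY"
                fi ;;
        esac
    done
    echo "$verdict"
}

# Hypothetical wrapper: status lines go to stdout, human-readable text to stderr.
verify_release() {
    gpg --status-fd 1 --verify "$1" 2>/dev/null | classify_gpg_status
}

# Constructed status lines modelled on the two outputs above (timestamps made up).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG C68B494DF56ACC7E The Bro Team <info@bro.org>
[GNUPG:] VALIDSIG E9690B2B7D8AC1A19F921C4AC68B494DF56ACC7E 2018-05-30 1527694356 0 4 0 1 8 00 962FD2187ED5A1DD82FC478A33F15EAEF8CB8019'
SAMPLE_NOKEY='[GNUPG:] ERRSIG C68B494DF56ACC7E 1 8 00 1527694356 9
[GNUPG:] NO_PUBKEY C68B494DF56ACC7E'

printf '%s\n' "$SAMPLE_GOOD"  | classify_gpg_status   # GOOD_PINNED_KEY
printf '%s\n' "$SAMPLE_NOKEY" | classify_gpg_status   # NO_PUBLIC_KEY
```

A "Good signature" from a key gpg marks as not certified only shows that some imported key made the signature; comparing the primary fingerprint against a value obtained independently is what ties it to the expected signer.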