On Thu, Feb 11, 2021 at 08:52:51AM -0800, Jonathan Ryshpan wrote:
> The verification fails with this message:
> $ gpg --verify-files *-CHECKSUM
> gpg: Signature made Fri 23 Oct 2020 08:09:07 AM PDT
> gpg:                using RSA key 963A2BEB02009608FE67EA4249FD77499570FF31
> gpg: Good signature from "Fedora (33) <fedora-33-primary@xxxxxxxxxxxxxxxxx>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 963A 2BEB 0200 9608 FE67  EA42 49FD 7749 9570 FF31
> This doesn't look good. How can I verify the CHECKSUM file?

GPG's concept of trust is ... well-meaning, but not user friendly. You can
trust the key you just imported because you just downloaded it from the
official Fedora website via https. GPG, however, does not know that. So, it
gives this error.

You can use the `gpg --edit-key` command to tell it to trust this key, if you
want to not get that warning.

--
Matthew Miller <mattdm@xxxxxxxxxxxxxxxxx>
Fedora Project Leader
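
An added example, not part of the original thread: one way to script the check so it depends on the signing key's fingerprint rather than on the local trust database, by reading gpg's `--status-fd` lines. The function names and the sample status lines are constructed for illustration; the fingerprint is the one printed in the quoted output, and the e-mail address is a placeholder.

```shell
#!/bin/sh
# Fingerprint shown in the gpg output quoted in the thread.
PINNED_FPR=963A2BEB02009608FE67EA4249FD77499570FF31

# check_status PINNED < status-lines   (hypothetical helper)
# Returns 0 only if gpg reported a valid signature whose primary key
# fingerprint equals PINNED. TRUST_* lines are ignored on purpose: they
# describe the local trust database, which is what triggers the WARNING,
# not the cryptographic validity of the signature.
check_status() {
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$pinned" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" {
            # Field 3 is the signing (sub)key; field 12, when present,
            # is the primary key fingerprint.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == want) ok = 1; else bad = 1
        }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END { exit ((ok && !bad) ? 0 : 1) }
    '
}

# Constructed status output for a good signature from an uncertified key.
sample_good() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 49FD77499570FF31 Fedora (33) <fedora-33-primary@example.invalid>
[GNUPG:] VALIDSIG 963A2BEB02009608FE67EA4249FD77499570FF31 2020-10-23 1603465747 0 4 0 1 8 01 963A2BEB02009608FE67EA4249FD77499570FF31
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

# Constructed status output for a file that was modified after signing.
sample_bad() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 49FD77499570FF31 Fedora (33) <fedora-33-primary@example.invalid>
EOF
}

# Real use: gpg --status-fd 1 --verify-files *-CHECKSUM 2>/dev/null | check_status "$PINNED_FPR"
sample_good | check_status "$PINNED_FPR" && echo "signed by the pinned key"
```

The pinned fingerprint should be copied from the official Fedora site over https, as the reply describes, not from the output of the verification being checked.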