On Thu, 11 Feb 2021 at 15:31, Matthew Miller <mattdm@xxxxxxxxxxxxxxxxx> wrote:
On Thu, Feb 11, 2021 at 08:52:51AM -0800, Jonathan Ryshpan wrote:
> The verification fails with this message:
> $ gpg --verify-files *-CHECKSUM
> gpg: Signature made Fri 23 Oct 2020 08:09:07 AM PDT
> gpg: using RSA key
> 963A2BEB02009608FE67EA4249FD77499570FF31
> gpg: Good signature from "Fedora (33)
> <fedora-33-primary@xxxxxxxxxxxxxxxxx>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: 963A 2BEB 0200 9608 FE67 EA42 49FD 7749 9570
> FF31
> This doesn't look good. How can I verify the CHECKSUM file?
GPG's concept of trust is ... well-meaning, but not user friendly. You can
trust the key you just imported because you just downloaded it from the
official Fedora website via https. GPG, however, does not know that. So, it
gives this error. You can use the `gpg --edit-key` command to tell it to
trust this key, if you wanto to not get that warning.
You don't use the key that often, and there is the small possibility that a
compromise is discovered and the key is no longer trusted. Being a bit
more careful/paranoid, check that the signature still matches the
current official Fedora website via https.
--
George N. White III
_______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
