Re: Verifying a Fedora-33 Image

Matthew Miller wrote:
> GPG's concept of trust is ... well-meaning, but not user friendly. You can
> trust the key you just imported because you just downloaded it from the
> official Fedora website via https. GPG, however, does not know that. So, it
> gives this error. You can use the `gpg --edit-key` command to tell it to
> trust this key, if you want to not get that warning.

It's a shame that gpgv doesn't support ascii-armored
keyrings¹, or we could save a step and suggest:

    $ curl -O https://getfedora.org/static/fedora.gpg
    $ gpgv --keyring ./fedora.gpg CHECKSUM

As it is, we'd need to either suggest de-armoring the
keyring first or switch to provide a non-armored fedora gpg
keyring on the website.  Doing the latter would seem like an
easy win in terms of making the verification steps simpler.
And we could always keep the ascii-armored content as
fedora.asc if we wanted.

I don't know why we name the keyring fedora.gpg and not
fedora.asc since it's ascii-armored, to be honest.

(I contributed to the website code surrounding the
verification steps many years ago, and I still don't recall
why that's the case.  It appears that I had the --armor
option in the initial version of the update-gpg-keys script
I contributed.  That might have just been keeping the
status-quo, as the fedora.gpg file existed prior to the
script, it was simply managed much more manually.)

If fedora.gpg was not ascii-armored, the above gpgv command
looks like this:

    $ gpgv --keyring ./fedora.gpg Fedora-Spins-33-1.2-x86_64-CHECKSUM 
    gpgv: Signature made Fri Oct 23 15:09:07 2020 UTC
    gpgv:                using RSA key 963A2BEB02009608FE67EA4249FD77499570FF31
    gpgv: Good signature from "Fedora (33) <fedora-33-primary@xxxxxxxxxxxxxxxxx>"

Alternately, we _could_ suggest adding `--trust-model
always` to the gpg command, though that still prints a
warning:

    $ gpg --trust-model always --verify-files Fedora-Spins-33-1.2-x86_64-CHECKSUM 
    gpg: Signature made Fri Oct 23 15:09:07 2020 UTC
    gpg:                using RSA key 963A2BEB02009608FE67EA4249FD77499570FF31
    gpg: Good signature from "Fedora (33) <fedora-33-primary@xxxxxxxxxxxxxxxxx>" [unknown]
    gpg: WARNING: Using untrusted key!

¹ https://dev.gnupg.org/T2290 has been around for years and
  was just lowered in priority yesterday -- in case anyone
  feels like submitting a patch. ;)

-- 
Todd
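
The de-armoring workaround mentioned in the message above, sketched as an added example (not part of the original post and not Fedora's published instructions). The function name `verify_checksum`, the temporary paths, and the final `sha256sum` step are assumptions; it needs a gpgv that supports `--output`.

```shell
# Added example: verify a clearsigned CHECKSUM file with gpgv when the
# downloaded keyring is ASCII-armored, by de-armoring it first.
# Returns: 0 ok, 1 bad signature or hash, 2 bad input, 3 de-armor failed.
verify_checksum() {
    vc_armored=$1    # e.g. ./fedora.gpg as downloaded (ASCII-armored)
    vc_checksum=$2   # e.g. Fedora-Spins-33-1.2-x86_64-CHECKSUM

    [ -r "$vc_armored" ]  || { echo "cannot read keyring: $vc_armored" >&2; return 2; }
    [ -r "$vc_checksum" ] || { echo "cannot read checksum file: $vc_checksum" >&2; return 2; }

    vc_work=$(mktemp -d) || return 2
    vc_keyring="$vc_work/keyring.gpg"    # binary keyring for gpgv
    vc_signed="$vc_work/CHECKSUM.signed" # text covered by the signature

    # Step 1: strip the armor. gpgv only reads binary keyrings.
    if ! gpg --dearmor < "$vc_armored" > "$vc_keyring"; then
        rm -rf "$vc_work"
        return 3
    fi

    # Step 2: gpgv has no trust model; any key in the keyring counts as
    # trusted, so there is no "untrusted key" warning. --output writes
    # only the signed text, so lines outside the signature are dropped.
    if ! gpgv --keyring "$vc_keyring" --output "$vc_signed" "$vc_checksum"; then
        rm -rf "$vc_work"
        return 1
    fi

    # Step 3 (assumption): hash the images that sit next to the CHECKSUM
    # file, using only the verified text. Fails if no image is present.
    vc_status=0
    ( cd "$(dirname "$vc_checksum")" &&
      sha256sum --ignore-missing -c "$vc_signed" ) || vc_status=1

    rm -rf "$vc_work"
    return "$vc_status"
}

# Usage (file names as in the message above):
#   verify_checksum ./fedora.gpg Fedora-Spins-33-1.2-x86_64-CHECKSUM
```

Because gpgv treats every key in the supplied keyring as trusted, the result is only as good as the channel the keyring was fetched over.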
