Jonathan Ryshpan wrote:
> On Fri, 2021-06-25 at 22:25 -0400, Todd Zullinger wrote:
>> There's nothing wrong with that output. The warning is
>> simply telling you that the Fedora key isn't signed by a key
>> you've marked as trusted.
...
>
> Just as I thought. So...
>
> How do I mark a key as trusted?

One way is to add a local signature to the Fedora keys, assuming you
have a gpg key yourself. However, I would simply take the warning for
what it is and not sign the Fedora keys.

> What precautions are needed to be sure that the key should
> actually be trusted?

From https://getfedora.org/en/security/, you can view the fingerprints
of the currently active keys Fedora uses for signing the CHECKSUM
files. To check the fingerprint for the Fedora 34 key, for example:

$ gpg --list-key --with-fingerprint 45719A39
pub   rsa4096 2020-08-06 [SCE]
      8C5B A699 0BDB 26E1 9F2A 1A80 1161 AE69 4571 9A39
uid           [ unknown] Fedora (34) <fedora-34-primary@xxxxxxxxxxxxxxxxx>

It's worth noting that you're effectively trusting the TLS certificate
of getfedora.org in this process. And if you're doing that to get the
signatures, you can just as well trust it when you download the
fedora.gpg file. It's not bad to check the fingerprints, it's just
good to be aware of how much (or how little) additional security it
gets you.

-- 
Todd
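The check Todd describes, comparing the full fingerprint of the key in your keyring against the one published on the Fedora security page, can be scripted so that the comparison is done on the complete 40-hex-digit fingerprint rather than by eye. The following is an added example, not code from the original message or from the Fedora project. It parses the machine-readable `gpg --with-colons --with-fingerprint --list-keys` listing instead of the human-readable output shown in the mail; the sample listing embedded below is constructed for this example (the uid address and timestamps are placeholders), only the fingerprint and key ID come from the message above.

```python
"""Compare a key's fingerprint from a gpg --with-colons listing against a
published value.  Sample listing is constructed; the gpg record layout
(record type in field 1, long key ID in field 5 of 'pub', fingerprint in
field 10 of 'fpr', user ID in field 10 of 'uid') follows GnuPG's documented
colon format."""
import re
import subprocess

# Fingerprint of the Fedora 34 key as quoted in the message above.
EXPECTED_FEDORA_34_FPR = "8C5B A699 0BDB 26E1 9F2A 1A80 1161 AE69 4571 9A39"

# Constructed sample of `gpg --with-colons --with-fingerprint --list-keys 45719A39`.
# The uid e-mail and the timestamps are placeholders, not captured output.
SAMPLE_COLON_OUTPUT = """\
tru::1:1624660000:0:3:1:5
pub:-:4096:1:1161AE6945719A39:1596664800:::-:::scESC::::::23::0:
fpr:::::::::8C5BA6990BDB26E19F2A1A801161AE6945719A39:
uid:-::::1596664800::0123456789ABCDEF0123456789ABCDEF01234567::Fedora (34) <fedora-34-primary@example.invalid>::::::::::0:
sub:-:4096:1:0011223344556677:1596664800::::::e::::::23:
"""


def normalize_fpr(fpr):
    """Drop whitespace and upper-case so the spaced form on the web page and
    the compact form gpg emits compare equal."""
    return re.sub(r"\s+", "", fpr).upper()


def parse_colon_keys(text):
    """Return one dict per primary key: {'keyid', 'fpr', 'uids'}.
    Only the fpr record that follows a 'pub' record is taken as the primary
    fingerprint; fpr records after 'sub' (subkey fingerprints) are ignored."""
    keys = []
    last_record = None
    for line in text.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            keys.append({"keyid": fields[4].upper(), "fpr": None, "uids": []})
            last_record = "pub"
        elif rtype == "sub":
            last_record = "sub"
        elif rtype == "fpr" and keys and last_record == "pub":
            keys[-1]["fpr"] = fields[9].upper()
        elif rtype == "uid" and keys:
            keys[-1]["uids"].append(fields[9])
    return keys


def fingerprint_matches(colon_output, expected_fpr, key_id=None):
    """True if a primary key in the listing has exactly the expected fingerprint.
    The full fingerprint is compared, never a short or long key ID: key IDs
    are truncations of the fingerprint and do not identify a key uniquely."""
    want = normalize_fpr(expected_fpr)
    wanted_id = normalize_fpr(key_id) if key_id else None
    for key in parse_colon_keys(colon_output):
        if wanted_id and not key["keyid"].endswith(wanted_id):
            continue
        if key["fpr"] == want:
            return True
    return False


def gpg_listing_command(key_id):
    """The gpg invocation whose output parse_colon_keys expects."""
    return ["gpg", "--with-colons", "--with-fingerprint", "--list-keys", key_id]


def check_live(key_id, expected_fpr):
    """Run gpg on this machine and compare.  Returns None when gpg is not
    installed or the key is not in the keyring, so callers can tell
    'could not check' apart from 'checked and mismatched'."""
    try:
        result = subprocess.run(gpg_listing_command(key_id),
                                capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return fingerprint_matches(result.stdout, expected_fpr, key_id)


if __name__ == "__main__":
    ok = fingerprint_matches(SAMPLE_COLON_OUTPUT, EXPECTED_FEDORA_34_FPR, "45719A39")
    print("sample listing matches published fingerprint:", ok)
```

A mismatch here means the key in the keyring is not the one whose fingerprint was published, whatever its key ID or user ID says; only after the full fingerprint agrees would it make sense to go on to the local signature step Todd mentions. As he notes, the published fingerprint itself still rests on the TLS connection to getfedora.org.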
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure