On Thu, 11 Feb 2021 at 15:31, Matthew Miller <mattdm@fedoraproject.org> wrote:
On Thu, Feb 11, 2021 at 08:52:51AM -0800, Jonathan Ryshpan wrote:
> The verification fails with this message:
> $ gpg --verify-files *-CHECKSUM
> gpg: Signature made Fri 23 Oct 2020 08:09:07 AM PDT
> gpg:                using RSA key 963A2BEB02009608FE67EA4249FD77499570FF31
> gpg: Good signature from "Fedora (33) <fedora-33-primary@fedoraproject.org>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 963A 2BEB 0200 9608 FE67  EA42 49FD 7749 9570 FF31
> This doesn't look good.  How can I verify the CHECKSUM file?

GPG's concept of trust is ... well-meaning, but not user friendly. You can
trust the key you just imported because you just downloaded it from the
official Fedora website via https. GPG, however, does not know that. So, it
gives this error. You can use the `gpg --edit-key` command to tell it to
trust this key, if you want to not get that warning.

You don't use the key that often, and there is the small possibility that a
compromise is discovered and the key is no longer trusted.  Being a bit
more careful/paranoid, check that the signature still matches the
current official Fedora website via https.

--
George N. White III
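A worked example of the "be a bit more careful" approach above, added here and not part of the thread: instead of editing GPG's trust database, pin the expected fingerprint (the one quoted in the original message) and parse gpg's machine-readable `--status-fd` output, which reports `VALIDSIG` with the signing key's fingerprint even when the key is "[unknown]" to the web of trust. The sample status lines are constructed for the demo; the download URL is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): verify a Fedora *-CHECKSUM file by
# pinning the signing key's fingerprint rather than marking the key trusted.
# Fingerprint as printed in the original message (Fedora 33 primary key).
EXPECTED_FPR="963A 2BEB 0200 9608 FE67  EA42 49FD 7749 9570 FF31"

# Normalise a fingerprint so gpg's spaced and unspaced forms compare equal.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Read gpg --status-fd output on stdin and print the fingerprint from the
# first VALIDSIG line. gpg emits VALIDSIG only for a good signature; the
# "not certified" warning arrives separately as TRUST_UNDEFINED, so the
# fingerprint is usable even when the key is [unknown].
fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# Return 0 only if stdin shows a good signature made by EXPECTED_FPR.
check_status() {
    got=$(fpr_from_status)
    [ -n "$got" ] && [ "$(norm_fpr "$got")" = "$(norm_fpr "$EXPECTED_FPR")" ]
}

# Constructed sample of what gpg --status-fd 1 prints for the thread's case:
# good signature, key not in the trust db (TRUST_UNDEFINED).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 49FD77499570FF31 Fedora (33) <fedora-33-primary@fedoraproject.org>
[GNUPG:] VALIDSIG 963A2BEB02009608FE67EA4249FD77499570FF31 2020-10-23 1603465747 0 4 0 1 10 00 963A2BEB02009608FE67EA4249FD77499570FF31
[GNUPG:] TRUST_UNDEFINED 0 pgp'

if printf '%s\n' "$SAMPLE_STATUS" | check_status; then
    echo "signature made by the pinned Fedora key"
else
    echo "signature missing or made by an unexpected key"
fi

# Real usage, with gpg installed and the key file downloaded over https
# from the official Fedora site (URL is a placeholder):
#   curl -O https://<official-fedora-site>/fedora.gpg
#   gpg --import fedora.gpg
#   gpg --status-fd 1 --verify *-CHECKSUM | check_status && sha256sum -c --ignore-missing *-CHECKSUM
```

The trust warning still appears on stderr; the point is that the decision rests on the pinned fingerprint, not on GPG's trust model.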