Jonathan Ryshpan wrote:
> On Fri, 2021-06-25 at 22:25 -0400, Todd Zullinger wrote:
>> There's nothing wrong with that output. The warning is
>> simply telling you that the Fedora key isn't signed by a key
>> you've marked as trusted.
> ...
> Just as I thought. So...
> How do I mark a key as trusted?
One way is to add a local signature to the Fedora keys,
assuming you have a gpg key yourself. However, I would
simply take the warning for what it is and not sign the
Fedora keys.
> What precautions are needed to be sure that the key should
> actually be trusted?
From https://getfedora.org/en/security/, you can view the
fingerprints of the currently active keys Fedora uses for
signing the CHECKSUM files. To check the fingerprint for
the Fedora 34 key, for example:
$ gpg --list-key --with-fingerprint 45719A39
pub rsa4096 2020-08-06 [SCE]
8C5B A699 0BDB 26E1 9F2A 1A80 1161 AE69 4571 9A39
uid [ unknown] Fedora (34) <fedora-34-primary(a)fedoraproject.org>
It's worth noting that you're effectively trusting the TLS
certificate of getfedora.org in this process. And if you're
doing that to get the signatures, you can just as well trust
it when you download the fedora.gpg file. It's not bad to
check the fingerprints; it's just good to be aware of how
much (or how little) additional security it gets you.
--
Todd
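The fingerprint check Todd describes above, as an added shell example that is not part of the original message or of Fedora's own tooling: it pulls the fingerprint out of `gpg --list-key --with-fingerprint` output, normalizes spacing and case, and compares it against the value published on getfedora.org. The expected fingerprint is the Fedora 34 one quoted in the message; the sample gpg output embedded below is a constructed copy of the output shown there, so the comparison helpers can be exercised without gpg installed, and the `check_key` function name and its exit-code convention are this example's own choices.

```shell
#!/bin/sh
# Added example: compare a keyring fingerprint with the published Fedora one.

# Fingerprint of the Fedora 34 key as listed on https://getfedora.org/en/security/
# (taken from the message above).
FEDORA34_FPR="8C5B A699 0BDB 26E1 9F2A 1A80 1161 AE69 4571 9A39"

# Constructed sample: the gpg output quoted in the message, used for offline testing.
SAMPLE_GPG_OUTPUT="pub rsa4096 2020-08-06 [SCE]
8C5B A699 0BDB 26E1 9F2A 1A80 1161 AE69 4571 9A39
uid [ unknown] Fedora (34) <fedora-34-primary(a)fedoraproject.org>"

# normalize_fpr STRING: drop whitespace and upper-case hex digits so that
# "8c5b a699 ..." and "8C5BA699..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# extract_fpr: read gpg output on stdin and print the first 40-hex-digit
# fingerprint found (spacing removed). Works for both the bare grouped line
# shown in the message and the older "Key fingerprint = ..." layout.
extract_fpr() {
    tr -d ' ' | grep -Eo '[0-9A-Fa-f]{40}' | head -n 1
}

# fpr_matches EXPECTED ACTUAL: exit 0 when the two fingerprints are equal
# after normalization, 1 otherwise.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# check_key KEYID EXPECTED_FPR: look the key up in the local keyring and
# compare. Exit codes: 0 match, 1 mismatch, 2 gpg missing or key not found.
check_key() {
    keyid=$1
    expected=$2
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg is not installed" >&2
        return 2
    fi
    actual=$(gpg --list-key --with-fingerprint "$keyid" 2>/dev/null | extract_fpr)
    if [ -z "$actual" ]; then
        echo "key $keyid not found in keyring" >&2
        return 2
    fi
    if fpr_matches "$expected" "$actual"; then
        echo "key $keyid matches the published fingerprint"
        return 0
    fi
    echo "MISMATCH for $keyid: keyring has $actual, published is $(normalize_fpr "$expected")" >&2
    return 1
}

# Offline demonstration on the constructed sample output.
sample_fpr=$(printf '%s\n' "$SAMPLE_GPG_OUTPUT" | extract_fpr)
if fpr_matches "$FEDORA34_FPR" "$sample_fpr"; then
    echo "sample output carries the published Fedora 34 fingerprint ($sample_fpr)"
else
    echo "sample output does NOT match the published fingerprint" >&2
fi

# Against a real keyring (only meaningful where gpg and the key are present):
#   check_key 45719A39 "$FEDORA34_FPR"
```

Comparing the full 40-digit fingerprint rather than the short key ID is the point of the exercise: the short ID is what you typed on the command line, and a key that merely shares it would not pass this check. As the message notes, the published value still reaches you over TLS from getfedora.org, so this confirms that the key in your keyring is the one Fedora publishes, not more.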