On Sat, 30 Oct 2021 at 03:14, Tim via users <users@lists.fedoraproject.org> wrote:
> Hi,
>
> Just trying to figure out how to verify the Fedora 34 mate spin.
>
> Looking through the pages you get after going to the mate spin, it
> suggests <https://spins.fedoraproject.org/en/verify>, the instructions
> aren't coherent, and don't work as written.
>
> There's what looks like it's simply a heading saying Verify 64-bit iso,
> but that's actually a clickable link to download the checksum file.
> Not well written.
>
> Then it says to import the GPG keys.  That works.
>
> $ curl https://getfedora.org/static/fedora.gpg | gpg --import
>
> Then it sends you to another page to verify the GPG keys.
>
> https://getfedora.org/en/security/
>
> It gives the same curl command as above.

You are meant to download one -CHECKSUM file from the list on
the right side of the page:

% curl https://getfedora.org/static/fedora.gpg | gpg --import
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 14180  100 14180    0     0  43496      0 --:--:-- --:--:-- --:--:-- 43496
gpg: key F55AD3FB5323552A: public key "Fedora (37) <fedora-37-primary@fedoraproject.org>" imported
gpg: key 999F7CBF38AB71F4: public key "Fedora (36) <fedora-36-primary@fedoraproject.org>" imported
gpg: key DB4639719867C58F: public key "Fedora (35) <fedora-35-primary@fedoraproject.org>" imported
gpg: key 1161AE6945719A39: "Fedora (34) <fedora-34-primary@fedoraproject.org>" not changed
gpg: key 49FD77499570FF31: "Fedora (33) <fedora-33-primary@fedoraproject.org>" not changed
gpg: key 7BB90722DBBDCF7C: "Fedora (iot 2019) <fedora-iot-2019@fedoraproject.org>" not changed
gpg: key 21EA45AB2F86D6A1: "Fedora EPEL (8) <epel@fedoraproject.org>" not changed
gpg: key 6A2FAEA2352C64E5: "Fedora EPEL (7) <epel@fedoraproject.org>" not changed
gpg: key 3B49DF2A0608B895: "EPEL (6) <epel@fedoraproject.org>" not changed
gpg: Total number processed: 9
gpg:               imported: 3
gpg:              unchanged: 6
% wget2 https://getfedora.org/static/checksums/34/iso/Fedora-Workstation-34-1.2-x86_64-CHECKSUM
[0] Downloading 'https://getfedora.org/static/checksums/34/iso/Fedora-Workstation-34-1.2-x86_64-CHECKSUM' ...
Saving 'Fedora-Workstation-34-1.2-x86_64-CHECKSUM'
HTTP response 200 OK [https://getfedora.org/static/checksums/34/iso/Fedora-Workstation-34-1.2-x86_64-CHECKSUM]
% gpg --verify-files *-CHECKSUM
gpg: Signature made Fri 23 Apr 2021 04:37:01 PM ADT
gpg:                using RSA key 8C5BA6990BDB26E19F2A1A801161AE6945719A39
gpg: Good signature from "Fedora (34) <fedora-34-primary@fedoraproject.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8C5B A699 0BDB 26E1 9F2A  1A80 1161 AE69 4571 9A39

This fingerprint agrees with the one for Fedora-Workstation-34 in the https://getfedora.org/en/security/
page.

> Asks you to verify the checksum file is valid, but since you haven't
> downloaded the checksum file you can't.  It imported it directly into
> GPG.  There are no instructions that you need to *separately* download
> the keys and verify them (if you want to verify them).  And, really,
> you should do that step before importing them.  And, you're importing
> unknown untrusted keys, anyway.

You are supposed to verify the signature against the ones at the bottom
of the page

> Trying to follow that page is a hotchpotch of reading through the page,
> scrolling up and down, referring to something written below the
> instructions, going back to reread the instructions, and flicking between
> pages.  Fair enough to put the quick list of steps you'll go through at
> the top, but put the full sequence, *in* the sequence that you'll do
> it, further down the page.
>
> Then going back to the verify page to try and figure out how to verify
> the mate spin.  The wildcard "sha256sum -c *-CHECKSUM" command gives
> you way too much output, there are lots of failed notices about the other
> spins you don't have, with yours buried somewhere in the middle.
> Surely there's a better way to filter that down to just show the output
> of files it's actually checking, rather than all the files it looked
> for.

Sounds like you have "-CHECKSUM" files for lots of spins.
The wildcard pattern is easy for someone who has only one
.iso and -CHECKSUM file, but it is also easy to check just the
file you want to use.

> I've gone through three different webpages just to verify one download.

Good security is not easy.  Bad actors rely on the human tendency to
take shortcuts.

--
George N. White III
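An added example, not from this thread, of checking only the one ISO you downloaded against a Fedora-style -CHECKSUM file so the output is not swamped by failures for spins you do not have; it assumes GNU coreutils sha256sum, the ISO and CHECKSUM file names are constructed for the demo, and the gpg signature check of the -CHECKSUM file (as shown in the thread) is a separate step that this script does not perform.

```shell
#!/bin/sh
# Added example (not from the thread): check only the ISO you downloaded
# against a Fedora-style -CHECKSUM file, instead of letting
# "sha256sum -c *-CHECKSUM" report a failure for every spin you do not have.
set -u

# check_iso ISO CHECKSUM_FILE
# Feed sha256sum only the line that names ISO. Returns 0 if the hash
# matches, 1 if it does not match or ISO has no entry in CHECKSUM_FILE.
check_iso() {
    iso=$1
    checksum_file=$2
    name=$(basename "$iso")
    # Fedora lines are BSD-style: SHA256 (<iso name>) = <64 hex chars>
    line=$(grep -F "SHA256 ($name) = " "$checksum_file") || {
        echo "no SHA256 entry for $name in $checksum_file" >&2
        return 1
    }
    # Run from the ISO's directory so the bare name in the line resolves.
    (cd "$(dirname "$iso")" && printf '%s\n' "$line" | sha256sum -c --quiet -)
}
# Alternative with newer coreutils (8.25+): skip listed files you do not have.
#   sha256sum -c --ignore-missing Fedora-Spins-34-1.2-x86_64-CHECKSUM

# --- constructed demo data: a fake ISO and a CHECKSUM file listing it ----
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
iso="$demo_dir/Fedora-MATE_Compiz-Live-x86_64-34-1.2.iso"
checksum="$demo_dir/Fedora-Spins-34-1.2-x86_64-CHECKSUM"
printf 'not a real ISO, just constructed sample bytes\n' > "$iso"
good_hash=$(sha256sum "$iso" | cut -d' ' -f1)
cat > "$checksum" <<EOF
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# $(basename "$iso"): $(wc -c < "$iso") bytes
SHA256 ($(basename "$iso")) = $good_hash
# Fedora-Xfce-Live-x86_64-34-1.2.iso: 1 bytes (listed but not downloaded)
SHA256 (Fedora-Xfce-Live-x86_64-34-1.2.iso) = $(printf '%064d' 0)
-----BEGIN PGP SIGNATURE-----
(placeholder: a real file carries the Fedora signature here)
-----END PGP SIGNATURE-----
EOF

if check_iso "$iso" "$checksum"; then
    echo "OK: $(basename "$iso") matches its CHECKSUM entry"
fi
```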