Matthew Miller wrote:
> GPG's concept of trust is ... well-meaning, but not user friendly. You can
> trust the key you just imported because you just downloaded it from the
> official Fedora website via https. GPG, however, does not know that. So, it
> gives this error. You can use the `gpg --edit-key` command to tell it to
> trust this key, if you want to not get that warning.
It's a shame that gpgv doesn't support ascii-armored
keyrings¹, or we could save a step and suggest:
$ curl -O https://getfedora.org/static/fedora.gpg
$ gpgv --keyring ./fedora.gpg CHECKSUM
As it is, we'd need to either suggest de-armoring the
keyring first or switch to provide a non-armored fedora gpg
keyring on the website. Doing the latter would seem like an
easy win in terms of making the verification steps simpler.
And we could always keep the ascii-armored content as
fedora.asc if we wanted.
I don't know why we name the keyring fedora.gpg and not
fedora.asc since it's ascii-armored, to be honest.
(I contributed to the website code surrounding the
verification steps many years ago, and I still don't recall
why that's the case. It appears that I had the --armor
option in the initial version of the update-gpg-keys script
I contributed. That might have just been keeping the
status-quo, as the fedora.gpg file existed prior to the
script, it was simply managed much more manually.)
If fedora.gpg was not ascii-armored, the above gpgv command
looks like this:
$ gpgv --keyring ./fedora.gpg Fedora-Spins-33-1.2-x86_64-CHECKSUM
gpgv: Signature made Fri Oct 23 15:09:07 2020 UTC
gpgv: using RSA key 963A2BEB02009608FE67EA4249FD77499570FF31
gpgv: Good signature from "Fedora (33) <fedora-33-primary(a)fedoraproject.org>"
Alternately, we _could_ suggest adding `--trust-model always`
to the gpg command, though that still prints a warning:
$ gpg --trust-model always --verify-files Fedora-Spins-33-1.2-x86_64-CHECKSUM
gpg: Signature made Fri Oct 23 15:09:07 2020 UTC
gpg: using RSA key 963A2BEB02009608FE67EA4249FD77499570FF31
gpg: Good signature from "Fedora (33) <fedora-33-primary(a)fedoraproject.org>" [unknown]
gpg: WARNING: Using untrusted key!
¹ https://dev.gnupg.org/T2290 has been around for years and
was just lowered in priority yesterday -- in case anyone
feels like submitting a patch. ;)
--
Todd
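The "de-armor the keyring first" step discussed in the message above, as an added example that is not part of the thread and not Fedora's website code: it detects whether a downloaded keyring such as fedora.gpg is ASCII-armored, strips the RFC 4880 armor (base64 body plus the CRC-24 trailer) to recover the binary keyring that gpgv expects, and refuses a block whose checksum does not match. The sample bytes are constructed placeholders, not a real key; in practice `gpg --dearmor` does the same job, and the output file is what you would pass to `gpgv --keyring`.

```python
"""Detect and de-armor an ASCII-armored OpenPGP keyring (RFC 4880 section 6).

Added example for the thread above, not code from the thread or from
Fedora. gpgv needs a binary keyring, so an armored fedora.gpg must be
converted before `gpgv --keyring ./fedora.gpg CHECKSUM` can use it.
"""
import base64

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24 used for OpenPGP armor checksums (RFC 4880 section 6.1)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def is_armored(blob: bytes) -> bool:
    """True if the file starts with an OpenPGP armor header line."""
    return blob.lstrip().startswith(b"-----BEGIN PGP ")


def dearmor(text: str) -> bytes:
    """Strip OpenPGP ASCII armor and return the binary packet data.

    Raises ValueError on a malformed block or a CRC-24 mismatch, so a
    truncated or tampered download is rejected instead of silently used.
    """
    lines = [ln.rstrip("\r") for ln in text.splitlines()]
    starts = [i for i, ln in enumerate(lines) if ln.startswith("-----BEGIN PGP ")]
    if not starts:
        raise ValueError("no armor header found")
    start = starts[0]
    kind = lines[start][len("-----BEGIN "):-len("-----")]
    end_marker = f"-----END {kind}-----"
    body = lines[start + 1:]
    # Armor headers ("Version: ...", "Comment: ...") precede a blank line;
    # base64 data never contains ':', so that is a safe way to tell them apart.
    i = 0
    while i < len(body) and body[i] and ":" in body[i]:
        i += 1
    if i < len(body) and body[i] == "":
        i += 1
    b64_lines, checksum = [], None
    while i < len(body) and body[i] != end_marker:
        ln = body[i].strip()
        if ln.startswith("="):          # "=XXXX" CRC-24 trailer line
            checksum = ln[1:]
        elif ln:
            b64_lines.append(ln)
        i += 1
    if i >= len(body):
        raise ValueError(f"missing {end_marker}")
    data = base64.b64decode("".join(b64_lines), validate=True)
    if checksum is not None:
        expected = int.from_bytes(base64.b64decode(checksum, validate=True), "big")
        if expected != crc24(data):
            raise ValueError("armor CRC-24 mismatch (corrupt or truncated keyring)")
    return data


def armor(data: bytes, kind: str = "PGP PUBLIC KEY BLOCK") -> str:
    """Reverse of dearmor; used here only to build a demo input."""
    b64 = base64.b64encode(data).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN {kind}-----", ""] + body
                     + [f"={crc}", f"-----END {kind}-----", ""])


def to_binary_keyring(blob: bytes) -> bytes:
    """Return a keyring in the binary form gpgv accepts, de-armoring if needed."""
    return dearmor(blob.decode("ascii")) if is_armored(blob) else blob


if __name__ == "__main__":
    # Constructed placeholder bytes standing in for real OpenPGP packets.
    sample = b"\x99\x00\x05hello"
    armored = armor(sample).encode("ascii")
    print("armored input detected:", is_armored(armored))
    print("round trip ok:", to_binary_keyring(armored) == sample)
    # Writing the result to a file is what you would then hand to:
    #   gpgv --keyring ./fedora-binary.gpg CHECKSUM
```

The CRC-24 check is the part worth keeping even if you script this with `gpg --dearmor` instead: a keyring that was cut off mid-download still decodes as base64, and only the trailer catches it.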