Jonathan Ryshpan wrote:
> On Fri, 2021-06-25 at 22:25 -0400, Todd Zullinger wrote:
>> There's nothing wrong with that output.  The warning is
>> simply telling you that the Fedora key isn't signed by a key
>> you've marked as trusted.
...
> 
> Just as I thought.   So...
> 
> How do I mark a key as trusted?

One way is to add a local signature to the Fedora keys,
assuming you have a gpg key yourself.  However, I would
simply take the warning for what it is and not sign the
Fedora keys.

> What precautions are needed to be sure that the key should
> actually be trusted?

From https://getfedora.org/en/security/, you can view the
fingerprints of the currently active keys Fedora uses for
signing the CHECKSUM files.  To check the fingerprint for
the Fedora 34 key, for example:

    $ gpg --list-key --with-fingerprint 45719A39
    pub   rsa4096 2020-08-06 [SCE]
          8C5B A699 0BDB 26E1 9F2A  1A80 1161 AE69 4571 9A39
    uid           [ unknown] Fedora (34) <fedora-34-prim...@fedoraproject.org>

It's worth noting that you're effectively trusting the TLS
certificate of getfedora.org in this process.  And if you're
doing that to get the signatures, you can just as well trust
it when you download the fedora.gpg file.  It's not bad to
check the fingerprints, it's just good to be aware of how
much (or how little) additional security it gets you.

-- 
Todd
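
An added example for this thread (not Todd's script and not Fedora's own tooling): a small Python check that automates the comparison Todd describes, pinning the Fedora 34 fingerprint quoted above and comparing it against the fingerprints in a downloaded key file. The `gpg --show-keys` invocation is an assumption about the gpg version available; the colon-format listing embedded below is constructed by hand from the fingerprint in the thread, and its subkey records are invented purely to exercise the parser.

```python
"""Check that a downloaded Fedora key file carries the fingerprint published
on the getfedora.org security page, rather than trusting the file's own claims.

Added example for this thread; not Fedora's tooling.  The pinned fingerprint
is the one quoted in the thread; the sample gpg output below is constructed.
"""
import re
import subprocess
from typing import Dict

# Fingerprint of the Fedora 34 key as shown on https://getfedora.org/en/security/
# and quoted in the thread.  It is pinned here because the check is only worth
# anything if this value comes from a source other than the key file itself.
PINNED_FINGERPRINTS = {
    "Fedora (34)": "8C5B A699 0BDB 26E1 9F2A 1A80 1161 AE69 4571 9A39",
}


def normalize_fpr(fpr: str) -> str:
    """Strip whitespace and upper-case so both gpg notations compare equal."""
    return re.sub(r"\s+", "", fpr).upper()


def parse_primary_fingerprints(colons: str) -> Dict[str, str]:
    """Map each user ID to its *primary* key fingerprint.

    Input is `gpg --with-colons` output.  Only the fpr record that directly
    follows a pub record belongs to the primary key; an fpr record after a
    sub record is a subkey fingerprint and must not be matched against the
    published value.
    """
    by_uid: Dict[str, str] = {}
    primary_fpr = None
    last = None
    for line in colons.splitlines():
        fields = line.split(":")
        kind = fields[0]
        if kind == "pub":
            primary_fpr, last = None, "pub"
        elif kind == "sub":
            last = "sub"
        elif kind == "fpr" and last == "pub":
            primary_fpr, last = fields[9], "fpr"   # field 10 holds the fingerprint
        elif kind == "uid" and primary_fpr is not None:
            by_uid[fields[9]] = primary_fpr          # field 10 holds the user ID
    return by_uid


def verify_fingerprints(colons: str, pinned: Dict[str, str]) -> Dict[str, bool]:
    """For each pinned name, True only if a uid starting with that name exists
    and every such primary fingerprint equals the pinned one.  A missing key
    and a mismatched key both report False; the mismatch is the case to worry
    about, since it means the file does not carry the published key."""
    by_uid = parse_primary_fingerprints(colons)
    result: Dict[str, bool] = {}
    for name, expected in pinned.items():
        matches = [fpr for uid, fpr in by_uid.items() if uid.startswith(name)]
        result[name] = bool(matches) and all(
            normalize_fpr(f) == normalize_fpr(expected) for f in matches
        )
    return result


def show_keys(path: str) -> str:
    """List a key file without importing it.  Assumes a gpg new enough to
    support --show-keys (hypothetical for this example; not run by the test)."""
    return subprocess.run(
        ["gpg", "--with-colons", "--with-fingerprint", "--show-keys", path],
        check=True, capture_output=True, text=True,
    ).stdout


# Constructed sample of --with-colons output for the key quoted in the thread.
# The sub/fpr records are invented to exercise the parser; the listing shown
# in the thread has no subkey.  The uid is copied as the thread shows it.
GOOD_SAMPLE = """\
pub:-:4096:1:1161AE6945719A39:1596672000:::-:::scESC::::::23::0:
fpr:::::::::8C5BA6990BDB26E19F2A1A801161AE6945719A39:
uid:-::::1596672000::0000000000000000000000000000000000000000::Fedora (34) <fedora-34-prim...@fedoraproject.org>::::::::::0:
sub:-:4096:1:0123456789ABCDEF:1596672000::::::e::::::23:
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFF0123456789ABCDEF:
"""

# Same listing with one nibble of the primary fingerprint changed: this is the
# "someone handed you a different key file" case the check must catch.
BAD_SAMPLE = GOOD_SAMPLE.replace(
    "8C5BA6990BDB26E19F2A1A801161AE6945719A39",
    "8C5BA6990BDB26E19F2A1A801161AE6945719A38", 1)

if __name__ == "__main__":
    import sys
    listing = show_keys(sys.argv[1]) if len(sys.argv) > 1 else GOOD_SAMPLE
    for name, ok in verify_fingerprints(listing, PINNED_FINGERPRINTS).items():
        print(f"{name}: {'fingerprint matches' if ok else 'MISMATCH or missing'}")
```

Run it as `python3 check_fedora_key.py fedora.gpg` to check a real download; with no argument it runs against the constructed sample. Note the point Todd makes still applies: the pinned value above was itself read over TLS from getfedora.org, so the script only adds assurance if you obtained the fingerprint through a second channel (a previously installed Fedora system, a key you verified earlier) rather than from the same download session.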

_______________________________________________
users mailing list -- users@lists.fedoraproject.org