I was unable to find a fingerprint for
pkgs.fedoraproject.org. Since the
risk is low, I'll start doing work and check it retroactively.
I think there should be some comment in the documentation about what the
project expects maintainers to do with regard to using it to avoid
man in the middle attacks.