Jonathan Ryshpan wrote:
On Fri, 2021-06-25 at 22:25 -0400, Todd Zullinger wrote:
There's nothing wrong with that output. The warning is simply telling you that the Fedora key isn't signed by a key you've marked as trusted.
...
Just as I thought. So...
How do I mark a key as trusted?
One way is to add a local signature to the Fedora keys, assuming you have a gpg key yourself. However, I would simply take the warning for what it is and not sign the Fedora keys.
What precautions are needed to be sure that the key should actually be trusted?
From https://getfedora.org/en/security/, you can view the fingerprints of the currently active keys Fedora uses for signing the CHECKSUM files. To check the fingerprint for the Fedora 34 key, for example:
$ gpg --list-key --with-fingerprint 45719A39
pub   rsa4096 2020-08-06 [SCE]
      8C5B A699 0BDB 26E1 9F2A 1A80 1161 AE69 4571 9A39
uid           [ unknown] Fedora (34) <fedora-34-primary@fedoraproject.org>
It's worth noting that you're effectively trusting the TLS certificate of getfedora.org in this process. And if you're doing that to get the signatures, you can just as well trust it when you download the fedora.gpg file. It's not bad to check the fingerprints, it's just good to be aware of how much (or how little) additional security it gets you.
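The fingerprint check Todd describes, written out as a small POSIX sh script. This is an added example and not code from the thread or from Fedora; the only value taken from the thread is the published Fedora 34 fingerprint, and the function names (norm_fpr, fprs_from_colons, fpr_in_list, check_sample, verify_checksum) and the sample colon-format listing are this example's own constructions. It reads gpg's machine-readable `--with-colons` output rather than the human listing, so spacing and case in the fingerprint you copy from getfedora.org do not matter, and it checks every fingerprint in a keyring such as fedora.gpg, which holds more than one key.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): compare the fingerprint(s)
# gpg reports for a key or keyring against the fingerprint published at
# https://getfedora.org/en/security/, then verify a CHECKSUM file only against
# that keyring. Function names and the sample listing are this example's own.

# Fingerprint published for the Fedora (34) signing key, as quoted in the thread.
EXPECTED_F34='8C5B A699 0BDB 26E1 9F2A 1A80 1161 AE69 4571 9A39'

# Normalise a fingerprint for comparison: drop spaces, upper-case the hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Read `gpg --with-colons` output on stdin and print the fingerprint of every
# "fpr" record, one per line. Field 10 of an fpr record is the fingerprint.
fprs_from_colons() {
    awk -F: '$1 == "fpr" { print $10 }'
}

# Exit 0 when fingerprint $1 equals any of the fingerprints $2..$n, else 1.
fpr_in_list() {
    want=$(norm_fpr "$1")
    shift
    for f in "$@"; do
        [ "$(norm_fpr "$f")" = "$want" ] && return 0
    done
    return 1
}

# Constructed sample of what `gpg --with-colons --fingerprint 45719A39` prints
# for the key shown in the thread (pub and uid records abbreviated).
SAMPLE_COLONS='pub:-:4096:1:1161AE6945719A39:2020-08-06::::::scESC:
fpr:::::::::8C5BA6990BDB26E19F2A1A801161AE6945719A39:
uid:-::::2020-08-06::HASH::Fedora (34) <fedora-34-primary@fedoraproject.org>:'

# Offline check of the constructed sample against the published fingerprint.
# The command substitution is deliberately unquoted so each line becomes one argument.
check_sample() {
    fpr_in_list "$EXPECTED_F34" $(printf '%s\n' "$SAMPLE_COLONS" | fprs_from_colons)
}

# Real use (needs gpg and gpgv; not run by the offline check above):
#   verify_checksum ./fedora.gpg Fedora-Workstation-34-1.2-x86_64-CHECKSUM "$EXPECTED_F34"
# Lists the keys in the downloaded keyring without importing them, requires the
# published fingerprint to be among them, then verifies the clearsigned
# CHECKSUM file against that keyring alone. Give the keyring as a path with a
# slash in it, otherwise gpgv looks for it in ~/.gnupg instead.
verify_checksum() {
    keyring=$1; checksum=$2; expected=$3
    if ! fpr_in_list "$expected" $(gpg --with-colons --with-fingerprint \
            --import-options show-only --import "$keyring" 2>/dev/null | fprs_from_colons); then
        echo "published fingerprint not found in $keyring" >&2
        return 1
    fi
    gpgv --keyring "$keyring" "$checksum"
}

if [ "$#" -eq 3 ]; then
    verify_checksum "$1" "$2" "$3"
fi
```

Note that this only confirms the keyring you downloaded contains the key whose fingerprint the website shows; as the message above says, both the keyring and the fingerprint arrive over the same TLS connection to getfedora.org, so the check guards against a corrupted or wrong download rather than against a compromise of that site.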