Jonathan Ryshpan wrote:
While verifying my download of Fedora-34, I encounter this message:
$ gpg --verify-files *-CHECKSUM
gpg: Signature made Fri 23 Apr 2021 12:36:44 PM PDT
gpg: using RSA key 8C5BA6990BDB26E19F2A1A801161AE6945719A39
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8C5B A699 0BDB 26E1 9F2A 1A80 1161 AE69 4571 9A39
I surmise this means that my computer's list of trusted signatures
needs to be brought up to date (actually it may not even exist). How
can this be done? A link to info would suffice.
There's nothing wrong with that output. The warning is
simply telling you that the Fedora key isn't signed by a key
you've marked as trusted.
As an aside, we (the royal we, as in folks in the Fedora
community who maintain the website) should change the
verification step to recommend gpgv rather than the gpg
command. It would require making the fedora.gpg a
de-armored file, but then it the instructions would be
simpler.
Just as I thought. So...
How do I mark a key as trusted? What precautions are needed to be sure that the key should actually be trusted?