While verifying my download of Fedora-34, I encounter this message: $ gpg --verify-files *-CHECKSUM gpg: Signature made Fri 23 Apr 2021 12:36:44 PM PDT gpg: using RSA key 8C5BA6990BDB26E19F2A1A801161AE6945719A39 gpg: Good signature from "Fedora (34) fedora-34-primary@fedoraproject.org" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 8C5B A699 0BDB 26E1 9F2A 1A80 1161 AE69 4571 9A39 I surmise this means that my computer's list of trusted signatures needs to be brought up to date (actually it may not even exist). How can this be done? A link to info would suffice.
Hi,
Jonathan Ryshpan wrote:
While verifying my download of Fedora-34, I encounter this message: $ gpg --verify-files *-CHECKSUM gpg: Signature made Fri 23 Apr 2021 12:36:44 PM PDT gpg: using RSA key 8C5BA6990BDB26E19F2A1A801161AE6945719A39 gpg: Good signature from "Fedora (34) fedora-34-primary@fedoraproject.org" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 8C5B A699 0BDB 26E1 9F2A 1A80 1161 AE69 4571 9A39 I surmise this means that my computer's list of trusted signatures needs to be brought up to date (actually it may not even exist). How can this be done? A link to info would suffice.
There's nothing wrong with that output. The warning is simply telling you that the Fedora key isn't signed by a key you've marked as trusted.
As an aside, we (the royal we, as in folks in the Fedora community who maintain the website) should change the verification step to recommend gpgv rather than the gpg command. It would require making the fedora.gpg a de-armored file, but then it the instructions would be simpler.
On Fri, 2021-06-25 at 22:25 -0400, Todd Zullinger wrote:
Jonathan Ryshpan wrote:
While verifying my download of Fedora-34, I encounter this message: $ gpg --verify-files *-CHECKSUM gpg: Signature made Fri 23 Apr 2021 12:36:44 PM PDT gpg: using RSA key 8C5BA6990BDB26E19F2A1A801161AE6945719A39 gpg: Good signature from "Fedora (34) fedora-34-primary@fedoraproject.org" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 8C5B A699 0BDB 26E1 9F2A 1A80 1161 AE69 4571 9A39 I surmise this means that my computer's list of trusted signatures needs to be brought up to date (actually it may not even exist). How can this be done? A link to info would suffice.
There's nothing wrong with that output. The warning is simply telling you that the Fedora key isn't signed by a key you've marked as trusted.
As an aside, we (the royal we, as in folks in the Fedora community who maintain the website) should change the verification step to recommend gpgv rather than the gpg command. It would require making the fedora.gpg a de-armored file, but then it the instructions would be simpler.
Just as I thought. So...
How do I mark a key as trusted? What precautions are needed to be sure that the key should actually be trusted?
Jonathan Ryshpan wrote:
On Fri, 2021-06-25 at 22:25 -0400, Todd Zullinger wrote:
There's nothing wrong with that output. The warning is simply telling you that the Fedora key isn't signed by a key you've marked as trusted.
...
Just as I thought. So...
How do I mark a key as trusted?
One way is to add a local signature to the Fedora keys, assuming you have a gpg key yourself. However, I would simply take the warning for what it is and not sign the Fedora keys.
What precautions are needed to be sure that the key should actually be trusted?
From https://getfedora.org/en/security/, you can view the fingerprints of the currently active keys Fedora uses for signing the CHECKSUM files. To check the fingerprint for the Fedora 34 key, for example:
$ gpg --list-key --with-fingerprint 45719A39 pub rsa4096 2020-08-06 [SCE] 8C5B A699 0BDB 26E1 9F2A 1A80 1161 AE69 4571 9A39 uid [ unknown] Fedora (34) fedora-34-primary@fedoraproject.org
It's worth noting that you're effectively trusting the TLS certificate of getfedora.org in this process. And if you're doing that to get the signatures, you can just as well trust it when you download the fedora.gpg file. It's not bad to check the fingerprints, it's just good to be aware of how much (or how little) additional security it gets you.
I wrote:
As an aside, we (the royal we, as in folks in the Fedora community who maintain the website) should change the verification step to recommend gpgv rather than the gpg command. It would require making the fedora.gpg a de-armored file, but then it the instructions would be simpler.
I made that suggestion in patch form to the websites team:
https://pagure.io/fedora-web/websites/pull-request/189
On Fri, 2021-06-25 at 22:25 -0400, Todd Zullinger wrote:
As an aside, we (the royal we, as in folks in the Fedora community who maintain the website)
(Very very OT)
I think you mean "we" without the qualification. The "Royal we" doesn't mean "us" but "me", when used by a person of high office. Folk etymology says it refers to "myself and God".
https://en.wikipedia.org/wiki/Royal_we
poc
Patrick O'Callaghan wrote:
On Fri, 2021-06-25 at 22:25 -0400, Todd Zullinger wrote:
As an aside, we (the royal we, as in folks in the Fedora community who maintain the website)
(Very very OT)
I think you mean "we" without the qualification. The "Royal we" doesn't mean "us" but "me", when used by a person of high office. Folk etymology says it refers to "myself and God".
D'oh! Thanks for the tangent and correction.
I could try to argue that I did me mean as I did submit a patch to make the change -- but I don't think anyone would fall for that ruse. :)
And in case there's any question of the patch's authorship, it was mine alone. I didn't have any divine assistance (if I had, it would have gone much quicker).
Cheers,
-
Jonathan Ryshpan -
Patrick O'Callaghan -
Todd Zullinger