[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: certification of signatures

mike wrote:
> I have a real basic question about verifying your download for Fedora 7,
> 8 and 9.  I'm new to keys, signatures, certification, etc. and I haven't
> been able to find what I need in the Fedora help resources.  Apologies  
> if this is the wrong place to post or if a similar post appears (not  
> sure that it was lost).
> The following is for Fedora 9.  I downloaded the iso on May 8th and  
> SHA1SUM on September 2 from the Kent mirrorservice in the UK.
> If I follow the instructions at http://fedoraproject.org/en/verify I get:
> [mike desktop iso]$ gpg --verify SHA1SUM
> gpg: Signature made Thu 08 May 2008 03:03:44 BST using DSA key ID 4F2A6FD2
> gpg: Good signature from "Fedora Project <fedora redhat com>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: CAB4 4B99 6F27 744E 8612  7CDF B442 69D0 4F2A 6FD2
> [mike desktop iso]$
> My question is do I need to worry about the lack of certification?

That really depends on how cautious you want to be.

> If I do how do I check that the signature is certified?

You can verify the fedora gpg keys by following the steps at:


The key used to sign the Fedora 9 and earlier isos is now in the
"Obsolete keys" section, but the fingerprint information on that page
is still accurate.

> Also, does this have  anything to do with the migration to new
> package keys?


Though if you download Fedora 10 Beta, you'll find that it is signed
with a new key, which is not mentioned on the /verify page.  This will
hopefully be fixed┬╣ before Fedora 10 is released.

┬╣ https://fedorahosted.org/fedora-infrastructure/ticket/888

Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
A cynic is a man who, when he smells flowers, looks around for a
    -- H. L. Mencken

Attachment: pgpwk22a5rliX.pgp
Description: PGP signature

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]