How to verify Fedora 40 package signing keys

Could someone please help me verify that my Fedora 40 dnf package signing key is correct.

In previous versions of Fedora I’m used to the first run of dnf on a new install to import the key and display a fingerprint which I can verify is correct on the Fedora site.

I just installed Fedora 40 and I did not get any verification challenge on the first run. I'm installing from the KDE Spin live ISO, which has been verified valid. I'm not well versed in gpg and am concerned I did not have the opportunity to verify the fingerprint. I've done the below, but don't know how to get a fingerprint to compare to the project website.

Have there been changes in version 40 or is this an anomaly? Thanks for your help.

I ran "sudo dnf config-manager --dump", and I see "gpgcheck = 1".

sudo rpm -qa gpg* displays gpg-pubkey-a15b79cc-63d04c2c

sudo rpm -qi gpg-pubkey-a15b79cc-63d04c2c displays:

Name        : gpg-pubkey
Version     : a15b79cc
Release     : 63d04c2c
Architecture: (none)
Install Date: Sun 14 Apr 2024 04:04:30 PM MST
Group       : Public Keys
Size        : 0
License     : pubkey
Signature   : (none)
Source RPM  : (none)
Build Date  : Tue 24 Jan 2023 02:22:52 PM MST
Build Host  : localhost
Packager    : Fedora (40) <fedora-40-primary@fedoraproject.org>
Summary     : Fedora (40) <fedora-40-primary@fedoraproject.org> public key
Description :
-----BEGIN PGP PUBLIC KEY BLOCK-----
…
=wOl2
-----END PGP PUBLIC KEY BLOCK-----

If you installed directly from the iso image from fedora you may rest assured that all the included packages are valid. This is confirmed when you do the checksum verification of the downloaded iso before burning it to the usb device.

After the installation when you do an update using either dnf or the software manager (discover ?) it manages that check for you.

There has never been a method provided that I am aware of for the user to directly verify the gpg key during the installation since the iso itself is verified during creation, has the means to have the checksum verified after download, and the software manager also verifies packages checksums and gpg signatures during updates.

During installs of earlier versions, on first run of dnf I've always seen a message similar to the following. This example is from a very early version I found searching for solutions, but is similar to what I've seen in Fedora 39 installs. I'm certain I've seen similar challenges in CentOS Stream installs too.

Importing GPG key 0x12C944D0:
Userid : "Fedora (32) "
Fingerprint: 97A1 AE57 C3A2 372C CA3A 4ABA 6C13 026D 12C9 44D0
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-32-x86_64
Is this ok [y/N]:

From there, I’m used to confirming the fingerprint on this page - Fedora keeps you safe | The Fedora Project

I’ve done 2 installs of Fedora 40 KDE spin now, neither prompted me on first run of dnf update for this challenge.

This comment is only seen when the key in question has not already been installed/imported. A new install should not require that. An upgrade from an earlier version usually does require that.

The install that prompted me to reach out to this community is on a new HP laptop with secure boot enabled. I just ran 3 additional test installs on VMs.

  1. Fedora 40 KDE spin. Does not ask to verify key fingerprint check.
  2. Fedora 39 KDE spin. Does ask to verify fingerprint.
  3. Fedora 40 Workstation. Does not ask to verify fingerprint.

Basing my concern on a dozen or so installations I've done on recent versions of Fedora and CentOS products, it appears Fedora 40 is behaving differently. All new installs from ISO, no upgrades.

My findings may be anecdotal, but I can’t help but think there may be some methodology change in the process. Maybe I follow too much tech security news, but the method by which I can verify that updates are being handled securely is the basis of my trust in the OS.

You can check the fingerprints of the imported keys against the ones listed here:
Fedora keeps you safe | The Fedora Project

Then check the GPG signatures of all installed packages against the imported keys:

rpm -q -a --qf "%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\
\t%{DSAHEADER:pgpsig}\t%{RSAHEADER:pgpsig}\n" \
| grep -v -f <(rpm -q --qf "%{VERSION}\n" gpg-pubkey)

That should list only unsigned packages and ones with untrusted signatures.

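The three identifiers that appear in this thread are related: the `a15b79cc` in the package name gpg-pubkey-a15b79cc-63d04c2c is the low 32 bits of the key ID (the last 8 hex digits of a v4 fingerprint), `63d04c2c` is the key creation time as a hex Unix timestamp, and dnf's "Importing GPG key 0x12C944D0" line shows that same kind of key ID next to the full 40-digit fingerprint. The script below is an added example, not code from anyone in this thread or from the Fedora project; it parses the rpm -qi and dnf prompt output quoted above (embedded as constructed samples) and checks that a fingerprint copied from the Fedora page ends with the key ID rpm recorded. The function names and sample data are mine; the fingerprint-to-key-ID relationship is standard OpenPGP v4 behaviour.

```python
"""Cross-check the RPM-imported Fedora signing key against a published fingerprint.

rpm stores an imported OpenPGP key as a pseudo-package named
gpg-pubkey-<keyid>-<created>: <keyid> is the low 32 bits of the key ID,
which for a v4 key are the last 8 hex digits of its fingerprint, and
<created> is the key creation time as a hex Unix timestamp. dnf's import
prompt shows the same key ID after "Importing GPG key 0x" together with
the full fingerprint. All sample data below is constructed from the
output quoted in the thread.
"""
import re
from datetime import datetime, timezone

# Constructed sample: the rpm -qi output from the question, trimmed to the
# fields used here.
RPM_QI_SAMPLE = """\
Name        : gpg-pubkey
Version     : a15b79cc
Release     : 63d04c2c
Build Date  : Tue 24 Jan 2023 02:22:52 PM MST
Packager    : Fedora (40) <fedora-40-primary@fedoraproject.org>
"""

# Constructed sample: the dnf import prompt from the question (Fedora 32 key).
DNF_PROMPT_SAMPLE = """\
Importing GPG key 0x12C944D0:
 Fingerprint: 97A1 AE57 C3A2 372C CA3A 4ABA 6C13 026D 12C9 44D0
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-32-x86_64
Is this ok [y/N]:
"""


def normalize_fingerprint(value: str) -> str:
    """Upper-case a fingerprint or key ID and drop spaces and a 0x prefix."""
    hexstr = re.sub(r"\s+", "", value).upper()
    if hexstr.startswith("0X"):
        hexstr = hexstr[2:]
    if not re.fullmatch(r"[0-9A-F]{8,40}", hexstr):
        raise ValueError(f"not a hex key ID or fingerprint: {value!r}")
    return hexstr


def parse_rpm_pubkey(qi_output: str) -> dict:
    """Decode key ID and creation time from `rpm -qi gpg-pubkey-...` output."""
    fields = {}
    for line in qi_output.splitlines():
        key, sep, val = line.partition(":")
        if sep:
            fields[key.strip()] = val.strip()
    if fields.get("Name") != "gpg-pubkey":
        raise ValueError("not a gpg-pubkey record")
    return {
        "short_id": normalize_fingerprint(fields["Version"]),
        # Release is the creation timestamp in hex: 0x63d04c2c is
        # 2023-01-24 21:22:52 UTC, i.e. the quoted Build Date of 02:22:52 PM MST.
        "created": datetime.fromtimestamp(int(fields["Release"], 16), tz=timezone.utc),
        "packager": fields.get("Packager", ""),
    }


def parse_dnf_prompt(prompt: str) -> dict:
    """Extract key ID and fingerprint from dnf's "Importing GPG key" prompt."""
    m_id = re.search(r"Importing GPG key 0x([0-9A-Fa-f]{8,16})", prompt)
    m_fpr = re.search(r"Fingerprint\s*:\s*([0-9A-Fa-f ]+)", prompt)
    if not (m_id and m_fpr):
        raise ValueError("key ID or fingerprint not found in prompt")
    return {
        "key_id": normalize_fingerprint(m_id.group(1)),
        "fingerprint": normalize_fingerprint(m_fpr.group(1)),
    }


def fingerprint_matches_key_id(fingerprint: str, key_id: str) -> bool:
    """True if the fingerprint ends with the key ID (a v4 key ID is the trailing
    64 bits of the fingerprint; rpm's package name keeps only the trailing 32)."""
    return normalize_fingerprint(fingerprint).endswith(normalize_fingerprint(key_id))


def compare_fingerprints(actual: str, published: str) -> bool:
    """Compare two full 40-digit fingerprints; shorter values are refused so a
    bare key ID can never pass as a full match."""
    a, p = normalize_fingerprint(actual), normalize_fingerprint(published)
    if len(a) != 40 or len(p) != 40:
        raise ValueError("full 40-hex-digit fingerprints required")
    return a == p


def verify_imported_key(qi_output: str, published_fingerprint: str) -> bool:
    """Check that a fingerprint published out of band belongs to the key rpm
    recorded. Only 32 bits are available from rpm's name, so treat a match as
    a sanity check and use compare_fingerprints for the real comparison."""
    info = parse_rpm_pubkey(qi_output)
    return fingerprint_matches_key_id(published_fingerprint, info["short_id"])


if __name__ == "__main__":
    key = parse_rpm_pubkey(RPM_QI_SAMPLE)
    print(f"imported key ID ...{key['short_id']}, created "
          f"{key['created']:%Y-%m-%d %H:%M:%S %Z}, {key['packager']}")
    prompt = parse_dnf_prompt(DNF_PROMPT_SAMPLE)
    print("dnf prompt self-consistent:",
          fingerprint_matches_key_id(prompt["fingerprint"], prompt["key_id"]))
    # The Fedora 32 fingerprint from the prompt must NOT match the Fedora 40 key.
    print("Fedora 32 fingerprint matches Fedora 40 key:",
          verify_imported_key(RPM_QI_SAMPLE, prompt["fingerprint"]))
```

The package name carries only 32 bits of the key ID, so a match there rules out a typo or a wrong key but is not a substitute for comparing all 40 digits. To get the full fingerprint of the key rpm actually imported, pipe the armored block out of `rpm -q gpg-pubkey --qf '%{DESCRIPTION}'` into `gpg --show-keys --with-fingerprint` (this assumes GnuPG 2.1.23 or later, where `--show-keys` exists) and hand that value and the one from the Fedora page to `compare_fingerprints`.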

Thank you. Using that query I was able to verify that all signatures match and everything is as expected.

I appreciate your help.
