Question about verifying the ISO

Hi,

I just wanted to check a small detail about verifying the ISO.
I have downloaded the checksum and pgp/gpg files.
but as per

I have run
gpg --with-fingerprint --show-keys --keyid-format long fedora.gpg

Comparing the output to what's listed on the site, the fingerprint should be
ID:rsa4096/31645531 2024-08-10
Fingerprint:
C6E7F081CF80E13146676E88829B606631645531
DNS Record:72dec291ea5c80f07dca832be132f5c6cb6d43713ec4843dff82d7ee._openpgpkey.fedoraproject.org

For me the ID does not match at all, but the fingerprint does. No DNS record is shown for me. Is that expected?

Thanks

Here are the relevant DNS records:

Hi,

Thanks for your reply. I am not entirely sure what you're referring to, if you could clarify?

This is a method for distributing PGP keys:

> dig +short -t OPENPGPKEY -q \
72dec291ea5c80f07dca832be132f5c6cb6d43713ec4843dff82d7ee.\
_openpgpkey.fedoraproject.org | base64 -d -i | gpg --show-key
pub   rsa4096 2024-08-10 [SCE]
      C6E7F081CF80E13146676E88829B606631645531
uid                      Fedora (43) <fedora-43-primary@fedoraproject.org>

Yes, that is expected. The DNS record is just provided as another means of fetching the key for verification.

You could, for example, use a dig command like the following to query the DNS record.

dig -t openpgpkey 72dec291ea5c80f07dca832be132f5c6cb6d43713ec4843dff82d7ee._openpgpkey.fedoraproject.org +short | base64 -id | gpg --show-keys

I think the idea is that providing multiple sources for retrieving the keys should make it more difficult for a hacker to fake all the sources and provide false data.

As for the difference in the ID string, that needs to be fixed on the website. The website is showing the short form of the ID (just the last 8 hex digits of the fingerprint).


Edit: Valdislav beat me to figuring out the dig command. 🙂

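The check discussed in the answer above, as an added example that is not part of the thread or of Fedora's tooling: it reads the primary fingerprint from `gpg --with-colons` output, compares the full 40-digit value against the published one, and shows that the long and short key IDs are only the tail of that fingerprint. The function names are hypothetical, and the colon-format sample records are constructed around the fingerprint quoted in the thread.

```shell
#!/bin/sh
# Added example: verify a key by its full fingerprint, not by its key ID.

# Strip spaces and upper-case, so "c6e7 f081 ..." and "C6E7F081..." compare equal.
norm_fpr() { printf '%s' "$1" | tr -d ' \n' | tr 'abcdef' 'ABCDEF'; }

# Key IDs of a v4 key are the tail of its 40-hex-digit fingerprint.
long_id()  { norm_fpr "$1" | cut -c25-40; }   # last 16 digits (--keyid-format long)
short_id() { norm_fpr "$1" | cut -c33-40; }   # last 8 digits (short form)

# Read `gpg --with-colons` output on stdin and print the primary key's
# fingerprint: field 10 of the first "fpr" record after the "pub" record.
primary_fpr() {
    awk -F: '$1 == "pub" { seen = 1 } seen && $1 == "fpr" { print $10; exit }'
}

# Succeed only when both values are the same full 40-digit fingerprint.
# A bare key ID is rejected even if it is identical on both sides.
same_key() {
    want=$(norm_fpr "$1"); got=$(norm_fpr "$2")
    [ "${#want}" -eq 40 ] && [ "$want" = "$got" ]
}

# Fingerprint as quoted in the thread.
PUBLISHED='C6E7F081CF80E13146676E88829B606631645531'

# Constructed sample shaped like `gpg --show-keys --with-colons fedora.gpg`;
# the timestamp and flag fields are made up for illustration.
SAMPLE='pub:-:4096:1:829B606631645531:1723248000:::-:::scESC::::::23::0:
fpr:::::::::C6E7F081CF80E13146676E88829B606631645531:
uid:-::::1723248000::0000000000000000000000000000000000000000::Fedora (43) <fedora-43-primary@fedoraproject.org>::::::::::0:'

# For a real key file, replace the printf with:
#   gpg --show-keys --with-colons fedora.gpg
actual=$(printf '%s\n' "$SAMPLE" | primary_fpr)

if same_key "$PUBLISHED" "$actual"; then
    echo "fingerprint OK"
    echo "long ID:  $(long_id "$actual")"
    echo "short ID: $(short_id "$actual")"
else
    echo "fingerprint MISMATCH" >&2
fi
```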

Thanks for clarifying,

I did not even notice the ID matched only the last 8 digits.
That makes sense to have other means to check the certs.

Thanks


Ah I see, so it's another way of fetching the signature/cert. It is just how it all comes together, fair enough.

Thanks