The Fedora Project currently provides cleartext signatures to verify the ISO files. I recommend the Fedora Project additionally provide detached signatures due to the security issues with cleartext signatures.
From the GnuPG manual:
Note: When verifying a cleartext signature, gpg verifies only what makes up the
cleartext signed data and not any extra data outside of the cleartext signature
or the header lines directly following the dash marker line. The option --output
may be used to write out the actual signed data, but there are other pitfalls
with this format as well. It is suggested to avoid cleartext signatures in favor
of detached signatures.
As a result, an attacker or malicious mirror could insert arbitrary data outside of the header lines without causing the signature verification to fail. For example, a file containing the following data would verify successfully with the Fedora 40 GPG key.
# INSERTED!!! INCORRECT HASH!!!
SHA256 (Fedora-Workstation-Live-x86_64-40-1.14.iso) = dd1faca950d1a8c3d169adf2df4c3644ebb62f8aac04c401f2393e521395d444
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
# Fedora-Workstation-Live-osb-40-1.14.x86_64.iso: 2623733760 bytes
SHA256 (Fedora-Workstation-Live-osb-40-1.14.x86_64.iso) = 8d3cb4d99f27eb932064915bc9ad34a7529d5d073a390896152a8a899518573f
# Fedora-Workstation-Live-x86_64-40-1.14.iso: 2295853056 bytes
SHA256 (Fedora-Workstation-Live-x86_64-40-1.14.iso) = dd1faca950d1a8c3d169adf2df4c3644ebb62f8aac04c401f2393e521395d613
-----BEGIN PGP SIGNATURE-----
[armored signature data omitted]
-----END PGP SIGNATURE-----
A naive user may incorrectly assume the entire file has been successfully verified and may erroneously trust the arbitrarily inserted data. Users should visually inspect their checksum files to ensure no arbitrary data has been inserted outside of the header lines, or they should extract the signed data using the --output option.
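To make the "inspect the file" advice above mechanical, here is an added example (not from the post or from Fedora's tooling) that splits a cleartext-signed CHECKSUM file into the region gpg actually signs and any text outside it, and only takes SHA256 entries from the signed region. The sample file is constructed after the post's example, with a placeholder in place of the armored signature; gpg --verify is still needed to check the signature itself.

```python
"""Split a clearsigned CHECKSUM file into the signed body and unsigned text that gpg --verify ignores."""
import re

BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"
CHECKSUM_RE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-f]{64})$")


def split_clearsigned(text):
    """Return (signed_lines, unsigned_lines) for an RFC 4880 cleartext signature."""
    lines = text.splitlines()
    try:
        b = lines.index(BEGIN)
        s = lines.index(SIG_BEGIN, b)
        e = lines.index(SIG_END, s)
    except ValueError:
        raise ValueError("not a well-formed cleartext signature") from None
    body = b + 1
    while body < s and re.match(r"^[A-Za-z-]+: ", lines[body]):  # e.g. 'Hash: SHA256'
        body += 1
    if body < s and not lines[body].strip():  # blank line closes the header block
        body += 1
    # Dash-escaping: a signed line beginning with '-' is stored as '- -...'.
    signed = [ln[2:] if ln.startswith("- ") else ln for ln in lines[body:s]]
    unsigned = [ln for ln in lines[:b] + lines[e + 1:] if ln.strip()]
    return signed, unsigned


def audit_checksum_file(text):
    """Collect SHA256 entries from the signed body only and list unsigned lines."""
    signed, unsigned = split_clearsigned(text)
    checksums = {m["name"]: m["digest"] for m in map(CHECKSUM_RE.match, signed) if m}
    return {"checksums": checksums, "unsigned": unsigned}


# Constructed sample modelled on the post: the first two lines sit outside the
# signed region; the armored signature body is a placeholder, not a real one.
SAMPLE = """\
# INSERTED!!! INCORRECT HASH!!!
SHA256 (Fedora-Workstation-Live-x86_64-40-1.14.iso) = dd1faca950d1a8c3d169adf2df4c3644ebb62f8aac04c401f2393e521395d444
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

SHA256 (Fedora-Workstation-Live-x86_64-40-1.14.iso) = dd1faca950d1a8c3d169adf2df4c3644ebb62f8aac04c401f2393e521395d613
-----BEGIN PGP SIGNATURE-----
<armored signature omitted>
-----END PGP SIGNATURE-----
"""
```

Running `audit_checksum_file(SAMPLE)` reports the two inserted lines as unsigned and returns only the d613 digest as a signed checksum.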
GnuPG cleartext signatures have also suffered from vulnerabilities in the past. CVE-2006-0049 is explained in detail on the GnuPG mailing list:
Signature verification of non-detached signatures may give a positive
result but when extracting the signed data, this data may be prepended
or appended with extra data not covered by the signature. Thus it is
possible for an attacker to take any signed message and inject extra
arbitrary data. Detached signatures (a separate signature file) are not affected.

All versions of gnupg prior to 1.4.2.2 are affected.

Scripts and applications using gpg to verify the integrity of data are
affected. This includes applications using the GPGME library[2]. The GnuPG
version 1.9.x is not affected unless the currently deprecated gpg part has
been enabled.
The cleartext signature format was fraught with issues in the past and has poor usability in the present. It is more secure and usable to provide a detached signature for the ISO files.
As an example, signature verification would proceed as follows.
gpg --verify Fedora-Workstation-Live-x86_64-40-1.14.iso.sig Fedora-Workstation-Live-x86_64-40-1.14.iso
Thank you all for reading my post.
Doby Mick