Output from the gpgv --keyring ./fedora.gpg *-CHECKSUM:
gpgv --keyring ./fedora.gpg *-CHECKSUM
$ gpgv --keyring ./fedora.gpg *-CHECKSUM gpgv: Signature made Thu 10 Nov 2022 04:56:12 PM -03 gpgv: using RSA key ACB5EE4E831C74BB7C168D27F55AD3FB5323552A gpgv: Good signature from "Fedora (37) <fedora-37-primary@fedoraproject.org>"
Output from the verify download page:
Fedora 37 id: 4096R/5323552A 2021-08-10 Fingerprint: ACB5 EE4E 831C 74BB 7C16 8D27 F55A D3FB 5323 552A DNS OpenPGPKey: 5dde64bce74cf052cba5361957e81b0fe47a044c63d2a7315cdac7cd._openpgpkey.fedoraproject.org
The fingerprint/RSA key output isn't formatted the way it's shown in the website.
This is a little tricky. Removing the spaces from the fingerprints will match the gpgv output better, but then it doesn't match the DNF output. I'm not sure how to resolve that without listing multiple gpg commands, which may confuse more than it clarifies.
gpgv
gpg
It might be time to submit a change to DNF (or DNF5) which drops the spaces from fingerprints, to better match gpg's default output. Then we could drop them here as well and be consistent.
It could prbably be argued that the verify page shouldn't be concerned with what DNF outputs and should move to fingerprints without spaces now.
I did submit some changes in this area in PR#271 -- particularly 722d437 (security: add gpg command to display fingerprints of downloaded keys, 2022-10-19) -- but they have not been merged. That was close to the F37 release so it may have been left until after the release and then fell off the radar.
If there's a consensus for dropping the spaces from the fingerprint output, I could roll that into the open PR and we could try to get that merged soon after the F38 dust settles.
For your information, the website on this repository (getfedora) is being retired with F38. The new website (fedoraproject.org) is now located at https://gitlab.com/fedora/websites-apps/fedora-websites/fedora-websites-3.0.
If this issue is still impacting the new website, I recommend opening a new ticket here.
Ahh, thank for the info @darknao. I'll have to read up to be able to work on patches for the new site, so I won't be able to properly offer suggestions in patch form in the very near term, unfortunately.
I do believe that the spaces should be removed from the fingerprint output. I've confirmed that DNF5 doesn't display them, so it matches gpg's default output.
Is there a CI/CD pipeline which produced a viewable page where changes may be verified in the new site? I have made the changes locally, but I'm not yet able to generate the content. I can submit the changes to the new location, but I'm always hesitant to do so without having an ability to verify them.
All that said, I did file a merge request at the new location.
Log in to comment on this ticket.