| |
@@ -901,7 +901,7 @@
|
| |
$(p).html("Import Fedora's GPG keys");
|
| |
code = document.createElement('code');
|
| |
pre = document.createElement('pre');
|
| |
- $(code).html("curl https://getfedora.org/static/fedora.gpg | gpg --import")
|
| |
+ $(code).html("curl -O https://getfedora.org/static/fedora.gpg")
|
| |
.appendTo(pre);
|
| |
$(p).appendTo(li);
|
| |
$(pre).appendTo(li);
|
| |
@@ -913,7 +913,7 @@
|
| |
$(p).html("Verify the signature is valid");
|
| |
code = document.createElement('code');
|
| |
pre = document.createElement('pre');
|
| |
- $(code).html("gpg --verify " + getFilename(displayDownloads.signature) + " " + getFilename(displayDownloads.location))
|
| |
+ $(code).html("gpgv --keyring ./fedora.gpg " + getFilename(displayDownloads.signature) + " " + getFilename(displayDownloads.location))
|
| |
.appendTo(pre);
|
| |
$(p).appendTo(li);
|
| |
$(pre).appendTo(li);
|
| |
The
gpgv
command is designed to simply verify OpenPGP signatures. Ittakes a keyring as an option and then any number of signed files and
verifies the signatures based on the keys in the given keyring.
Using
gpgv
allows the instructions to be simplified and avoids thefollowing confusing output from the currently recommended method:
The
gpgv
command expects the --keyring argument to be an un-armoredkeyblock. This means dropping the ascii-armor from fedora.gpg (which is
more in line with the .gpg extension anyway). For users who still wish
to pull fedora.gpg and import it to their keyring, the un-armored
keyblock works just as well.
The updated instructions are:
The output from gpgv is:
Users no longer have to fiddle with marking the Fedora keys as trusted
in gpg nor do we have to explain why the large "WARNING" from gpg is
okay to ignore¹.
¹ https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org/message/MPSGTW42RP4U75ZHUAHDMFIP6TTUW23Y/
Signed-off-by: Todd Zullinger tmz@pobox.com