
Verification question


glennzo
8th March 2011, 11:39 PM
OK everyone. For as long as I've been a member here and for as long as I've been playing with Linux I've downloaded and burned hundreds of CD and DVD ISO files. Rarely, extremely rarely, have I verified my downloads. So rarely that I'd need to find a how-to to be able to do it. Today I downloaded F15 Alpha and the checksum file. I followed the instructions here (https://fedoraproject.org/en/verify) and below is the result.

[glenn@server ~>$ curl https://fedoraproject.org/static/fedora.gpg | gpg --import
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 13131 100 13131 0 0 17289 0 --:--:-- --:--:-- --:--:-- 20842
gpg: key E8E40FDE: "Fedora (13) <fedora@fedoraproject.org>" not changed
gpg: key 97A1071F: "Fedora (14) <fedora@fedoraproject.org>" not changed
gpg: key FDB36B03: "Fedora (14-s390x) <fedora@fedoraproject.org>" not changed
gpg: key 069C8460: "Fedora (15) <fedora@fedoraproject.org>" not changed
gpg: key 3AD31D0B: "Fedora-SPARC (15) <fedora@fedoraproject.org>" not changed
gpg: key 217521F6: "Fedora EPEL <epel@fedoraproject.org>" not changed
gpg: key 0608B895: "EPEL (6) <epel@fedoraproject.org>" not changed
gpg: Total number processed: 7
gpg: unchanged: 7
[glenn@server ~>$ gpg --verify *-CHECKSUM
gpg: Signature made Wed 02 Mar 2011 10:34:51 PM EST using RSA key ID 069C8460
gpg: Good signature from "Fedora (15) <fedora@fedoraproject.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 25DB B54B DED7 0987 F4C1 0042 B4EB F579 069C 8460
[glenn@server ~>$ sha256sum -c *-CHECKSUM
Fedora-15-Alpha-i386-DVD.iso: OK
sha256sum: Fedora-15-Alpha-i386-netinst.iso: No such file or directory
Fedora-15-Alpha-i386-netinst.iso: FAILED open or read
sha256sum: WARNING: 1 of 2 listed files could not be read

I'm thinking I'm good based on the red text and the fact that there is no netinstall ISO so I can ignore messages relating to that. The blue text raises some !!! though. I'm going ahead with burning the DVD anyhow. Just looking for input from those experienced with sha256sum.
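An added example (not code from anyone in the thread): a Python re-implementation of what sha256sum -c does with a CHECKSUM file, which keeps a file that is simply absent, as the netinst ISO was above, separate from a file whose hash does not match. The file names and contents it checks are constructed stand-ins.

```python
import hashlib
import os
import re
import tempfile

# sha256sum -c accepts the GNU form ("<hex>  <name>" / "<hex> *<name>") and the BSD form ("SHA256 (<name>) = <hex>").
GNU_RE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")
BSD_RE = re.compile(r"^SHA256 \((.+)\) = ([0-9a-fA-F]{64})$")

def parse_checksum_file(text):
    """Return [(filename, expected_hex)]; clearsign armor and other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = GNU_RE.match(line.strip()) or BSD_RE.match(line.strip())
        if not m:
            continue
        name, digest = (m.group(2), m.group(1)) if m.re is GNU_RE else (m.group(1), m.group(2))
        entries.append((name, digest.lower()))
    return entries

def verify(entries, directory):
    """Mirror sha256sum -c: OK, FAILED (hash mismatch) or MISSING (file not present)."""
    results = {}
    for name, expected in entries:
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"  # sha256sum reports this as 'FAILED open or read'
            continue
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        results[name] = "OK" if h.hexdigest() == expected else "FAILED"
    return results

def demo():
    """Constructed scenario: DVD present, netinst absent (as in the thread), one tampered file."""
    with tempfile.TemporaryDirectory() as d:
        good = b"constructed stand-in for the DVD image bytes"
        with open(os.path.join(d, "Fedora-15-Alpha-i386-DVD.iso"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "tampered.iso"), "wb") as f:
            f.write(b"bytes that differ from what the checksum was computed over")
        checksum_text = "\n".join([
            "-----BEGIN PGP SIGNED MESSAGE-----", "Hash: SHA256", "",
            "SHA256 (Fedora-15-Alpha-i386-DVD.iso) = " + hashlib.sha256(good).hexdigest(),
            "SHA256 (Fedora-15-Alpha-i386-netinst.iso) = " + "0" * 64,
            hashlib.sha256(b"original bytes").hexdigest() + " *tampered.iso",
        ])
        return verify(parse_checksum_file(checksum_text), d)
```

A MISSING result only means the file was not downloaded; a FAILED result on a file that is present is the case that should stop a burn.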

stoat
12th March 2011, 12:04 AM
I think it's all good. To me, it means that even though the key was imported into your gpg keyring and was used to verify the hash file, the key itself has not been assigned a level of trust by you. Since it's a fedora key downloaded from fedoraproject.org, I don't really think any of this is a big deal. In fact, the only keys that I have are Fedora and RPM Fusion keys and all of those were installed in my /etc/pki/rpm-gpg folder by Fedora and RPM Fusion. As you know, I had to agree to import them into my RPM database when I first used them to install packages from their repos. But I never bother importing those keys into my gpg keyring, so I sure don't bother assigning them levels of trust. But I just now did it for fun and learning.

Anyway, I guess all of this becomes more important for keys obtained from other sources or from keyservers. For that, you can verify a key's fingerprint. You can use the gpg --fingerprint command (or sometimes the command is gpg2) to list your keys and their fingerprints for comparison. Fedora and RPM Fusion publish their key fingerprints. For keys from people or other sources, you might have to contact them by phone or email. A hopelessly paranoid person might even want to meet with the person to personally receive that person's key and/or its fingerprint.

$ gpg2 --fingerprint 0x97A1071F
pub 4096R/97A1071F 2010-07-23
Key fingerprint = 235C 2936 B4B7 0E61 B373 A020 421C ADDB 97A1 071F
uid Fedora (14) <fedora@fedoraproject.org>

From https://fedoraproject.org/keys...


So here's what I think (which may not be worth much when the forum experts discover this thread and weigh in)... You can safely ignore those key warnings because you got the key directly from fedoraproject.org. Or, if you like, you can use the gpg --edit-key <key here> command and then use its trust command to enter a high level of trust for those keys that you got directly from fedoraproject.org. Then those warnings should stop. Try it.

$ gpg2 --edit-key 0x97A1071F
gpg (GnuPG) 2.0.16; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub 4096R/97A1071F created: 2010-07-23 expires: never usage: SCE
trust: unknown validity: unknown
[ unknown] (1). Fedora (14) <fedora@fedoraproject.org>

gpg> trust
pub 4096R/97A1071F created: 2010-07-23 expires: never usage: SCE
trust: unknown validity: unknown
[ unknown] (1). Fedora (14) <fedora@fedoraproject.org>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu

Your decision? 4

pub 4096R/97A1071F created: 2010-07-23 expires: never usage: SCE
trust: full validity: unknown
[ unknown] (1). Fedora (14) <fedora@fedoraproject.org>
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg> quit

So now we both know how to use a fingerprint to verify a key to verify a hash file to verify an iso file to install an operating system and software that we have no choice but to trust blindly.

glennzo
12th March 2011, 10:36 AM

Hello Stoat. Still trying to absorb all you've written in the previous post. Thanks for taking the time. In the meanwhile I got a bit curious about the aforementioned errors and decided to download the netinst.iso just so it would exist in the same folder as the full install iso. Then I could run sha256sum against both to see the outcome. Here's the result.

[glenn@server ~>$ sha256sum -c *-CHECKSUM
Fedora-15-Alpha-i386-DVD.iso: OK
Fedora-15-Alpha-i386-netinst.iso: OK

What a difference. I knew that the reason 1 of 2 failed was because 1 of 2 didn't exist.

Off to read and experiment some more.

stoat
12th March 2011, 01:45 PM
What a difference. I knew that the reason 1 of 2 failed was because 1 of 2 didn't exist.

I didn't realize that you were referring to that. Sorry. I was looking at the red and blue stuff. No worries though because I have always wanted to sort out some of that tangled (in my mind anyway) GPG stuff. I feel better now, but there's lots more. It's fairly deep water (for me anyway).