Jonathan Ryshpan wrote:
> To upgrade from Fedora-37 to Fedora-38 the instructions
> (https://docs.fedoraproject.org/en-US/quick-docs/dnf-system-upgrade/) say:
>    ...
>    5. When the new GPG key is imported, you are asked to verify the key’s
>    fingerprint. Refer to https://getfedora.org/security to do so.
> Which never happened. I have continued with the upgrade. Is this safe?

Short answer: Yes.

Long answer: While it's good to verify things, it's not a
large risk if you skipped it.  The fedora-gpg-keys package
ships the signing keys for new releases.  That is then used
by the upgrade process to install the key for the new
release.

Let's say you started with Fedora 36 and did a clean
install.  You download the install image and verify it.
Once installed, all the package updates are checked using
the Fedora 36 signing key.  That includes updates to the
fedora-gpg-keys package.

When you eventually upgrade to either Fedora 37 or 38, the
upgrade process uses the signing key from the local disk,
which has already been verified by the package signature of
the current release.

There's a clear chain from the Fedora 36 key to the Fedora
38 key in this case.  Unless the Fedora infrastructure has
been badly compromised, you're perfectly safe to perform the
system upgrade without manually verifying the key
fingerprints.  It doesn't hurt to verify them, but it's not
the end of the world if you don't.

And if the Fedora infrastructure is compromised, then
checking the fingerprints on what might be a compromised web
site isn't really going to help. :)

-- 
Todd

Attachment: signature.asc
Description: PGP signature
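The chain of trust described in the reply above, written out as a check you can run on the host before (or after) a system upgrade. This is an added example, not code from the original post or from Fedora; it assumes rpm and gpg are installed, that the new release's key lives under /etc/pki/rpm-gpg/ with the RPM-GPG-KEY-fedora-NN-primary naming, and the sample gpg output and its fingerprint are constructed for illustration, not a real Fedora key.

```shell
#!/bin/sh
# Added example (not from the original post or the Fedora project):
# inspect the chain of trust behind the key dnf system-upgrade will use.
# Assumptions: rpm and gpg are present; key files live in /etc/pki/rpm-gpg/
# and follow the RPM-GPG-KEY-fedora-NN-primary naming (illustrative).

KEYDIR=/etc/pki/rpm-gpg

# Constructed sample of `gpg --with-colons` output (made-up fingerprint).
SAMPLE_COLONS='pub:-:4096:1:0123456789ABCDEF:1670000000::::::::::
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1670000000::::Fedora (38) <fedora-38-primary@fedoraproject.org>::::::::::0:'

# Read full fingerprints from `gpg --with-colons` output on stdin.
# Layout: fpr:::::::::<40 hex chars>:   (field 10 is the fingerprint)
fingerprints_from_colons() {
    awk -F: '$1 == "fpr" { print $10 }'
}

# Render a 40-hex fingerprint in 4-character groups, as the web page shows it.
format_fingerprint() {
    printf '%s\n' "$1" | sed 's/..../& /g; s/ $//'
}

# Canonicalise a fingerprint typed from a web page (spaces, lowercase).
normalize_fingerprint() {
    printf '%s\n' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# True when two fingerprints match after normalisation.
fingerprint_matches() {
    [ "$(normalize_fingerprint "$1")" = "$(normalize_fingerprint "$2")" ]
}

# Walk the chain for the release given as $1 (e.g. 38). Only this function
# touches rpm/gpg; everything above is pure text processing.
check_upgrade_key() {
    release="$1"
    keyfile="$KEYDIR/RPM-GPG-KEY-fedora-${release}-primary"
    [ -r "$keyfile" ] || { echo "no key file at $keyfile" >&2; return 1; }

    # 1. The key file must be owned by fedora-gpg-keys, not dropped in by hand.
    owner=$(rpm -qf "$keyfile") || return 1
    echo "key file owned by: $owner"

    # 2. The installed package content must be unmodified (rpm -V is silent
    #    when clean; any output lists a changed file).
    rpm -V fedora-gpg-keys && echo "fedora-gpg-keys verifies clean"

    # 3. Which key signed fedora-gpg-keys itself? That is the current
    #    release's key, the previous link in the chain.
    rpm -q --qf 'fedora-gpg-keys signed with: %{SIGPGP:pgpsig}\n' fedora-gpg-keys

    # 4. Show the new key's fingerprint(s) for the optional manual comparison
    #    against https://getfedora.org/security
    gpg --show-keys --with-colons "$keyfile" | fingerprints_from_colons |
    while read -r fpr; do
        echo "new key fingerprint: $(format_fingerprint "$fpr")"
    done
}
```

Source the file and run `check_upgrade_key 38` on the upgraded host; `fingerprint_matches "<fingerprint copied from the web page>" "<fingerprint printed in step 4>"` does the comparison the quick-docs step asks for. Steps 1 to 3 are the part the reply relies on: they show that the key on disk arrived in a package that was itself signed with the current release's key, which is why skipping the manual fingerprint check is a small risk rather than a large one.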

_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
