security: use gpgv to verify CHECKSUM signatures
The `gpgv` command is designed to simply verify OpenPGP signatures. It
takes a keyring as an option and then any number of signed files and
verifies the signatures based on the keys in the given keyring.
Using `gpgv` allows the instructions to be simplified and avoids the
following confusing output from the currently recommended method:
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.
The `gpgv` command expects the --keyring argument to be an un-armored
keyblock. This means dropping the ascii-armor from fedora.gpg (which is
more in line with the .gpg extension anyway). For users who still wish
to pull fedora.gpg and import it to their keyring, the un-armored
keyblock works just as well.
The updated instructions are:
    $ curl -O https://getfedora.org/static/fedora.gpg
    $ gpgv --keyring ./fedora.gpg *-CHECKSUM
The output from gpgv is:
    $ gpgv --keyring ./fedora.gpg *-CHECKSUM
    gpgv: Signature made Fri 19 Mar 2021 10:10:28 AM EDT
    gpgv: using RSA key 8C5BA6990BDB26E19F2A1A801161AE6945719A39
    gpgv: Good signature from "Fedora (34) <fedora-34-primary@fedoraproject.org>"
Users no longer have to fiddle with marking the Fedora keys as trusted
in gpg nor do we have to explain why the large "WARNING" from gpg is
okay to ignore¹.
¹ https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org/message/MPSGTW42RP4U75ZHUAHDMFIP6TTUW23Y/
Signed-off-by: Todd Zullinger <tmz@pobox.com>
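The procedure the commit describes, as an added, self-contained example that is not part of the commit or of the Fedora project's tooling. It generates a throwaway signing key in place of the Fedora release key, clearsigns a constructed CHECKSUM file in the Fedora style, exports the public key ASCII-armored (the form fedora.gpg has today) and strips the armor with `gpg --dearmor` to get the binary keyblock the commit says `gpgv --keyring` expects, then runs the same `gpgv` check as the updated instructions. It goes one step beyond the commit text by also showing the two outcomes a user should care about: a tampered CHECKSUM file and a signature from a key that is not in the keyring both make `gpgv` exit non-zero. It assumes `gpg` (GnuPG 2.1 or later) and `gpgv` are on PATH; the key name, e-mail address, file names and checksum line are invented.

```shell
#!/bin/sh
# Added example; not part of the Fedora commit or of the Fedora project's tooling.
# Builds a throwaway signing key standing in for the Fedora release key,
# clearsigns a constructed *-CHECKSUM file, converts the armored key export to
# the binary keyblock gpgv needs, and verifies as the updated instructions do.
# Assumptions: gpg (GnuPG 2.1+) and gpgv on PATH; the UID, e-mail and file
# names below are invented.
set -e

WORK="$(mktemp -d)"
export GNUPGHOME="$WORK/gnupg"
mkdir -p "$GNUPGHOME"
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$WORK"' EXIT

# No prompts and no passphrase on the throwaway key.
gpg_batch() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"
}

# 1. Ephemeral RSA signing key in place of the Fedora release key (invented UID).
make_signing_key() {
    gpg_batch --quick-gen-key "Example Release Key <release@example.invalid>" rsa2048 sign never
}

# 2. A constructed CHECKSUM file in the Fedora style, clearsigned with that key.
write_signed_checksum() {
    cat > "$WORK/Fedora-Example-CHECKSUM.txt" <<'EOF'
# Fedora-Example-x86_64-34-1.2.iso: 1024 bytes
SHA256 (Fedora-Example-x86_64-34-1.2.iso) = e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
EOF
    gpg_batch --clearsign --output "$WORK/Fedora-Example-CHECKSUM" \
        "$WORK/Fedora-Example-CHECKSUM.txt"
}

# 3. Export the public key ASCII-armored (the current fedora.gpg format), then
#    strip the armor: gpgv --keyring wants the binary keyblock.
export_keyrings() {
    gpg --batch --quiet --armor --export release@example.invalid > "$WORK/release.asc"
    gpg --batch --quiet --dearmor < "$WORK/release.asc" > "$WORK/release.gpg"
    : > "$WORK/empty.gpg"   # keyring containing no keys, for the negative case
}

# True when the file is a binary keyblock rather than an armored one.
is_binary_keyring() {
    ! head -c 5 "$1" | grep -q -- '-----'
}

# 4. The check from the instructions. Returns gpgv's exit status: 0 only for a
#    good signature made by a key present in the given keyring.
verify_checksum() {
    gpgv --keyring "$WORK/release.gpg" "$1"
}

# Failure mode 1: a modified CHECKSUM file must not verify (BAD signature).
tamper_and_verify() {
    sed 's/= e3b0/= ffff/' "$WORK/Fedora-Example-CHECKSUM" > "$WORK/Tampered-CHECKSUM"
    if gpgv --keyring "$WORK/release.gpg" "$WORK/Tampered-CHECKSUM" 2>/dev/null; then
        return 1   # tampering went unnoticed: that would be the real failure
    fi
    return 0
}

# Failure mode 2: a good signature from a key NOT in the keyring must not verify
# either; gpgv has no "present but untrusted" middle ground to explain away.
verify_with_empty_keyring() {
    if gpgv --keyring "$WORK/empty.gpg" "$WORK/Fedora-Example-CHECKSUM" 2>/dev/null; then
        return 1
    fi
    return 0
}

run_demo() {
    make_signing_key
    write_signed_checksum
    export_keyrings
    is_binary_keyring "$WORK/release.gpg"
    verify_checksum "$WORK/Fedora-Example-CHECKSUM"
    tamper_and_verify
    verify_with_empty_keyring
    echo "gpgv accepted the signed file and rejected the tampered and unknown-key cases"
}

if command -v gpg >/dev/null 2>&1 && command -v gpgv >/dev/null 2>&1; then
    run_demo
else
    echo "this example needs gpg and gpgv on PATH" >&2
fi
```

Because gpgv consults only the keyrings it is handed, the "good" case needs no trust settings at all, which is exactly why the WARNING lines from gpg disappear; the flip side is that a missing or wrong keyring is a hard failure rather than a warning, so scripts should check gpgv's exit status rather than grep its output.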