Description of problem: I downloaded the ISO and CHECKSUM files Fedora-18-Alpha-x86_64-Live-CHECKSUM Fedora-18-Alpha-x86_64-Live-KDE.iso from http://mirror.karneval.cz/pub/linux/fedora/linux/releases/test/18-Alpha/Live/x86_64/ I followed the verification instructions from https://fedoraproject.org/en/verify $ curl https://fedoraproject.org/static/fedora.gpg | gpg --import % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 24213 0 0 0 0 0 0 --:--:-- 0:00:08 --:--:-- 0gpg: key 069C8460: "Fedora (15) <fedora>" not changed gpg: key 3AD31D0B: "Fedora-SPARC (15) <fedora>" not changed gpg: key A82BA4B7: "Fedora (16) <fedora>" not changed 100 24213 100 24213 0 0 2727 0 0:00:08 0:00:08 --:--:-- 5636 gpg: key 10D90A9E: "Fedora Secondary (16) <fedora>" not changed gpg: key 1ACA3465: "Fedora (17) <fedora>" not changed gpg: key F8DF67E6: "Fedora Secondary Arch (17) <fedora>" not changed gpg: key 22B3B81A: public key "Fedora (18) <fedora>" imported gpg: key 34E166FA: public key "Fedora Secondary Arch (18) <fedora>" imported gpg: key 217521F6: "Fedora EPEL <epel>" not changed gpg: key 0608B895: "EPEL (6) <epel>" not changed gpg: Total number processed: 10 gpg: imported: 2 (RSA: 2) gpg: unchanged: 8 Please note that the imported F18 key (22B3B81A) does not match the one from the web: The CHECKSUM file should have a good signature from one of the following keys: DE7F38BD - Fedora 18 1ACA3465 - Fedora 17 A82BA4B7 - Fedora 16 Also the next step fails: Now, verify that the CHECKSUM file is valid: $ gpg --verify-files Fedora-18-Alpha-x86_64-Live-CHECKSUM gpg: Signature made Fri 14 Sep 2012 05:08:03 PM CEST using RSA key ID DE7F38BD gpg: Can't check signature: public key not found I followed the "here" link in You can verify the details of the GPG key(s) here. https://fedoraproject.org/en/keys Section RPM-GPG-KEY-fedora-18-primary Download: Fedora Project points to https://fedoraproject.org/static/DE7F38BD.txt I imported the key by: $ curl https://fedoraproject.org/static/DE7F38BD.txt | gpg --import % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 1658 100 1658 0 0 1233 0 0:00:01 0:00:01 --:--:-- 1617 gpg: key DE7F38BD: public key "Fedora (18) <fedora>" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) The CHECKSUM file verification passed $ gpg --verify-files Fedora-18-Alpha-x86_64-Live-CHECKSUM gpg: Signature made Fri 14 Sep 2012 05:08:03 PM CEST using RSA key ID DE7F38BD gpg: Good signature from "Fedora (18) <fedora>" Primary key fingerprint: 7EFB 8811 DD11 E380 B679 FCED FF01 125C DE7F 38BD But I have two different F18 keys (22B3B81A and DE7F38BD) in the keyring now $ gpg --list-keys /home/user/.gnupg/pubring.gpg ------------------------------- pub 4096R/22B3B81A 2012-01-10 uid Fedora (18) <fedora> pub 4096R/34E166FA 2012-01-10 uid Fedora Secondary Arch (18) <fedora> sub 4096g/A6B6F62F 2012-01-10 pub 4096R/DE7F38BD 2012-08-06 uid Fedora (18) <fedora> It seems that something is out of order. Version-Release number of selected component (if applicable): N/A, Used up-to-date F17. How reproducible: Always Steps to Reproduce: see above Actual results: see above Expected results: The verification flow at https://fedoraproject.org/en/verify works - passes. Only one F18 key.
Thanks for the report. I could not actually grab the right public signatures, will update the websites ASAP.
Fixed in commit http://git.fedorahosted.org/cgit/fedora-web.git/commit/?h=f18-beta&id=7cc2d7f234fe67eff1516ebef5691b15923f95ca Please check in about an hour to have the next websites build finished. And let me know if something is wrong.