Next, import Fedora's GPG key(s):
$ curl https://getfedora.org/static/fedora.gpg | gpg --import
You can verify the details of the GPG key(s) here.
Now, verify that the CHECKSUM file is valid:
$ gpg --verify-files *-CHECKSUM
The CHECKSUM file should have a good signature from one of the following keys:
9DB62FB1 - Fedora 28
F5282EE4 - Fedora 27
64DAB85D - Fedora 26
3B921D09 - Fedora 26 secondary arches (AArch64, PPC64, PPC64le, s390 and s390x)
FDB19C98 - Fedora 25
E372E838 - Fedora 25 secondary arches (AArch64, PPC64, PPC64le, s390 and s390x)
Finally, now that the CHECKSUM file has been verified, check that the image's checksum matches:
$ sha256sum -c *-CHECKSUM
If the output states that the file is valid, then it's ready to use!
How do I verify my downloaded image on another operating system?
Read these instructions to validate your image.