CHECKSUM and Verify Instructions
Once you have downloaded an image, verify it for security and integrity. To verify your image, start by downloading the proper CHECKSUM file into the same directory as the image you downloaded.
Next, import Fedora's GPG key(s):
$ curl -O https://fedoraproject.org/fedora.gpg
You can verify the details of the GPG key(s) here.
Now, verify that the CHECKSUM file is valid:
$ gpgv --keyring ./fedora.gpg *-CHECKSUM
The CHECKSUM file should have a good signature from one of the following keys:
6A51BBABBA3D5467B6171221809A8D7CEB10B464- Fedora 38
ACB5EE4E831C74BB7C168D27F55AD3FB5323552A- Fedora 37
53DED2CB922D8B8D9E63FD18999F7CBF38AB71F4- Fedora 36
Finally, now that the CHECKSUM file has been verified, check that the image's checksum matches:
$ sha256sum -c *-CHECKSUM --ignore-missing
If the output states that the file is valid, then it's ready to use!