I believe that both of the following are authentic Google Linux package signing keys:
pub dsa1024 2007-03-08 [SC]
4CCA 1EAF 950C EE4A B839 76DC A040 830F 7FAC 5991
uid [ unknown] Google, Inc. Linux Package Signing Key <linux-packages-keymaster@google.com>
sub elg2048 2007-03-08 [E]
pub rsa4096 2016-04-12 [SC]
EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796
uid [ unknown] Google Inc. (Linux Packages Signing Authority) <linux-packages-keymaster@google.com>
sub rsa4096 2021-10-26 [S] [expires: 2024-10-25]
sub rsa4096 2023-02-15 [S] [expires: 2026-02-14]
The 4EB27DB2A3B88B8B
key under discussion is a subkey of the second one:
pub rsa4096/7721F63BD38B4796
created: 2016-04-12 expires: never usage: SC
sub rsa4096/1397BC53640DB551
created: 2016-04-12 expired: 2019-04-12 usage: S
sub rsa4096/6494C6D6997C215E
created: 2017-01-24 expired: 2020-01-24 usage: S
sub rsa4096/78BD65473CB3BD13
created: 2019-07-22 expired: 2022-07-21 usage: S
sub rsa4096/4EB27DB2A3B88B8B
created: 2021-10-26 expires: 2024-10-25 usage: S
sub rsa4096/E88979FB9B30ACF2
created: 2023-02-15 expires: 2026-02-14 usage: S
For what it’s worth, Google’s website also lists both of these keys:
https://www.google.com/linuxrepositories/
(Of course, I’m not suggesting that this page alone is definitive, but it’s another data point. You can gather additional data points by checking this page via Tor, VPNs, Internet cafe Wi-Fi, from different computers, etc. You can check with other users to see if the same key(s) are present in their systems at /etc/apt/trusted.gpg.d/google-chrome.gpg
(or other distro equivalent). You can use the Web of Trust. And so on.)
Why two keys? Only Google knows, but if I had to guess, it’s probably because dsa1024 is outdated and less secure nowadays but has to be kept around (for now) for legacy support reasons.
In my Debian templates, I’ve been exclusively using the rsa4096 key for a while now without any problems. I seem to recall that I had to “separate” it from the dsa1024 key (at @Demi’s recommendation) by exporting just the rsa4096 key, so maybe they used to ship both keys in a single file or something. It’s been too long; can’t remember. But if that’s what happened, and they now ship the two keys separately, then I don’t know why they’d choose to have https://dl.google.com/linux/linux_signing_key.pub point only to the dsa1024
key, or why they’d only have one key download link instead of two. An oversight?
I also don’t know what the situation is with Fedora, as I haven’t used it in a while. It’s possible that Google recently decided to start signing Fedora packages with the rsa4096 key (which, again, they’ve already been doing on Debian for a while now), but that’s just a guess.
It’s puzzling that this worked for you, since it would seem that you imported a key that lacks the subkey used to sign the package, unless DNF somehow automatically updated/added/replaced the key (i.e., so you somehow got the newer rsa4096 key with the subkey used to sign the package) after you performed this manual import.
Also, it raises the question of which key you had before.