Following the instructions from their site in order to install Librewolf:
You should accept any prompts wanting to import the GPG key with the fingerprint 034F7776EF5E0C613D2F7934D29FBD5F93C0CFC3.
This key can/has to be imported from https://(rpm_or_deb).librewolf.net/pubkey.gpg
But, today’s update of Librewolf failed with
GPG key at https://rpm.librewolf.net/pubkey.gpg (0x93C0CFC3) is already installed
The GPG keys listed for the "LibreWolf Software Repository" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.. Failing package is: librewolf-108.0.1-1.fc36.x86_64
GPG Keys are configured as: https://rpm.librewolf.net/pubkey.gpg
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: GPG check FAILED
$ rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
indeed produced
gpg-pubkey-93c0cfc3-615c49c7 Malte Jürgens maltejur@dismail.de public key
but
$ sudo rpm -K /var/cache/dnf/repository-ef6682679cbcc4ee/packages/librewolf-108.0.1-1.fc36.x86_64.rpm
produced
/var/cache/dnf/repository-ef6682679cbcc4ee/packages/librewolf-108.0.1-1.fc36.x86_64.rpm: digests SIGNATURES NOT OK
After unsuccessfully researching the error, only to find that it could even mean MITM or a repo takeover, I finally found
After importing the so-called Librewolf Maintainers key stated there, I also got
gpg-pubkey-2b12ef16-627f7187 LibreWolf Maintainers gpg@librewolf.net public key
And finally running checksig
$ sudo rpm --checksig /var/cache/dnf/repository-ef6682679cbcc4ee/packages/librewolf-108.0.1-1.fc36.x86_64.rpm
it produced
/var/cache/dnf/repository-ef6682679cbcc4ee/packages/librewolf-108.0.1-1.fc36.x86_64.rpm: digests signatures OK
I am still hesitant to install the update, so could anyone at least confirm the maintainers' key above?
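The keyring check from the post as a script. This is an added example, not part of the original post or LibreWolf's own tooling. It labels each rpm keyring entry by whether it matches the fingerprint pinned in the install instructions. The function names are hypothetical, and full-fingerprint input is assumed to come from `gpg --show-keys --with-colons`.

```shell
#!/bin/sh
# Added example (not from the original post): audit rpm keyring entries
# against the fingerprint pinned in the install instructions.

# Fingerprint quoted in the post from the install instructions.
PINNED_FPR="034F7776EF5E0C613D2F7934D29FBD5F93C0CFC3"

# Lowercase a fingerprint and drop any spaces.
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'A-F' 'a-f'; }

# rpm stores an imported key as gpg-pubkey-<VERSION>-<RELEASE>; VERSION is
# the short key ID, i.e. the last 8 hex digits of the fingerprint.
short_id() { norm_fpr "$1" | tail -c 8; }

# Read the output of
#   rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
# on stdin and label each key as matching the pin or not.
audit_keyring() (
  want=$(short_id "$PINNED_FPR")
  while IFS= read -r line; do
    case $line in gpg-pubkey-*) ;; *) continue ;; esac
    id=${line#gpg-pubkey-}
    id=${id%%-*}
    if [ "$id" = "$want" ]; then
      printf 'PINNED      %s\n' "$id"
    else
      printf 'UNVERIFIED  %s\n' "$id"
    fi
  done
)

# Read `gpg --show-keys --with-colons pubkey.gpg` output on stdin; succeed
# only if the primary key's full fingerprint equals the pinned one. A short
# ID match alone is not proof, because 32-bit key IDs can collide.
keyfile_is_pinned() (
  fpr=$(awk -F: '$1 == "fpr" { print $10; exit }')
  [ -n "$fpr" ] && [ "$(norm_fpr "$fpr")" = "$(norm_fpr "$PINNED_FPR")" ]
)

# The two keyring lines shown in the post.
SAMPLE_KEYRING='gpg-pubkey-93c0cfc3-615c49c7 Malte Jürgens maltejur@dismail.de public key
gpg-pubkey-2b12ef16-627f7187 LibreWolf Maintainers gpg@librewolf.net public key'

printf '%s\n' "$SAMPLE_KEYRING" | audit_keyring
```

A key reported as UNVERIFIED is one the pinned fingerprint says nothing about, so its full fingerprint needs confirming through a channel other than the repository that serves the packages.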