diff --git a/bin/flatcar-install b/bin/flatcar-install
index 5a740be..b56169c 100755
--- a/bin/flatcar-install
+++ b/bin/flatcar-install
@@ -127,7 +127,7 @@ Flatcar Container Linux on a machine then use this tool to make a permanent inst
 # sub rsa4096/FCBEAB91 2020-08-28 [S] [expires: 2021-08-28]
 # sub rsa4096/250D4A42 2021-08-10 [S] [expires: 2022-08-10]
 # sub rsa4096/267EC954 2022-08-11 [S] [expires: 2023-08-11]
-GPG_LONG_ID="E25D9AED0593B34A"
+GPG_LONG_ID="F88CFEDEFF29A5B4D9523864E25D9AED0593B34A"
 GPG_KEY="-----BEGIN PGP PUBLIC KEY BLOCK-----
 
 mQINBFqUFawBEACdnSVBBSx3negnGv7Ppf2D6fbIQAHSzUQ+BA5zEG02BS6EKbJh
@@ -668,6 +668,11 @@ function prep_url(){
 mkdir -p "${GNUPGHOME}"
 if [ -n "${KEYFILE}" ]; then
 gpg --batch --quiet --import < "${KEYFILE}"
+
+ # --assert-signer needs the long key ID. We have no way of looking up
+ # the key we just imported, but we can get the ID from the original
+ # file. --with-colons provides a stable interface for parsing.
+ GPG_LONG_ID=$(gpg --show-key --with-colons "${KEYFILE}" | grep -m1 "^fpr:" | cut -d: -f10)
 else
 gpg --batch --quiet --import <<< "${GPG_KEY}"
 fi
@@ -686,7 +691,7 @@ function download_from_url(){
 exit 1
 fi
 
- if ! gpg --batch --trusted-key "${GPG_LONG_ID}" --verify "${WORKDIR}/${SIG_NAME}" "${PWD}/${IMAGE_NAME}"; then
+ if ! gpg --batch --assert-signer "${GPG_LONG_ID}" --verify "${WORKDIR}/${SIG_NAME}" "${PWD}/${IMAGE_NAME}"; then
 echo "Could not verify ${IMAGE_NAME}." >&2
 exit 1
 fi
@@ -697,7 +702,7 @@ function install_from_url() {
 echo "Downloading, writing and verifying ${IMAGE_NAME}..."
 if ! wget ${WGET_ARGS} --no-verbose -O - "${IMAGE_URL}" \
 | tee >(${BZIP_UTIL} -cd >&3) \
- | gpg --batch --trusted-key "${GPG_LONG_ID}" \
+ | gpg --batch --assert-signer "${GPG_LONG_ID}" \
 --verify "${WORKDIR}/${SIG_NAME}" -
 then
 local EEND=( "${PIPESTATUS[@]}" )
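Review bot: The new `GPG_LONG_ID=$(...)` assignment in prep_url has no fallback when the pipeline yields nothing — a KEYFILE that gpg cannot parse, or one without an `fpr:` record, leaves the variable empty, and the later `--assert-signer ""` fails in a way the user only sees as "Could not verify". Add a guard directly after it, in the file's existing style: `if [ -z "${GPG_LONG_ID}" ]; then echo "Could not read a key fingerprint from ${KEYFILE}." >&2; exit 1; fi`. The comment above it says --assert-signer needs the long key ID, but `cut -d: -f10` of the `fpr:` record is the full 40-hex fingerprint (which is also what the new default in the first hunk holds); reword to `# --assert-signer needs the signing key's fingerprint, taken from the first fpr: record` so the variable's contents match its documentation, and note there that `grep -m1` means only the first key in a multi-key KEYFILE is accepted as signer. prep_url starts before this hunk.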
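Review bot: `--assert-signer` is a comparatively recent GnuPG option (added in the 2.4 series, as far as I recall), and the new `if ! gpg --batch --assert-signer ...` in download_from_url — like the same pipeline stage in install_from_url in the next hunk — gives no hint when an older gpg rejects the option: the user just gets "Could not verify ${IMAGE_NAME}", which reads like a bad signature. Probe for support once, before the first use, e.g. `gpg --dump-options | grep -qx -- --assert-signer || { echo "gpg does not support --assert-signer (GnuPG too old)." >&2; exit 1; }`. Otherwise the change is a real hardening: `--trusted-key` only set trust, so a good signature by any other key present in GNUPGHOME still verified with exit status 0, whereas `--assert-signer` makes gpg fail unless the named key signed. download_from_url starts before this hunk.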