By default, yum and the graphical update tools will verify these signatures and refuse to install any packages that are not signed, or have an incorrect signature. You should always verify the signature of a package prior to installation.

With the third beta of GPGMail for Sierra, we have managed to fix some more subtle bugs that unfortunately affected many of our users.
I copied it as-is and cited the answer and yourself down below.
Please feel free to answer this question exactly the same and I'll mark your answer right (I can't mark mine for a few days). Your trust is fine if you keep your 2048 as you can always confirm you are the true owner of BOTH keys, but I know I'd love the impossible app where you just browse to your 2048 and it churns out a nice, new shiny 4096 equivalent and nobody is any the wiser.
If it's to do with 'vending'...ahem, then I'd change the key to a new one and every person requesting proof can just send a 2048 encrypted message to the key they know and trust and request the vendor to reply with a group of numbers that the sender instructed the vendor to do on the trusted key.
" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: Signature made Fri Jul 3 2015 EEST using RSA key ID 4520AFA9
gpg: Good signature from "Atomicorp (Atomicorp Official Signing Key) "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.