My understanding is that the problem with the scenario you describe is that the F17 tool you use to download said file does not have signature-checking built into _it_, thus you cannot guarantee that a MITM attacker doesn't silently replace the download at some network node in between your machine and the Fedora server. Likely? Probably not.
In short, it's like an induction problem; since the very first version of the tool did not check sigs, the chain of trust cannot be "bootstrapped". The problem has become inserting the fixed/trustable tool somewhere into the insecure sequence.
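To make the induction argument concrete, here is a small added model (not code from the thread or from Fedora): a legacy downloader with no checks, a fixed downloader that compares the download's SHA-256 against a trust anchor, and a `bootstrap` step that shows the only thing that matters is where that anchor came from. The payloads, the `fetch` MITM model and the function names are all constructed for illustration.

```python
import hashlib
import hmac
from typing import Tuple

# Constructed sample artifacts standing in for a downloaded tool or image.
GENUINE_DOWNLOAD = b"upgrade-tool genuine payload"          # constructed
TAMPERED_DOWNLOAD = b"upgrade-tool payload swapped by MITM"  # constructed

# Hypothetical out-of-band trust anchor: a digest the user obtained over a
# channel the network attacker does not control. Derived here from the
# genuine payload so the example is self-contained.
OUT_OF_BAND_SHA256 = hashlib.sha256(GENUINE_DOWNLOAD).hexdigest()


def fetch(payload: bytes, mitm_active: bool) -> bytes:
    """Model of the network path: a node in between may swap the payload."""
    return TAMPERED_DOWNLOAD if mitm_active else payload


def legacy_tool_fetch(mitm_active: bool) -> Tuple[bool, bytes]:
    """The old tool: no signature or digest check, so anything is accepted."""
    data = fetch(GENUINE_DOWNLOAD, mitm_active)
    return True, data


def verifying_tool_fetch(mitm_active: bool, trust_anchor: str) -> Tuple[bool, bytes]:
    """The fixed tool: accept the download only if its digest matches the anchor."""
    data = fetch(GENUINE_DOWNLOAD, mitm_active)
    digest = hashlib.sha256(data).hexdigest()
    ok = hmac.compare_digest(digest, trust_anchor)  # constant-time compare
    return ok, data


def bootstrap(mitm_active: bool, anchor_from_network: bool) -> Tuple[bool, bool]:
    """The induction step: where does the anchor itself come from?

    Returns (verification_passed, payload_is_genuine). If the anchor is
    pulled through the same untrusted path as the download, an attacker
    who swaps the payload can swap the anchor to match, and verification
    passes on tampered data. Only an anchor obtained out of band breaks
    the chain.
    """
    if anchor_from_network:
        anchor = hashlib.sha256(fetch(GENUINE_DOWNLOAD, mitm_active)).hexdigest()
    else:
        anchor = OUT_OF_BAND_SHA256
    ok, data = verifying_tool_fetch(mitm_active, anchor)
    return ok, data == GENUINE_DOWNLOAD


if __name__ == "__main__":
    print("legacy tool under MITM:      ", legacy_tool_fetch(True))
    print("anchor from network, MITM:   ", bootstrap(True, True))
    print("anchor out of band, MITM:    ", bootstrap(True, False))
    print("anchor out of band, no MITM: ", bootstrap(False, False))
```

The interesting case is `bootstrap(True, True)`: the check "passes" yet the payload is tampered, which is exactly why a verifying tool fetched by a non-verifying one buys nothing. A real deployment would use a detached signature and a pinned signing-key fingerprint rather than a bare digest, but the bootstrap requirement is the same: the first anchor has to arrive over a channel the attacker cannot touch.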