
gpg --assert-signer is ambiguous about what it does if a filename looks like a fingerprint
Closed, Resolved, Public

Description

The documentation says:

--assert-signer fpr_or_file

This option checks whether at least one valid signature on a file has been made with the specified key. The key is either specified as a fingerprint or a file listing fingerprints. The fingerprint must be given or listed in compact format (no colons or spaces in between). This option can be given multiple times and each fingerprint is checked against the signing key as well as the corresponding primary key. If fpr_or_file specifies a file, empty lines are ignored as well as all lines starting with a hash sign. With this option gpg is guaranteed to return with an exit code of 0 if and only if a signature has been encountered, is valid, and the key matches one of the fingerprints given by this option.

However, it's possible to craft a file listing fingerprints that is also named with a fingerprint. For example:

echo 1234567890123456789012345678901234567890 > deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
gpg --verify --assert-signer deadbeefdeadbeefdeadbeefdeadbeefdeadbeef message.txt

Will this require that the signer is the 123… key or the deadbeef… key? Looking at the source, it looks like it'll be the deadbeef… key, but if the file name were changed to something that is neither 40 nor 64 hex digits, then it would be the 123… key. Does the user of gpg need to be careful about the name selected for the file with a listing of fingerprints?

Details

Version
2.4.7

Event Timeline

werner claimed this task.
werner edited projects, added Support; removed Bug Report.
werner added a subscriber: werner.

As usual, use ./deadbeef... as the filename to distinguish it from a fingerprint.
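The ambiguity in the report, as an added shell example that is not GnuPG code: it applies the 40/64-hex-digit rule the reporter inferred from the source (an assumption here, not verified against gpg itself), adds werner's `./` prefix to a list file whose name looks like a fingerprint, and counts the usable entries in such a file the way the manual says gpg reads it. The helper names `looks_like_fpr`, `assert_signer_arg` and `count_listed_fprs` are hypothetical and the list file is constructed.

```shell
#!/bin/sh
# Added example, not GnuPG code. Assumption taken from the report above:
# an --assert-signer argument of exactly 40 or 64 hex digits is read as a
# fingerprint, anything else as the name of a fingerprint-list file.

# True if $1 is a compact v4 (40 hex) or v5 (64 hex) fingerprint.
looks_like_fpr() {
    case "$1" in
        *[!0-9A-Fa-f]*) return 1 ;;   # colons, spaces or other non-hex
    esac
    [ "${#1}" -eq 40 ] || [ "${#1}" -eq 64 ]
}

# Print the argument in a form gpg cannot misread: a bare fingerprint is
# left alone; an existing list file whose name also looks like a fingerprint
# gets the "./" prefix werner recommends so gpg sees a path, not a key.
assert_signer_arg() {
    if [ -f "$1" ] && looks_like_fpr "$(basename "$1")"; then
        case "$1" in
            */*) printf '%s\n' "$1" ;;      # already contains a path separator
            *)   printf './%s\n' "$1" ;;
        esac
    else
        printf '%s\n' "$1"
    fi
}

# Count usable fingerprints in a list file: empty lines and lines starting
# with '#' are skipped as the manual describes; non-fingerprint junk is ignored.
count_listed_fprs() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|\#*) continue ;;
        esac
        if looks_like_fpr "$line"; then n=$((n + 1)); fi
    done < "$1"
    echo "$n"
}

# Constructed sample reproducing the report: a list file named like a key.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
cd "$DEMO_DIR"
LIST_FILE=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
printf '# pinned release key (constructed)\n\n%s\n' \
    1234567890123456789012345678901234567890 > "$LIST_FILE"

echo "pass to gpg: --assert-signer $(assert_signer_arg "$LIST_FILE")"
echo "fingerprints in list: $(count_listed_fprs "$LIST_FILE")"
```

With the sample file in place the first line prints `--assert-signer ./deadbeef…`, so gpg reads the file and pins the 123… key rather than matching the file name as a fingerprint.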