On 04/28/2016 02:29 PM, Albin Otterhäll wrote:
Apparently I wasn't clear enough. I'm using Arch Linux (i.e. I haven't access to the gpg key that comes with an installation) and would like to verify the ISO I've downloaded. To do that I need the key used to sign the "sha256sum.txt.asc" file. I need to import the CentOS Release 7 (and maybe additional keys) from a keyserver or download the keyfile to be able to do that.

Regards,
Albin
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
Open up a browser and go to:
http://mirror.centos.org/centos-7/7/os/x86_64/
The GPG keys used to sign the RPM packages are in that directory. That may also be the key used to sign the checksum files. Here's what I did on my system to check:
[jleafey@icarus temp]$ gpg --import RPM-GPG-KEY-CentOS-7
gpg: key F4A80EB5: public key "CentOS-7 Key (CentOS 7 Official Signing Key) <security@xxxxxxxxxx>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
[jleafey@icarus temp]$ gpg --verify sha256sum.txt.asc
gpg: Signature made Thu 10 Dec 2015 09:41:44 AM CST using RSA key ID F4A80EB5
gpg: Good signature from "CentOS-7 Key (CentOS 7 Official Signing Key) <security@xxxxxxxxxx>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6341 AB27 53D7 8A78 A7C2 7BB1 24C6 A8A7 F4A8 0EB5
[jleafey@icarus temp]$
The bit that says "Good signature" seems to indicate that it was OK.

Hope that answers your question!
--
Jay Leafey - Memphis, TN
jay.leafey@xxxxxxxxxxxx
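Added example, not part of the original messages: "Good signature" only says the file was signed by whichever key was imported, so this sketch also pins the primary key fingerprint printed in the gpg output above (compare it with a copy obtained over an independent channel) and then checks the ISO against the signed checksum list. It assumes sha256sum.txt.asc is a clearsigned file in sha256sum format; the function names are hypothetical.

```shell
#!/bin/sh
# Fingerprint as printed in the gpg output above, spaces removed.
EXPECTED_FPR="6341AB2753D78A78A7C27BB124C6A8A7F4A80EB5"

# Reads gpg --status-fd lines on stdin. Succeeds only if a VALIDSIG line
# names the expected primary key (last field) and no signature failed.
status_signed_by() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        $2 == "VALIDSIG" && $NF == want { ok = 1 }
        END { exit (ok && !bad) ? 0 : 1 }'
}

# Reads sha256sum-format text on stdin and prints the hash listed for
# exactly the file name given as $1; fails if the name is not listed.
signed_hash_for() {
    awk -v f="$1" '
        { name = $2; sub(/^\*/, "", name) }
        name == f { print $1; found = 1 }
        END { exit !found }'
}

# verify_iso sha256sum.txt.asc image.iso
verify_iso() {
    asc=$1; iso=$2
    tmp=$(mktemp -d) || return 1
    # One gpg run yields both the signed text and the status lines.
    gpg --status-fd 3 --output "$tmp/sums" --decrypt "$asc" \
        3>"$tmp/status" 2>/dev/null
    rc=1
    if status_signed_by "$EXPECTED_FPR" <"$tmp/status" &&
       want=$(signed_hash_for "$(basename "$iso")" <"$tmp/sums"); then
        have=$(sha256sum "$iso" | awk '{ print $1 }')
        if [ "$want" = "$have" ]; then rc=0; fi
    fi
    rm -rf "$tmp"
    return $rc
}

if [ "$#" -eq 2 ]; then
    if verify_iso "$1" "$2"; then echo "OK: $2"; else echo "FAILED: $2"; exit 1; fi
fi
```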