Hi!
I'm currently using a non-CentOS system, and wondering where I can find the GPG keys so I can verify the checksum file?
The page on the website (https://www.centos.org/keys/) only give information where I can find them on an already installed system.
Regards, Albin
repository gpg can be found in /etc/pki/rpm-gpg/
read the repo file(s) in
/etc/yum.repos.d/
cat /etc/yum.repos.d/CentOS-Base.repo # CentOS-Base.repo # # The mirror system uses the connecting IP address of the client and the # update status of each mirror to pick mirrors that are updated to and # geographically close to the client. You should use this for CentOS updates # unless you are manually picking other mirrors. # # If the mirrorlist= does not work for you, as a fall back you can try the # remarked out baseurl= line instead. # #
[base] name=CentOS-$releasever - Base mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch= $basearch&repo=os&infra=$infra #baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/ gpgcheck=1 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Am Donnerstag, den 28.04.2016, 20:50 +0200 schrieb Albin Otterhäll:
Hi!
I'm currently using a non-CentOS system, and wondering where I can find the GPG keys so I can verify the checksum file?
The page on the website (https://www.centos.org/keys/) only give information where I can find them on an already installed system.
Regards, Albin
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
On 2016-04-28 21:08, Andreas Benzler wrote:
repository gpg can be found in /etc/pki/rpm-gpg/
read the repo file(s) in
/etc/yum.repos.d/
cat /etc/yum.repos.d/CentOS-Base.repo # CentOS-Base.repo # # The mirror system uses the connecting IP address of the client and the # update status of each mirror to pick mirrors that are updated to and # geographically close to the client. You should use this for CentOS updates # unless you are manually picking other mirrors. # # If the mirrorlist= does not work for you, as a fall back you can try the # remarked out baseurl= line instead. # #
[base] name=CentOS-$releasever - Base mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch= $basearch&repo=os&infra=$infra #baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/ gpgcheck=1 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Apparently I wasn't clear enough. I'm using Arch Linux (i.e. I haven't access to the gpg key that comes with an installation) and would like to verify the ISO I've downloaded. To-do that I need the key used to sign the "sha256sum.txt.asc" file.
I need to import the CentOS Release 7 (and maybe additional keys) from a keyserver or download the keyfile to be able do that.
Regards, Albin
On 04/28/2016 02:29 PM, Albin Otterhäll wrote:
Apparently I wasn't clear enough. I'm using Arch Linux (i.e. I haven't access to the gpg key that comes with an installation) and would like to verify the ISO I've downloaded. To-do that I need the key used to sign the "sha256sum.txt.asc" file.
I need to import the CentOS Release 7 (and maybe additional keys) from a keyserver or download the keyfile to be able do that.
Regards, Albin
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Open up a browser and go to:
The GPG keys used to sign the RPM packages are in that directory. That may also be the key used to sign the checksum files. Here;s what I did on my system to check:
[jleafey@icarus temp]$ gpg --import RPM-GPG-KEY-CentOS-7 gpg: key F4A80EB5: public key "CentOS-7 Key (CentOS 7 Official Signing Key) security@centos.org" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) [jleafey@icarus temp]$ gpg --verify sha256sum.txt.asc gpg: Signature made Thu 10 Dec 2015 09:41:44 AM CST using RSA key ID F4A80EB5 gpg: Good signature from "CentOS-7 Key (CentOS 7 Official Signing Key) security@centos.org" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 6341 AB27 53D7 8A78 A7C2 7BB1 24C6 A8A7 F4A8 0EB5 [jleafey@icarus temp]$
The bit that says "Good signature" seems to indicate that it was OK.
Hope that answers your question!
Am 28.04.2016 um 21:29 schrieb Albin Otterhäll gmane@otterhall.com:
On 2016-04-28 21:08, Andreas Benzler wrote:
repository gpg can be found in /etc/pki/rpm-gpg/
read the repo file(s) in
/etc/yum.repos.d/
cat /etc/yum.repos.d/CentOS-Base.repo # CentOS-Base.repo # # The mirror system uses the connecting IP address of the client and the # update status of each mirror to pick mirrors that are updated to and # geographically close to the client. You should use this for CentOS updates # unless you are manually picking other mirrors. # # If the mirrorlist= does not work for you, as a fall back you can try the # remarked out baseurl= line instead. # #
[base] name=CentOS-$releasever - Base mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch= $basearch&repo=os&infra=$infra #baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/ gpgcheck=1 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Apparently I wasn't clear enough. I'm using Arch Linux (i.e. I haven't access to the gpg key that comes with an installation) and would like to verify the ISO I've downloaded. To-do that I need the key used to sign the "sha256sum.txt.asc" file.
I need to import the CentOS Release 7 (and maybe additional keys) from a keyserver or download the keyfile to be able do that.
if the mirror is compromised, you should use a different source:
https://pgp.mit.edu/pks/lookup?search=centos.org
-- LF
On 04/28/2016 11:50 AM, Albin Otterhäll wrote:
Hi!
I'm currently using a non-CentOS system, and wondering where I can find the GPG keys so I can verify the checksum file?
The page on the website (https://www.centos.org/keys/) only give information where I can find them on an already installed system.
Regards, Albin
You can find the keys in the top directory of any centos mirror e.g. http://mirror.centos.org/centos/
On 2016-04-28 21:24, Thomas Eriksson wrote:
On 04/28/2016 11:50 AM, Albin Otterhäll wrote:
Hi!
I'm currently using a non-CentOS system, and wondering where I can find the GPG keys so I can verify the checksum file?
The page on the website (https://www.centos.org/keys/) only give information where I can find them on an already installed system.
Regards, Albin
You can find the keys in the top directory of any centos mirror e.g. http://mirror.centos.org/centos/
Thank for helping me out!
-
Albin Otterhäll -
Andreas Benzler -
Jay Leafey -
Leon Fauster -
Thomas Eriksson