Am 28.04.2016 um 21:29 schrieb Albin Otterhäll <gmane at otterhall.com>: > On 2016-04-28 21:08, Andreas Benzler wrote: >> repository gpg can be found in >> /etc/pki/rpm-gpg/ >> >> read the repo file(s) in >> >> /etc/yum.repos.d/ >> >> cat /etc/yum.repos.d/CentOS-Base.repo >> # CentOS-Base.repo >> # >> # The mirror system uses the connecting IP address of the client and the >> # update status of each mirror to pick mirrors that are updated to and >> # geographically close to the client. You should use this for CentOS >> updates >> # unless you are manually picking other mirrors. >> # >> # If the mirrorlist= does not work for you, as a fall back you can try >> the >> # remarked out baseurl= line instead. >> # >> # >> >> [base] >> name=CentOS-$releasever - Base >> mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch= >> $basearch&repo=os&infra=$infra >> #baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/ >> gpgcheck=1 >> gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 > > Apparently I wasn't clear enough. I'm using Arch Linux (i.e. I haven't > access to the gpg key that comes with an installation) and would like to > verify the ISO I've downloaded. To-do that I need the key used to sign > the "sha256sum.txt.asc" file. > > I need to import the CentOS Release 7 (and maybe additional keys) from a > keyserver or download the keyfile to be able do that. if the mirror is compromised, you should use a different source: https://pgp.mit.edu/pks/lookup?search=centos.org -- LF