[CentOS] Where can I find the CentOS gpg keys?

Thu Apr 28 23:02:20 UTC 2016
Leon Fauster <leonfauster at googlemail.com>

Am 28.04.2016 um 21:29 schrieb Albin Otterhäll <gmane at otterhall.com>:
> On 2016-04-28 21:08, Andreas Benzler wrote:
>> repository gpg can be found in
>> /etc/pki/rpm-gpg/
>> 
>> read the repo file(s) in
>> 
>> /etc/yum.repos.d/
>> 
>> cat /etc/yum.repos.d/CentOS-Base.repo 
>> # CentOS-Base.repo
>> #
>> # The mirror system uses the connecting IP address of the client and the
>> # update status of each mirror to pick mirrors that are updated to and
>> # geographically close to the client.  You should use this for CentOS
>> updates
>> # unless you are manually picking other mirrors.
>> #
>> # If the mirrorlist= does not work for you, as a fall back you can try
>> the 
>> # remarked out baseurl= line instead.
>> #
>> #
>> 
>> [base]
>> name=CentOS-$releasever - Base
>> mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=
>> $basearch&repo=os&infra=$infra
>> #baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
>> gpgcheck=1
>> gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
> 
> Apparently I wasn't clear enough. I'm using Arch Linux (i.e. I haven't
> access to the gpg key that comes with an installation) and would like to
> verify the ISO I've downloaded. To-do that I need the key used to sign
> the "sha256sum.txt.asc" file.
> 
> I need to import the CentOS Release 7 (and maybe additional keys) from a
> keyserver or download the keyfile to be able do that.



if the mirror is compromised, you should use a different source:

https://pgp.mit.edu/pks/lookup?search=centos.org


--
LF