[CentOS] Where can I find the CentOS gpg keys?

Thu Apr 28 19:45:19 UTC 2016
Jay Leafey <jay.leafey at mindless.com>

On 04/28/2016 02:29 PM, Albin Otterhäll wrote:
> Apparently I wasn't clear enough. I'm using Arch Linux (i.e. I haven't
> access to the gpg key that comes with an installation) and would like to
> verify the ISO I've downloaded. To do that I need the key used to sign
> the "sha256sum.txt.asc" file.
> I need to import the CentOS Release 7 (and maybe additional keys) from a
> keyserver or download the keyfile to be able to do that.
> Regards,
> Albin

Open up a browser and go to:

> http://mirror.centos.org/centos-7/7/os/x86_64/

The GPG keys used to sign the RPM packages are in that directory.  That
may also be the key used to sign the checksum files.  Here's what I did
on my system to check:

> [jleafey at icarus temp]$ gpg --import RPM-GPG-KEY-CentOS-7
> gpg: key F4A80EB5: public key "CentOS-7 Key (CentOS 7 Official Signing Key) <security at centos.org>" imported
> gpg: Total number processed: 1
> gpg:               imported: 1  (RSA: 1)
> [jleafey at icarus temp]$ gpg --verify sha256sum.txt.asc
> gpg: Signature made Thu 10 Dec 2015 09:41:44 AM CST using RSA key ID F4A80EB5
> gpg: Good signature from "CentOS-7 Key (CentOS 7 Official Signing Key) <security at centos.org>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 6341 AB27 53D7 8A78 A7C2  7BB1 24C6 A8A7 F4A8 0EB5
> [jleafey at icarus temp]$

The bit that says "Good signature" seems to indicate that it was OK.

Hope that answers your question!
Jay Leafey - Memphis, TN
jay.leafey at mindless.com
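
Added example, not part of the original message: a script form of the check above that also addresses the "not certified" warning by accepting the signature only if it comes from a pinned fingerprint, then hashes the ISO against the signed text. It assumes sha256sum.txt.asc is clearsigned and that the fingerprint shown in the gpg output above has been confirmed through a channel other than the mirror the key was downloaded from; the function names and the throwaway keyring are this example's own choices.

```bash
#!/usr/bin/env bash
# Added example: pin the signer's fingerprint, then check the ISO hash.

# Fingerprint from the gpg output in the message above, spaces removed.
# Assumption: it has been confirmed out of band before being pinned here.
EXPECTED_FPR="6341AB2753D78A78A7C27BB124C6A8A7F4A80EB5"

# Read `gpg --status-fd` output on stdin and print the primary-key
# fingerprint of every valid signature (last field of a VALIDSIG line).
validsig_primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF }'
}

# Succeed only if the status output on stdin has a VALIDSIG made by key $1.
# A bare GOODSIG or a human-readable "Good signature" line is not enough.
signed_by() {
    validsig_primary_fpr | grep -qxiF -- "$1"
}

# usage: verify_iso KEYFILE SIGNED_SUMS ISO   (runs in a subshell)
verify_iso() (
    keyfile=$1 sums=$2 iso=$3
    home=$(mktemp -d) || exit 1
    trap 'rm -rf "$home"' EXIT
    # Throwaway keyring holding only the downloaded key, so no other key
    # already in the user's keyring can satisfy the check.
    gpg --homedir "$home" --batch --quiet --import "$keyfile" || exit 1
    # --decrypt on a clearsigned file writes out only the signed text;
    # machine-readable status lines go to fd 3.
    gpg --homedir "$home" --batch --status-fd 3 --output "$home/sums.txt" \
        --decrypt "$sums" 3>"$home/status" 2>/dev/null || exit 1
    signed_by "$EXPECTED_FPR" <"$home/status" || exit 1
    # Hash the ISO against its line in the signed text, not the raw .asc.
    cd "$(dirname "$iso")" || exit 1
    grep -F -- "$(basename "$iso")" "$home/sums.txt" | sha256sum -c -
)

# Run the check only when called with the three file arguments.
if [ "$#" -eq 3 ]; then
    verify_iso "$@"
fi
```

A non-zero exit status means the key did not import, the signature did not verify, the signer was not the pinned key, or the ISO hash did not match.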