How to verify GPG key of a downloaded CentOS ISO and verify its checksum [Detailed]

This tutorial shows how to verify the integrity of a downloaded CentOS ISO image: first check the CentOS GPG public key, then use that key to verify the signed checksum file, and finally compare the ISO's SHA-256 checksum against the signed value.

1. Download the public key from the CentOS website

Open a terminal and create a directory where you need to download the ISO and the checksum file.

mkdir validate && cd validate/

Download the GPG public key from the official CentOS website. (The full list of CentOS keys is published at https://www.centos.org/keys/.)

wget https://www.centos.org/keys/RPM-GPG-KEY-CentOS-Official

Below are the contents of the downloaded file which shows that this is a public key.

cat RPM-GPG-KEY-CentOS-Official
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)
[base64-encoded key material elided]
=kkH7
-----END PGP PUBLIC KEY BLOCK-----

2. Check and verify the fingerprint of the downloaded public key.

Using gpg, check the fingerprint of the downloaded public key file using the following command:

gpg --dry-run --import --import-options import-show  ./RPM-GPG-KEY-CentOS-Official
pub   rsa4096 2019-05-03 [SC]
      99DB70FAE1D7CE227FB6488205B555B38483C65D
uid                      CentOS (CentOS Official Signing Key) <[email protected]>

gpg: Total number processed: 1

From the output, the fingerprint is 99DB70FAE1D7CE227FB6488205B555B38483C65D.

Now we need to verify that this fingerprint matches the one documented on the official CentOS keys page.

So, go to https://www.centos.org/keys/ and search for the above fingerprint.

[Screenshot: the fingerprint matched against the CentOS official keys documentation page]

[Note: You could split the fingerprint into blocks of four characters as shown below: 99DB 70FA E1D7 CE22 7FB6 4882 05B5 55B3 8483 C65D ]

If the fingerprint matches the one documented on the official CentOS keys page, the downloaded public key has not been tampered with and can be trusted.

[Note: If you are using a newer version of gpg, then you can use “gpg --quiet --with-fingerprint ./RPM-GPG-KEY-CentOS-Official“. I did not use the --with-fingerprint flag as the version of gpg installed on my machine does not show the fingerprints with the --with-fingerprint flag.]

3. Import the Public key to your GNUPG keyring

Now import the downloaded key into your GnuPG keyring.

gpg --import ./RPM-GPG-KEY-CentOS-Official
gpg: key 05B555B38483C65D: public key "CentOS (CentOS Official Signing Key) <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1

The output shows that gpg processed and imported 1 key into your local keyring.

To list the keys currently in your GnuPG keyring, use the following:

gpg --list-keys
/home/r3con/.gnupg/pubring.kbx
------------------------------
pub   rsa4096 2019-05-03 [SC]
      99DB70FAE1D7CE227FB6488205B555B38483C65D
uid           [ unknown] CentOS (CentOS Official Signing Key) <[email protected]>

4. Download the CentOS ISO image

Download the CentOS ISO file:

wget http://mirrors.piconets.webwerks.in/centos-mirror/8.1.1911/isos/x86_64/CentOS-8.1.1911-x86_64-dvd1.iso

5. Download the CHECKSUM.asc file and verify that it is not tampered with.

Once the download is complete, download the “CHECKSUM.asc” file from the CentOS website:

wget http://mirror.centos.org/centos/8/isos/x86_64/CHECKSUM.asc

If you read the contents of the CHECKSUM.asc file, you will see that it contains a PGP clearsigned message with the checksums for the CentOS ISO images.

cat CHECKSUM.asc
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# CentOS-8.1.1911-x86_64-boot.iso: 625999872 bytes
SHA256 (CentOS-8.1.1911-x86_64-boot.iso) = 7fea13202bf2f26989df4175aace8fdc16e1137f7961c33512cbfad844008948
# CentOS-8.1.1911-x86_64-dvd1.iso: 7554990080 bytes
SHA256 (CentOS-8.1.1911-x86_64-dvd1.iso) = 3ee3f4ea1538e026fff763e2b284a6f20b259d91d1ad5688f5783a67d279423b
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
[base64-encoded signature data elided]
=TBYO
-----END PGP SIGNATURE-----

To verify that the downloaded “CHECKSUM.asc” file has not been tampered with and is indeed signed by CentOS, use the --verify flag:

gpg --verify CHECKSUM.asc
gpg: Signature made Tue Jan 14 19:52:52 2020 IST
gpg:                using RSA key 05B555B38483C65D
gpg: Good signature from "CentOS (CentOS Official Signing Key) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 99DB 70FA E1D7 CE22 7FB6 4882 05B5 55B3 8483 C65D

The output shows a good signature, so the CHECKSUM.asc file was signed by the CentOS key and has not been tampered with. The WARNING only means the key is not certified in your local GnuPG trust database; since you verified the fingerprint manually in step 2 and the "Primary key fingerprint" printed here is that same fingerprint, the warning is expected.

At this point, you should have the following files in the directory:

ls -l
total 7377932
-rwxrwxrwx 1 r3con r3con 1179 Jun 3 11:10 CHECKSUM.asc
-rwxrwxrwx 1 r3con r3con 7554990080 Jan 4 03:17 CentOS-8.1.1911-x86_64-dvd1.iso
-rwxrwxrwx 1 r3con r3con 1683 Sep 12 2019 RPM-GPG-KEY-CentOS-Official

6. Verifying the checksum of the downloaded image using the CHECKSUM.asc file.

To verify the checksum of the downloaded ISO image against the signed file, use the following command:

sha256sum -c CHECKSUM.asc 2>&1 | grep OK
CentOS-8.1.1911-x86_64-dvd1.iso: OK

[Screenshot: successful sha256 checksum verification]

This shows that the checksum matches the signed value, so the downloaded ISO file is intact and has not been tampered with.
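The same chain of checks from steps 2 to 6 can be run as a script whose result is decided by exit status rather than by reading output. The script below is an added example, not part of the original post or of any CentOS tooling. It assumes a GnuPG 2.x gpg that supports --with-colons, --status-fd and the VALIDSIG status line, that the CentOS key from step 3 is already imported before verify_signature runs, and that sha256sum (or shasum) is on PATH; the function names are the example's own. One point it makes explicit: on a mismatch sha256sum prints FAILED, which the "| grep OK" filter in step 6 would swallow, leaving empty output instead of an error.

```shell
#!/bin/sh
# Added example (not from the original post): steps 2-6 with every check
# decided by exit status. Assumes GnuPG 2.x (--with-colons, --status-fd,
# VALIDSIG), the CentOS key already imported, and sha256sum or shasum on PATH.

# Fingerprint published at https://www.centos.org/keys/ (shown in step 2).
EXPECTED_FPR=99DB70FAE1D7CE227FB6488205B555B38483C65D

# Print the SHA-256 hex digest of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# Step 2: the fingerprint of the downloaded key file must equal the published one.
# In the colon listing the "fpr" record carries the fingerprint in field 10.
check_fingerprint() {
    keyfile=$1; expected=$2
    got=$(gpg --with-colons --dry-run --import --import-options import-show "$keyfile" 2>/dev/null \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    [ -n "$got" ] && [ "$got" = "$expected" ]
}

# Step 5: CHECKSUM.asc must carry a valid signature from exactly that key.
# "Good signature" corresponds to a VALIDSIG status line whose third field is
# the signing key's fingerprint; require it to be the expected one.
verify_signature() {
    sigfile=$1; expected=$2
    gpg --status-fd 1 --verify "$sigfile" 2>/dev/null \
        | awk -v fpr="$expected" '$2 == "VALIDSIG" && $3 == fpr { ok = 1 } END { exit !ok }'
}

# Extract the digest recorded for one file name from a CHECKSUM.asc-style body,
# i.e. lines of the form "SHA256 (name) = hex". Fails if there is no such entry.
expected_sha256() {
    awk -v name="$2" '
        $1 == "SHA256" && $2 == "(" name ")" && $3 == "=" { print $4; found = 1 }
        END { exit !found }' "$1"
}

# Step 6: compare the ISO's digest with the signed value. A mismatch returns 1
# and prints FAILED, which "| grep OK" would silently hide.
verify_iso() {
    checksums=$1; iso=$2
    want=$(expected_sha256 "$checksums" "$(basename "$iso")") \
        || { echo "$iso: no SHA256 entry in $checksums" >&2; return 2; }
    have=$(sha256_of "$iso")
    if [ "$have" = "$want" ]; then
        echo "$iso: OK"
    else
        echo "$iso: FAILED (expected $want, got $have)" >&2
        return 1
    fi
}

# Run the whole chain and stop at the first failing link.
verify_all() {
    check_fingerprint "$1" "$EXPECTED_FPR" \
        || { echo "key fingerprint mismatch, not trusting $1" >&2; return 1; }
    verify_signature "$2" "$EXPECTED_FPR" \
        || { echo "$2: signature missing or not from the CentOS key" >&2; return 1; }
    verify_iso "$2" "$3"
}

# usage: sh verify-centos-iso.sh RPM-GPG-KEY-CentOS-Official CHECKSUM.asc CentOS-8.1.1911-x86_64-dvd1.iso
if [ "$#" -eq 3 ]; then
    verify_all "$@"
fi
```

Run it with the three files from the tutorial's directory; the exit status is 0 only when the key fingerprint, the signature on CHECKSUM.asc and the ISO digest all check out, so it can be used unattended (for example before an automated install) without anyone reading the gpg output.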

Hope this helps. Cheers

Source/Credits/References:

CentOS Documentation

GNUPG Fingerprint workaround