How can I verify that the CHECKSUM file for the CentOS 8 ISO is genuine?
Download the checksum and key:
$ wget https://www.centos.org/keys/RPM-GPG-KEY-CentOS-Official
$ wget http://www.gtlib.gatech.edu/pub/centos/8.0.1905/isos/x86_64/CHECKSUM
$ wget http://www.gtlib.gatech.edu/pub/centos/8.0.1905/isos/x86_64/CHECKSUM.asc
Check the key:
$ gpg RPM-GPG-KEY-CentOS-Official
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub rsa4096 2019-05-03 [SC]
99DB70FAE1D7CE227FB6488205B555B38483C65D
uid CentOS (CentOS Official Signing Key) <[email protected]>
Assert that the fingerprint matches https://www.centos.org/keys/
Import the key:
$ gpg --import RPM-GPG-KEY-CentOS-Official
gpg: key 05B555B38483C65D: public key "CentOS (CentOS Official Signing Key) <[email protected]>" imported
gpg: Total number processed: 1
gpg: imported: 1
Cannot verify the CHECKSUM file:
$ gpg --verify CHECKSUM.asc
gpg: Signature made Mon 23 Sep 2019 07:24:37 AM EDT
gpg: using RSA key 05B555B38483C65D
gpg: Good signature from "CentOS (CentOS Official Signing Key) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 99DB 70FA E1D7 CE22 7FB6 4882 05B5 55B3 8483 C65D
gpg: WARNING: not a detached signature; file 'CHECKSUM' was NOT verified!
It says:
gpg: WARNING: not a detached signature; file 'CHECKSUM' was NOT verified!
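You don't need both CHECKSUM and CHECKSUM.asc. The latter is the GPG-signed version of CHECKSUM. GPG is getting confused because, if you have somefilename and somefilename.asc, it assumes the .asc file is a detached signature.
If you delete the file CHECKSUM, you can run gpg --verify CHECKSUM.asc and get: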
gpg: Signature made Mon 23 Sep 2019 07:24:37 AM EDT
gpg: using RSA key 0x05B555B38483C65D
gpg: Good signature from "CentOS (CentOS Official Signing Key) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 99DB 70FA E1D7 CE22 7FB6 4882 05B5 55B3 8483 C65D
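
Added example (not part of the original question or answer): a shell helper that reads the armor header to tell a clearsigned file such as CHECKSUM.asc from a detached signature, runs the matching gpg command, and accepts the result only if the signer's fingerprint equals the one shown above. The function names and the ".verified" output suffix are assumptions made for this example.

```shell
# Added example. Function names and the ".verified" suffix are assumptions.
# Fingerprint of the CentOS Official Signing Key as printed on this page.
CENTOS_FPR=99DB70FAE1D7CE227FB6488205B555B38483C65D

# Print "clearsigned", "detached" or "unknown" from the first armor header.
asc_kind() {
    case "$(sed -n '/^-----BEGIN PGP /{p;q;}' "$1" | tr -d '\r')" in
        '-----BEGIN PGP SIGNED MESSAGE-----') echo clearsigned ;;
        '-----BEGIN PGP SIGNATURE-----')      echo detached ;;
        *)                                    echo unknown ;;
    esac
}

# verify_asc FILE.asc [FINGERPRINT]
# Clearsigned: the signed text is inside FILE.asc, so the verified text is
# written to FILE.verified and any separately downloaded FILE is ignored.
# Detached: FILE is verified against the signature in FILE.asc.
# Returns 0 only if gpg reports VALIDSIG for FINGERPRINT, 2 if FILE.asc is
# not an armored signature, 1 otherwise.
verify_asc() {
    asc=$1 fpr=${2:-$CENTOS_FPR} data=${1%.asc} out=
    case "$(asc_kind "$asc")" in
        clearsigned)
            out=$data.verified
            status=$(gpg --batch --yes --status-fd 1 \
                         --output "$out" --decrypt "$asc" 2>/dev/null) || : ;;
        detached)
            status=$(gpg --batch --status-fd 1 \
                         --verify "$asc" "$data" 2>/dev/null) || : ;;
        *)
            echo "verify_asc: $asc is not an armored signature" >&2
            return 2 ;;
    esac
    if printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG .*$fpr"; then
        return 0
    fi
    # Do not leave text behind that gpg did not verify.
    if [ -n "$out" ]; then rm -f "$out"; fi
    echo "verify_asc: no valid signature from $fpr" >&2
    return 1
}
```

After `verify_asc CHECKSUM.asc` succeeds, compare the ISO's hash against CHECKSUM.verified rather than against a separately downloaded CHECKSUM.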