How to Verify you are Getting CentOS Linux Images, ISOs, or Packages
Contents
1. How CentOS Linux Makes Verification Possible
The CentOS Project has many donated mirrors (not controlled directly by the project) where you can download ISOs and updated packages. We provide several mechanisms to verify that packages and ISOs on those mirrors are unmodified.
2. ISOs and Images
2.1. Release Announcements
Any page where you can download a CentOS ISO or Cloud image also has a Release Notes link. If you visit the Release Notes page, you will see, on an https page controlled by centos.org the sha256sum values for specific ISO name. This tip tells you how to compare your downloaded ISO's sha256sum to the value from the Release Notes page on many different operating systems. This is by far the easiest way to verify the ISOs, so PLEASE look at the Release Notes or Release Announcement for the ISOs or Images to find the sha256sums.
2.2. ISO or Install Image Directories
If you can't find the specific release announcement for the ISO you have downloaded, the directory from which the ISO came will have a sha256sum.txt.asc file that you can use to verify the ISO. This procedure is a bit more complicated and we will go thru how to verify all parts of the process here. The provided sha256sum.txt.asc file is signed with the same key that the specific distribution uses for it's signed packages. I will go through the whole process for CentOS-7 and then explain the slight differences for other versions of CentOS. This procedure requires the linux gnupg package > 1.4 installed.
2.2.1. 1. Verify the key used to sign the files
First create a validate directory (from the command line) with these commands:
mkdir validate cd validate
The next thing to do is to verify the KEY used to sign the sha256sum file. You can find a list of keys and fingerprints here. In this example we will verify the CentOS-7 key .. it's name is RPM-GPG-KEY-CentOS-7.
2.2.1.1. On a CentOS-7 Machine
If you are testing on a CentOS-7 machine, this key is already installed at /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7. If you are on a CentOS-7 machine, you would verify the key with this command:
gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
The output would be this:
pub 4096R/F4A80EB5 2014-06-23 CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>
Key fingerprint = 6341 AB27 53D7 8A78 A7C2 7BB1 24C6 A8A7 F4A8 0EB5If the fingerprint matches the one from this list for the CentOS 7 Signing Key, you have the right key installed on your system.
2.2.1.2. Not on a CentOS 7 Machine
If you are not on a CentOS-7 system, but another version of Linux with at least gnupg 1.4, then you need to download the public part of the signing key, in this case the CentOS-7 key.
Now download a copy of the public key:
wget http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-7
|
Please note that even though this is not an https location, we will verify the fingerprint of key, so you know it is correct no matter where it came from |
|
WikiDesign/icon-admonition-idea.png "ArtWork/WikiDesign/icon-admonition-idea.png"){kind=icon}
Now, we will check the key:
gpg --quiet --with-fingerprint ./RPM-GPG-KEY-CentOS-7
The output will be:
pub 4096R/F4A80EB5 2014-06-23 CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>
Key fingerprint = 6341 AB27 53D7 8A78 A7C2 7BB1 24C6 A8A7 F4A8 0EB5If the fingerprint matches the one from this list for the CentOS 7 Signing Key, you have downloaded the right key.
2.2.2. 2. Import the Key
We now need to import the key into our keyring. We are working with either /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 or ./RPM-GPG-KEY-CentOS-7.
gpg --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
OR
gpg --import ./RPM-GPG-KEY-CentOS-7
Please note, you only have to do this step one time to get the key into your local keyring.
2.2.3. 3. Download the ISO (or Image) file and the sha256sum.txt.asc files to validate
Once we know we have the valid public key to check the signed files, the next step of the process is to verify that the sha256sum files you want to use are valid. If you were getting the ISO file from here:
wget http://ftp.osuosl.org/pub/centos/7/isos/x86_64/CentOS-7-x86_64-DVD-1511.iso
Then once you got the ISO, you would also get the sha256sum.txt.asc file from the same place. In this particular case, from the following locations.
wget http://ftp.osuosl.org/pub/centos/7/isos/x86_64/sha256sum.txt.asc
Once you have the sha256sum.txt.asc file, you would verify it like this:
gpg --verify ./sha256sum.txt.asc
The output will look something like this:
gpg: Signature made Thu 10 Dec 2015 09:41:44 AM CST using RSA key ID F4A80EB5 gpg: Good signature from "CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 6341 AB27 53D7 8A78 A7C2 7BB1 24C6 A8A7 F4A8 0EB5
|
Please verify the Primary key fingerprint listed is the correct one from this list (we did that above, you can do it again if you prefer) |
|
Once you have verified the signature of the sha256sum.txt.asc file, please make sure you have the ISO (or image file) and the sha256sum.txt.asc file in the same directory. You can then verify the ISO or image file with the following command:
sha256sum -c sha256sum.txt.asc 2>&1 | grep OK
The output in this example is:
CentOS-7-x86_64-DVD-1511.iso: OK
2.2.4. 4. Other Locations
The only real difference for CentOS 6 ISOs is that the name of the key would be: RPM-GPG-KEY-CentOS-6
You would still use the sha256sum.txt.asc file from the directory where your ISO is located and still import the key once you verified it's Fingerprint.
If you are instead trying to verify a CentOS image from this directory:
CentOS 7 Cloud Images Steps still the same, use the sha256sum.txt.asc file from the directory where your ISO is located and still import the key (in this case, RPM-GPG-KEY-CentOS-7 for those cloud images) once you verified it's Fingerprint.
So the basic steps are
- Verify a Key
- Import that key
- grab the image or iso file
- grab the sha256sum.txt.asc file from the same directory as the iso or image file
- verify the sha256sum.txt.asc signature
- verify the iso or image from the sha256sum.txt.asc file
With those steps, you can always verify that your ISO or image is the one released by the CentOS Linux team. You can do this no matter where you got the public key or the image/iso file .. as it relies on gpg key signing.
3. Using signed CentOS-6 or CentOS-7 Metadata for Repositories Released by the CentOS Project
3.1. What is Signed Metadata for Repositories
Using signed metadata means that yum checks that there is a repomd.xml.asc signed by the key listed for that repository. This means that you know this information is what was released by the owner of that key.
3.2. Repositories Where Signed metadata is Provided
The CentOS Project provides signed repomd.xml.asc files for the following CentOS Repositories for CentOS-6 and CentOS-7:
- extras
- cr
- centosplus
- fasttrack
- updates
For any of these 5 repositories, you can enable using signed metadata in CentOS-6 or CentOS-7.
The yum included in CentOS-5 does not properly support using signed metadata, so CentOS-5 does not have signed repositories.
3.3. How to Enable Using Signed Metadata
If you edit the applicable repository file, you will add the following line to the applicable repo section:
repo_gpgcheck=1
The updates, extras, and centosplus repo sections exist in the file /etc/yum.repos.d/CentOS-Base.repo
The cr repo section would be in file /etc/yum.repos.d/CentOS-CR.repo
The fasttrack repo would be in the file /etc/yum.repos.d/CentOS-fasttrack.repo
Here is an example of an updates repo section in CentOS-Base.repo with signed metadata turned on:
#released updates [updates] name=CentOS-$releasever - Updates #mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/ gpgcheck=1 repo_gpgcheck=1 enabled=1 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-$releasever