How to Verify you are Getting CentOS Linux Images, ISOs, or Packages

How CentOS Linux Makes Verification Possible

The CentOS Project has many donated mirrors (not controlled directly by the project) where you can download ISOs and updated packages. We provide several mechanisms to verify that packages and ISOs on those mirrors are unmodified.

ISOs and Images

Release Announcements

Any page where you can download a CentOS ISO or cloud image also has a Release Notes link. The Release Notes page, served over https from a site controlled by centos.org, lists the sha256sum value for each ISO by name. This tip explains how to compare your downloaded ISO's sha256sum to the value from the Release Notes page on many different operating systems. This is by far the easiest way to verify the ISOs, so PLEASE look at the Release Notes or Release Announcement for the ISOs or images to find the sha256sums. What you are trusting here is the TLS certificate of centos.org, so the comparison is only as good as your browser's check of that https connection.

ISO or Install Image Directories

If you can't find the specific release announcement for the ISO you have downloaded, the directory the ISO came from will also contain a sha256sum.txt.asc file that you can use to verify the ISO. This procedure is a bit more complicated, and we will go through how to verify every part of the chain here. The sha256sum.txt.asc file is a GPG clearsigned list of checksums, signed with the same key that the specific distribution uses for its signed packages, so a mirror that tampered with an ISO would also have to forge that signature. I will go through the whole process for CentOS-7 and then explain the slight differences for other versions of CentOS. This procedure requires the gnupg package, version 1.4 or later, installed on a Linux machine.

1. Verify the key used to sign the files

First create a validate directory (from the command line) with these commands:

mkdir validate

cd validate

The next thing to do is to verify the KEY used to sign the sha256sum file. You can find a list of keys and fingerprints here. In this example we will verify the CentOS-7 key; its name is RPM-GPG-KEY-CentOS-7.

On a CentOS-7 Machine

If you are on a CentOS-7 machine, this key is already installed at /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7, and you would verify it with this command:

gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

The output would be this:

pub  4096R/F4A80EB5 2014-06-23 CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>
      Key fingerprint = 6341 AB27 53D7 8A78 A7C2  7BB1 24C6 A8A7 F4A8 0EB5

If the fingerprint matches the one from this list for the CentOS 7 Signing Key, you have the right key installed on your system. Compare all 40 hex digits of the fingerprint, not just the short key ID (F4A80EB5): a short ID is only 32 bits, and keys with a chosen short ID can be generated cheaply.

Not on a CentOS 7 Machine

If you are not on a CentOS-7 system but on another Linux distribution with at least gnupg 1.4, then you need to download the public part of the signing key, in this case the CentOS-7 key.

Now download a copy of the public key:

wget http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-7

Please note that even though this is not an https location, we will verify the fingerprint of the key, so you know it is correct no matter where it came from. The fingerprint you compare against must itself come from a trusted place (the https key list on centos.org), not from the same mirror that served the key.

Now, we will check the key:

gpg --quiet --with-fingerprint ./RPM-GPG-KEY-CentOS-7

The output will be:

pub  4096R/F4A80EB5 2014-06-23 CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>
      Key fingerprint = 6341 AB27 53D7 8A78 A7C2  7BB1 24C6 A8A7 F4A8 0EB5

If the fingerprint matches the one from this list for the CentOS 7 Signing Key, you have downloaded the right key.

2. Import the Key

We now need to import the key into our keyring. We are working with either /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 or ./RPM-GPG-KEY-CentOS-7.

gpg --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

OR

gpg --import ./RPM-GPG-KEY-CentOS-7

Please note, you only have to do this step once to get the key into your local keyring.

3. Download the ISO (or Image) file and the sha256sum.txt.asc files to validate

Once we know we have the valid public key to check the signed files, the next step is to verify that the sha256sum file you want to use is valid. If you were getting the ISO file from here:

wget http://ftp.osuosl.org/pub/centos/7/isos/x86_64/CentOS-7-x86_64-DVD-1511.iso

Then once you have the ISO, you would also get the sha256sum.txt.asc file from the same place, in this particular case from the following location:

wget http://ftp.osuosl.org/pub/centos/7/isos/x86_64/sha256sum.txt.asc

Once you have the sha256sum.txt.asc file, you would verify it like this:

gpg --verify ./sha256sum.txt.asc

The output will look something like this:

gpg: Signature made Thu 10 Dec 2015 09:41:44 AM CST using RSA key ID F4A80EB5
gpg: Good signature from "CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6341 AB27 53D7 8A78 A7C2  7BB1 24C6 A8A7 F4A8 0EB5

Please verify that the Primary key fingerprint listed is the correct one from this list (we did that above; you can do it again if you prefer). The "This key is not certified with a trusted signature!" warning is expected: it only means you have not signed the CentOS key with your own key, and the fingerprint check is what stands in for that. A "BAD signature" line, on the other hand, means the sha256sum.txt.asc file has been altered and must not be used.

Once you have verified the signature of the sha256sum.txt.asc file, make sure the ISO (or image file) and the sha256sum.txt.asc file are in the same directory. You can then verify the ISO or image file with the following command:

sha256sum -c sha256sum.txt.asc 2>&1 | grep OK

The output in this example is:

CentOS-7-x86_64-DVD-1511.iso: OK

The grep is there because sha256sum also warns about the PGP armour lines it cannot parse and reports FAILED for the other ISOs listed in the file that you did not download. Because of that grep, a mismatch on your own ISO shows up as no output at all, so treat anything other than an OK line for your ISO as a failed check.

4. Other Locations

The only real difference for CentOS 6 ISOs is that the name of the key would be: RPM-GPG-KEY-CentOS-6

You would still use the sha256sum.txt.asc file from the directory where your ISO is located and still import the key once you have verified its fingerprint.

If you are instead trying to verify a CentOS 7 cloud image from the CentOS 7 Cloud Images directory, the steps are still the same: use the sha256sum.txt.asc file from the directory where your image is located, and import the key (in this case RPM-GPG-KEY-CentOS-7 for those cloud images) once you have verified its fingerprint.

So the basic steps are:

1. Verify the fingerprint of the signing key against the list on centos.org
2. Import the key into your keyring
3. Download the ISO (or image) and the sha256sum.txt.asc file from the same directory, and check the signature with gpg --verify
4. Check the ISO against the signed list with sha256sum -c

With those steps, you can always verify that your ISO or image is the one released by the CentOS Linux team. You can do this no matter where you got the public key or the image/ISO file, as it relies on GPG signing and on the key fingerprint you checked against centos.org.
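The steps above gathered into one script, as an added example that is not part of the CentOS wiki page: it reads the key fingerprint from gpg's machine-readable output, imports the key, verifies the clearsigned sha256sum.txt.asc, and then checks only the line for your ISO, so the other ISOs listed in the file (which you did not download) and the PGP armour lines do not produce spurious FAILED and "improperly formatted" messages. It assumes gpg 1.4 or later and GNU coreutils; the function names and the argument layout (key file, sum file and ISO given as paths) are this example's own.

```shell
#!/bin/bash
# Added example (not the CentOS wiki's own script): the four verification steps
# above as one checked procedure. Assumes gpg >= 1.4 and GNU coreutils (sha256sum).
# Usage: verify_iso KEYFILE SHA256SUM_ASC ISO_PATH
set -u

# Expected fingerprint of the CentOS 7 signing key (from the key list on centos.org).
CENTOS7_FPR="6341 AB27 53D7 8A78 A7C2  7BB1 24C6 A8A7 F4A8 0EB5"

# Normalise a fingerprint for comparison: drop spaces, upper-case the hex digits.
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'; }

# True when two fingerprints name the same key, whatever spacing they use.
fpr_matches() { [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ]; }

# Fingerprint of the first public key in KEYFILE, taken from gpg's
# --with-colons output so it does not depend on the human-readable layout.
key_fingerprint() {
    gpg --quiet --with-colons --with-fingerprint "$1" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Look up the expected SHA-256 for one ISO name in sha256sum.txt.asc and check it.
# Only that one line is fed to sha256sum -c, so the other ISOs in the list and the
# PGP armour lines cannot cause FAILED or "improperly formatted" noise.
# Exit status: 0 match, 1 mismatch, 2 ISO not listed in the sum file.
verify_iso_sum() {
    iso="$1"; sums="$2"
    expected=$(awk -v f="$(basename "$iso")" \
        '$2 == f && length($1) == 64 { print $1; exit }' "$sums")
    [ -n "$expected" ] || { echo "$(basename "$iso") is not listed in $sums" >&2; return 2; }
    printf '%s  %s\n' "$expected" "$iso" | sha256sum -c --quiet -
}

# The whole procedure: check the key's fingerprint, import it, verify the
# signature on sha256sum.txt.asc, then check the ISO against the signed list.
verify_iso() {
    keyfile="$1"; sums="$2"; iso="$3"
    fpr_matches "$(key_fingerprint "$keyfile")" "$CENTOS7_FPR" ||
        { echo "fingerprint of $keyfile does not match the CentOS 7 key" >&2; return 1; }
    gpg --quiet --import "$keyfile" 2>/dev/null
    # gpg --verify exits non-zero for a bad or missing signature. Its "not
    # certified with a trusted signature" warning is expected; the fingerprint
    # check above is what ties the key to the project.
    gpg --verify "$sums" 2>/dev/null ||
        { echo "signature on $sums did not verify" >&2; return 1; }
    verify_iso_sum "$iso" "$sums" && echo "$(basename "$iso"): OK"
}

# Entry point when run directly with the three arguments; no-op when sourced.
if [ $# -eq 3 ]; then
    verify_iso "$1" "$2" "$3"
fi
```

Run it as `verify_iso ./RPM-GPG-KEY-CentOS-7 ./sha256sum.txt.asc ./CentOS-7-x86_64-DVD-1511.iso`; it stops with a non-zero exit status at the first step that fails, so it can sit in a kickstart or image-build pipeline without a human reading the output.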

Using signed CentOS-6 or CentOS-7 Metadata for Repositories Released by the CentOS Project

What is Signed Metadata for Repositories

Using signed metadata means that yum downloads repomd.xml.asc alongside repomd.xml and checks that it is a valid detached signature over repomd.xml, made by the key listed in gpgkey= for that repository. Since repomd.xml records the checksum of every other metadata file in the repository (primary, filelists, and so on), one good signature tells you that the whole set of metadata is what was released by the owner of that key, and yum refuses the repository if the signature does not verify.

Repositories Where Signed metadata is Provided

The CentOS Project provides signed repomd.xml.asc files for the following CentOS repositories for CentOS-6 and CentOS-7:

* updates
* extras
* centosplus
* cr
* fasttrack

For any of these 5 repositories, you can enable using signed metadata in CentOS-6 or CentOS-7.

The yum included in CentOS-5 does not properly support using signed metadata, so CentOS-5 does not have signed repositories.

How to Enable Using Signed Metadata

To enable it, edit the applicable repository file and add the following line to the applicable repo section (gpgcheck=1, which verifies the packages themselves, should stay on as well; the two settings are independent):

repo_gpgcheck=1

The updates, extras, and centosplus repo sections exist in the file /etc/yum.repos.d/CentOS-Base.repo

The cr repo section would be in file /etc/yum.repos.d/CentOS-CR.repo

The fasttrack repo would be in the file /etc/yum.repos.d/CentOS-fasttrack.repo

Here is an example of an updates repo section in CentOS-Base.repo with signed metadata turned on:

#released updates 
[updates]
name=CentOS-$releasever - Updates
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
repo_gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-$releasever
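What repo_gpgcheck=1 buys you is clearer when the chain is traced by hand. The following added example (not the wiki page's or yum's own code) does against a local copy of a repository what yum does with that setting: it verifies the detached signature in repomd.xml.asc over repomd.xml with the key from gpgkey=, then checks every metadata file that repomd.xml names against the SHA-256 recorded there. Because repomd.xml carries the checksum of each other metadata file, the one signature covers the whole set; the packages themselves are covered separately by their RPM signatures, which gpgcheck=1 verifies. It assumes gpg 1.4 or later, GNU coreutils and awk, and a repository directory laid out as .../repodata/repomd.xml; the function names are this example's own.

```shell
#!/bin/bash
# Added example (not the CentOS wiki's or yum's code): verify a repository's
# metadata the way repo_gpgcheck=1 does, step by step.
# Usage: verify_repo_metadata REPO_DIR   (REPO_DIR contains repodata/)
set -u

# All <data type="..."> entries in repomd.xml, one type per line.
repomd_types() {
    grep -o '<data type="[^"]*"' "$1" | sed 's/.*="//; s/"$//'
}

# The <checksum> recorded for the <data type="TYPE"> entry in repomd.xml.
# <open-checksum> (the checksum of the decompressed file) is deliberately skipped.
repomd_checksum() {
    awk -v t="$2" '
        /<data type="/ { cur = ($0 ~ "type=\"" t "\"") }
        cur && /<checksum / { gsub(/<[^>]*>/, ""); gsub(/[[:space:]]/, ""); print; exit }
    ' "$1"
}

# The <location href> for the same entry, relative to the repository root.
repomd_location() {
    awk -v t="$2" '
        /<data type="/ { cur = ($0 ~ "type=\"" t "\"") }
        cur && /<location / { match($0, /href="[^"]*"/); print substr($0, RSTART + 6, RLENGTH - 7); exit }
    ' "$1"
}

# Check one metadata file named in repomd.xml against the checksum recorded there.
# Exit status: 0 matches, 1 mismatch or missing file, 2 no such entry in repomd.xml.
verify_metadata_file() {
    repo="$1"; type="$2"
    sum=$(repomd_checksum "$repo/repodata/repomd.xml" "$type")
    href=$(repomd_location "$repo/repodata/repomd.xml" "$type")
    [ -n "$sum" ] && [ -n "$href" ] || return 2
    printf '%s  %s\n' "$sum" "$repo/$href" | sha256sum -c --quiet -
}

# The full chain: signature over repomd.xml first, then every file it names.
verify_repo_metadata() {
    repo="$1"
    # Detached signature made with the repository's gpgkey=; the key must already
    # be in the keyring (see the fingerprint check and import in the ISO section).
    gpg --verify "$repo/repodata/repomd.xml.asc" "$repo/repodata/repomd.xml" 2>/dev/null ||
        { echo "signature on repomd.xml did not verify" >&2; return 1; }
    for t in $(repomd_types "$repo/repodata/repomd.xml"); do
        verify_metadata_file "$repo" "$t" ||
            { echo "$t metadata does not match the signed repomd.xml" >&2; return 1; }
    done
    echo "repository metadata in $repo verified"
}

# Entry point when run directly with a repository directory; no-op when sourced.
if [ $# -eq 1 ]; then
    verify_repo_metadata "$1"
fi
```

A mirror that ships a tampered primary.xml.gz fails at the second step because its checksum no longer matches the one in the signed repomd.xml; a mirror that also rewrites repomd.xml fails at the first step because it cannot produce a valid repomd.xml.asc without the CentOS signing key. That is exactly the check yum performs when repo_gpgcheck=1 is set.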

Download/Verify (last edited 2016-07-29 05:18:18 by TimothyLee)