Verifying CentOS 7 Downloads

Post by zabbadgigante » 2020/08/21 15:41:21

Hi,

I am having trouble verifying CentOS 7 full DVD downloads from

http://isoredirect.centos.org/centos/7/isos/x86_64/

I have tried the following mirrors

http://mirror.linux.duke.edu/pub/centos ... os/x86_64/
http://packages.oit.ncsu.edu/centos/7.8 ... os/x86_64/
http://mirrors.seas.harvard.edu/centos/ ... os/x86_64/

When I attempt to verify the sha256sum.txt.asc with the sha256sum.txt file present with

`gpg --verify sha256sum.txt.asc`

I get the following message:

`gpg: WARNING: not a detached signature; file 'sha256sum.txt' was NOT verified!`

This message is not present when verifying CHECKSUM.asc for CentOS 8 from the Duke mirror.

So, it seems that I cannot download a CentOS 7 ISO that can be verified.

Is that correct? Or, did I miss something?

Thanks

Post by TrevorH » 2020/08/21 22:40:31

The content of the sha256sum.txt.asc has changed between 7 and 8 it seems.

In 7 it contains the sha256sum and the ascii armoured gpg sig to verify both at the same time. The process for using the 7 files is documented on https://wiki.centos.org/Download/Verify

On 8 the CHECKSUM.asc appears to contain the ascii armoured gpg sig to check that the CHECKSUM is correct. So on 8 it seems to be a two step process: first use CHECKSUM.asc to check that CHECKSUM hasn't been tampered with, then use CHECKSUM to check the sha256sum of the iso you're interested in.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

Post by zabbadgigante » 2020/08/22 03:00:14

Thanks for looking into this--

I see now that the checksums are contained within a PGP signed message in the `sha256sum.txt.asc` file.

Moving the `sha256sum.txt` file out of the directory removed the warning from the output.

The checksum for the `.iso` is in the `.asc` file, so everything looks good.
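
The two layouts discussed in this thread, as an added example that is not part of the original posts or of the CentOS documentation: it tells a clearsigned `.asc` (CentOS 7) from a detached one (CentOS 8), and compares the ISO only against checksum text that gpg has verified. The function names are hypothetical, the CentOS signing key is assumed to be imported already, and the BSD-style line format for `CHECKSUM` is an assumption.

```shell
# Added example: choose the verification path from the .asc file's armour header.
# Assumes gpg, awk and sha256sum are installed and the CentOS signing key is
# already imported with its fingerprint checked (see the wiki page linked above).

# Print "clearsigned", "detached" or "unknown" for an ASCII-armoured file.
asc_kind() {
    if grep -q '^-----BEGIN PGP SIGNED MESSAGE-----' "$1"; then
        echo clearsigned      # CentOS 7 style: checksums and signature in one file
    elif grep -q '^-----BEGIN PGP SIGNATURE-----' "$1"; then
        echo detached         # CentOS 8 style: signature only, data in a second file
    else
        echo unknown
    fi
}

# Print only checksum text that the signature covers; fail if gpg rejects it.
# $1 = .asc file, $2 = separate checksum file (detached case only)
verified_checksums() {
    case "$(asc_kind "$1")" in
        clearsigned) gpg --decrypt "$1" ;;
        detached)    gpg --verify "$1" "$2" && cat "$2" ;;
        *)           echo "not a PGP signature file: $1" >&2; return 2 ;;
    esac
}

# Compare an ISO with a checksum list read from stdin. Accepts "hash  name"
# lines and BSD-style "SHA256 (name) = hash" lines. Body runs in a subshell.
check_iso() (
    name=$(basename "$1")
    want=$(awk -v n="$name" '
        $2 == n || $2 == "*" n             { print $1 }
        $1 == "SHA256" && $2 == "(" n ")"  { print $4 }')
    have=$(sha256sum "$1" | cut -d" " -f1)
    [ -n "$want" ] && [ "$want" = "$have" ]
)

# Usage, capturing the list first so a gpg failure stops the check:
#   sums=$(verified_checksums sha256sum.txt.asc) || exit 1           # CentOS 7
#   sums=$(verified_checksums CHECKSUM.asc CHECKSUM) || exit 1       # CentOS 8
#   printf '%s\n' "$sums" | check_iso "$iso" && echo "ISO matches signed checksum"
```

Reading the hash from gpg's output rather than from the raw `.asc` matters because text placed outside the signed block of a clearsigned file is not covered by the signature.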
