Verifying CentOS 7 Downloads

zabbadgigante
Posts: 2
Joined: 2020/08/21 15:16:59

Verifying CentOS 7 Downloads

Post by zabbadgigante » 2020/08/21 15:41:21

Hi,

I am having trouble verifying CentOS 7 full DVD downloads from

http://isoredirect.centos.org/centos/7/isos/x86_64/

I have tried the following mirrors

http://mirror.linux.duke.edu/pub/centos ... os/x86_64/
http://packages.oit.ncsu.edu/centos/7.8 ... os/x86_64/
http://mirrors.seas.harvard.edu/centos/ ... os/x86_64/

When I attempt to verify the sha256sum.txt.asc with the sha256sum.txt file present with

`gpg --verify sha256sum.txt.asc`

I get the following message:

`gpg: WARNING: not a detached signature; file 'sha256sum.txt' was NOT verified!`

This message is not present when verifying CHECKSUM.asc for CentOS 8 from the Duke mirror.

So, it seems that I cannot download a CentOS 7 ISO that can be verified.

Is that correct? Or, did I miss something?

Thanks

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Verifying CentOS 7 Downloads

Post by TrevorH » 2020/08/21 22:40:31

The content of the sha256sum.txt.asc has changed between 7 and 8 it seems.

In 7 it contains the sha256sum and the ascii armoured gpg sig to verify both at the same time. The process for using the 7 files is documented on https://wiki.centos.org/Download/Verify

On 8 the CHECKSUM.asc appears to contain the ascii armoured gpg sig to check that the CHECKSUM is correct. So on 8 it seems to be a two step process: first use CHECKSUM.asc to check that CHECKSUM hasn't been tampered with, then use CHECKSUM to check the sha256sum of the iso you're interested in.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

zabbadgigante
Posts: 2
Joined: 2020/08/21 15:16:59

Re: Verifying CentOS 7 Downloads

Post by zabbadgigante » 2020/08/22 03:00:14

Thanks for looking into this--

I see now that the checksums are contained within a PGP signed message in the `sha256sum.txt.asc` file.

Moving the `sha256sum.txt` file out of the directory removed the warning from the output.

The checksum for the `.iso` is in the `.asc` file, so everything looks good.
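
The two layouts discussed in this thread, handled in one script. This is an added example, not part of any post above and not CentOS tooling: the function names are made up for illustration, the CentOS signing key is assumed to be already imported into the gpg keyring, and for a detached signature the plain checksum file is assumed to sit beside the `.asc` under the same name without that suffix.

```bash
#!/usr/bin/env bash
# Added example; function names are illustrative, not from CentOS or GnuPG.

# Print "clearsigned", "detached" or "unknown" from the first armor header.
asc_kind() {
    case "$(grep -m1 '^-----BEGIN PGP ' "$1")" in
        '-----BEGIN PGP SIGNED MESSAGE-----'*) echo clearsigned ;;
        '-----BEGIN PGP SIGNATURE-----'*)      echo detached ;;
        *)                                     echo unknown ;;
    esac
}

# Write the signature-verified checksum list to $3.
# $1 = .asc file, $2 = plain checksum file (read only for a detached signature).
verified_list() {
    case "$(asc_kind "$1")" in
        # Clearsigned: the checksums are inside the .asc, so take them from
        # gpg's output and never from an unsigned copy lying next to it.
        clearsigned) gpg --yes --output "$3" --decrypt "$1" ;;
        # Detached: the .asc only covers the separate checksum file.
        detached)    gpg --verify "$1" "$2" && cp -- "$2" "$3" ;;
        *)           echo "unrecognised signature file: $1" >&2; return 1 ;;
    esac
}

# Check one ISO against a checksum list. Accepts "HASH  NAME" lines and
# BSD-style "SHA256 (NAME) = HASH" lines, the two forms sha256sum can write.
check_iso() {   # $1 = verified list, $2 = path to the ISO
    local name hash
    name=$(basename -- "$2")
    hash=$(awk -v f="$name" '
        $2 == f || $2 == "*" f            { print $1;  exit }
        $1 == "SHA256" && $2 == "(" f ")" { print $NF; exit }' "$1")
    [ -n "$hash" ] || { echo "no entry for $name" >&2; return 1; }
    (cd -- "$(dirname -- "$2")" &&
        printf '%s  %s\n' "$hash" "$name" | sha256sum -c - >/dev/null)
}

# Usage: verify-iso.sh sha256sum.txt.asc path/to/image.iso
if [ "$#" -eq 2 ]; then
    out=$(mktemp)
    verified_list "$1" "${1%.asc}" "$out" && check_iso "$out" "$2" && echo "OK: $2"
fi
```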
