Hi, I would like to verify
AlmaLinux-9-latest-x86_64-Live-GNOME.iso
(I had to take modify / butcher the links below because the forum will not allow me to post more than 2 URLs)
On:
How to download and write images
/LiveMedia.html#how-to-download-and-write-images
This page does not explain how to verify.
I know that the verification steps for each ISO are included in the Release notes BUT I cannot find the Release notes for AlmaLinux-9-latest-x86_64-Live-GNOME.iso
So I tried the verification steps in Release notes for Almaliux 9:
/release-notes/9.0.html#installation-instructions
This page says:
Download and import the AlmaLinux public key:
$ wget /almalinux/RPM-GPG-KEY-AlmaLinux-9
$ gpg --import RPM-GPG-KEY-AlmaLinux-9
Download and verify a checksums list:
$ wget almalinux/9.0/isos/x86_64/CHECKSUM
we are looking for “Good signature”
$ gpg --verify CHECKSUM
gpg: Signature made Wed 25 May 2022 11:08:37 PM UTC
gpg: using RSA key D36CB86CB86B3716
gpg: Good signature from “AlmaLinux OS 9 packager@almalinux.org” [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: BF18 AC28 7617 8908 D6E7 1267 D36C B86C B86B 3716
Verify the downloaded ISO image checksum:
calculate the downloaded ISO SHA256 checksum
$ sha256sum AlmaLinux-9.0-x86_64-boot.iso
c41ce7bc2f4ab27a3597b3e160fc8b01c56a6b58e1046a4a23b8518fb9e9a61f AlmaLinux-9.0-x86_64-boot.iso
compare it with expected checksum, it should be the same
$ cat CHECKSUM | grep -E ‘SHA256.*AlmaLinux-9.0-x86_64-boot.iso’
SHA256 (AlmaLinux-9.0-1-x86_64-boot.iso) = c41ce7bc2f4ab27a3597b3e160fc8b01c56a6b58e1046a4a23b8518fb9e9a61f
When I do the above:
wget /almalinux/RPM-GPG-KEY-AlmaLinux-9
This works fine
gpg --import RPM-GPG-KEY-AlmaLinux-9
Works fine
gpg --verify CHECKSUM
I get:
gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.
Please help.