How to fully verify iso download


When I try and post my issue below, the forum site says:
Sorry, new users can only put 2 links in a post.

I am not trying to put any links in the post, but the links in the text below are recognized as such, so I have to try and edit the links so they are not links. I tried to quote things but that didnt help.
I am replacing https:// with lala- but this did not help either. Really frustrating when one cant ask a question because the site limits them.
Anyways I will try editing things until I can post…

As per:
[Verify checksum signature] - Another post in this forum whose link I had to chop out.

I would like to verify the iso.
But I am getting stuck.
So far what I have done is:

  • Download the iso file: Rocky-8.4-x86_64-dvd1.iso

  • Download the CHECKSUM file

  • Put them in a separate folder

  • Run:

> gpg2 --keyserver lala-// --locate-keys ''

Which gives me:

gpg: key AA650F52D6C094FA: public key “Core Infrastructure” imported
gpg: Total number processed: 1
gpg: imported: 1
pub ed25519 2021-05-17 [SC] [expires: 2023-05-17]
uid [ unknown] Core Infrastructure
sub cv25519 2021-05-17 [E] [expires: 2023-05-17]

The next step is not documented (I cant find this in the forum nor the Download instructions) but I thought it should be:

gpg --verify CHECKSUM

But this gives me the error:

gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.

What should be the next steps to completely verify a download?

Thanks ahead of time…

Hi, I was aware of that page and had followed the instructions.
This page does not include the step to verify the file using the signature.
This page only shows how to compare the sha256 checksum of the iso with the checksum provided in the CHECKSUM file.
IMHO I dont think this page’s section should be called " Verifying the Installer ISO File" since it does not verify the file using signature.
I, like the post [Verify checksum signature] - Another post in this forum whose link I had to chop out, think it is important to verify as well.
I am afraid to post links here but if you look at most distro’s verification instructions, including eg AlmaLinux, they show how to get a signature and verify.


Based on the above, this works for me:

gpg2 --keyserver lala-// --locate-keys ''
gpg2 --verify CHECKSUM.sig CHECKSUM
1 Like

Thanks very much for that.
I will try it out in the next day or so.

1 Like

@ tjdoyle, that worked great, thanks very much for your help.

1 Like