How to verify 9.0 iso

Hi,

In the past, to verify e.g. the 8.5 ISO, I went to
https://download.rockylinux.org/pub/rocky/8.5/isos/x86_64/
and downloaded:

  • The ISO
  • CHECKSUM file
  • CHECKSUM.sig file

In:
https://download.rockylinux.org/pub/rocky/9.0/isos/x86_64/

I don't see a CHECKSUM.sig file.

What would be the procedure for verifying the 9.0 ISO?

Is the key required to verify the 9.0 ISO different than previous ISOs? If so, how to get this key?

Thanks ahead of time.

Well, the CHECKSUM file is there, so you will find the checksums in there to verify the ISOs with. The sig is only to verify that the actual CHECKSUM file is OK.

Hi @iwalker,

Thanks for your reply.

My understanding is that it is important to verify the CHECKSUM file.

Many distros provide instructions on how to verify using a signature.

E.g. Alma provides this in their 9.0 release notes:

Download and verify a checksums list:

$ gpg --verify CHECKSUM

Also other users of Rocky have asked how to do this for previous versions such as

And a solution was determined.

And the CHECKSUM.sig file was available for earlier versions of Rocky.

I am wondering why this file has not been made available for 9.0, and also why Rocky does not include verification instructions of the checksum file in release notes?

I’m sure someone from Infrastructure will see this and provide the checksum.sig shortly.

That would be great, thanks. I can certainly understand that not all files can be provided at first release and more time is needed. Thanks to the Rocky team for making 9.0 available :slight_smile:


All checksums will be here: GitHub - rocky-linux/checksums: Contains checksums of images, ISO's, and so on for Rocky Linux

The checksums will be here and committed by those of us with GPG keys that have rockylinux.org / resf.org email addresses. The reason why we don’t have CHECKSUM.sig anymore for 9 is because of the new build system and how keykeeper works. For security reasons, we decided that we wouldn’t allow signing files ad hoc outside of the build system and instead provide a git repo and a mirror of it with signed commits of the checksums.

There was another poster who actually brought this up initially since our website nor documentation pointed out the CHECKSUM.sig files to begin with. We ultimately decided that using a git repo (and linking it to our website’s download page, coming soon) would make a bit more sense.

While this is mostly for mirrors or those who are curious/explorers into the repository structure of Rocky Linux, we explain it a bit in our metadata README since we knew these questions would arise.

When we get 8 into the mix of the new build system, the same thing will likely occur where there is no longer CHECKSUM.sig files, but that is down the road.


@nazunalika ,

Thanks very much for responding to my post.

I am a retired engineer and just a happy home user of Rocky workstation, grateful to RESF, but I don’t have enough of a background in Linux to understand everything.

I have always pieced together download and verification procedures not by knowing the principles, but just by seeing how various distros do it.

So I would just like to indicate my understanding of how to verify in this case, and if you could please let me know if I am right or not, that would be much appreciated.

The checksums will be here and committed by those of us with GPG keys that have rockylinux.org / resf.org email addresses.

Since you have committed those checksums to github with GPG keys, I take it that means I do not have to verify the checksums myself?

I think this is maybe obvious but just to confirm - to download and verify Rocky 9 ISO:

  1. Download the ISO from
    https://rockylinux.org/download/
    or
    Index of /pub/rocky/9.0/isos/x86_64/

  2. Ignore the CHECKSUM file available at the above links since this file might not be signed/verified

  3. Go to
    GitHub - rocky-linux/checksums: Contains checksums of images, ISO's, and so on for Rocky Linux
    and find the checksum for the ISO that has been downloaded, since this checksum file is signed already

In my case I downloaded
Rocky-9.0-x86_64-dvd.iso
and found the checksum for it in:

  4. No need to worry about importing a signature and verifying the github checksum file since it is already signed as discussed.

  5. Run:
    sha256sum Rocky-9.0-x86_64-dvd.iso

  6. Compare the result of
    sha256sum Rocky-9.0-x86_64-dvd.iso
    against the checksum shown in
    9.0-x86_64.ISO.checksum file
    on github

Again, sorry if I am stating the extremely obvious, but I just want to make sure I fully understand. Please let me know if this is correct or not. Thanks again for your help.
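One way to automate the hashing and comparison steps above, as an added example that is not from this thread or from the Rocky project. It assumes the Rocky CHECKSUM lines use the BSD style `SHA256 (name) = hex` (and also accepts the `hex  name` lines that `sha256sum` prints); the ISO stand-in and checksum text in `demo()` are constructed, not real Rocky data.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Two line styles: BSD style ("SHA256 (name) = hex"), which the Rocky CHECKSUM
# files are assumed to use, and the GNU style that `sha256sum` prints.
BSD_LINE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<hex>[0-9a-fA-F]{64})$")
GNU_LINE = re.compile(r"^(?P<hex>[0-9a-fA-F]{64}) [ *](?P<name>\S.*)$")

def parse_checksums(text):
    """Map file name -> lowercase hex digest; '#' comment lines are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = BSD_LINE.match(line) or GNU_LINE.match(line)
        if m is None:
            raise ValueError("unrecognised checksum line: %r" % line)
        entries[m.group("name")] = m.group("hex").lower()
    return entries

def sha256_of_file(path, chunk=1 << 20):
    """Hash in 1 MiB chunks so a multi-GB DVD ISO is never read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_iso(iso_path, checksum_text):
    """Return (ok, reason): the ISO must be listed and its digest must match."""
    expected = parse_checksums(checksum_text).get(os.path.basename(iso_path))
    if expected is None:
        return False, "file not listed in checksum file"
    actual = sha256_of_file(iso_path)
    if not hmac.compare_digest(actual, expected):
        return False, "sha256 mismatch, got " + actual
    return True, "sha256 matches"

def demo():
    """Constructed stand-in ISO plus a good, a wrong and a missing entry."""
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "Rocky-9.0-x86_64-dvd.iso")
        with open(iso, "wb") as f:
            f.write(b"not a real iso\n" * 1000)
        good = "# constructed\nSHA256 (Rocky-9.0-x86_64-dvd.iso) = " + sha256_of_file(iso)
        wrong = "0" * 64 + "  Rocky-9.0-x86_64-dvd.iso"   # GNU style, bad digest
        missing = "SHA256 (other.iso) = " + "0" * 64
        return [verify_iso(iso, t) for t in (good, wrong, missing)]
```

Point `verify_iso` at the downloaded ISO and the text of the CHECKSUM file (or the matching file from the checksums repository) to get a pass/fail plus the reason.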

You don’t have to ignore the checksum file in the links actually. The checksum files are there for the users to validate what they’ve downloaded is correct, which is why we provide the links on the download page.

Where the repository comes in is for us to have a secondary spot where these checksums exist, so if a user is concerned or paranoid, they can check this repository, verify the signed commits and the checksums provided. For most users this won’t be necessary, but there are some folks who want to really double check what they’ve downloaded from us or a mirror to ensure image integrity.

Hi, for the past month or so I have been trying to figure out how to verify the signed commits and the checksums provided. TBH as a home user of Rocky, this is WAY above my pay grade :slight_smile: , experience and technical know-how of how to do this.

I am not making progress understanding things.

Any help with the following is much appreciated:

  1. If it is recommended with Rocky 9 to just download the checksum file from the download link and compare it against the checksum of the ISO, then why would there be a 2nd set of checksum files that are signed on github?

  2. Is it the position then of Rocky Linux that it is secure to just download the ISO and check its checksum against the checksum file, and that there is no need to verify the checksum file?

  3. Since it seems most distros do recommend verifying signed commits, and e.g. Alma Linux still recommends verifying release 9.0, what are the steps I would need to take to verify the signed commits?

Thanks ahead of time