The checksums will be here and committed by those of us with GPG keys that have rockylinux.org / resf.org email addresses. The reason why we don’t have CHECKSUM.sig anymore for 9 is because of the new build system and how keykeeper works. For security reasons, we decided that we wouldn’t allow signing files adhoc outside of the build system and instead provide a git repo and a mirror of it with signed commits of the checksums.
There was another poster who actually brought this up initially, since neither our website nor our documentation pointed out the CHECKSUM.sig files to begin with. We ultimately decided that using a git repo (and linking it to our website’s download page, coming soon) would make a bit more sense.
While this is mostly for mirrors or those who are curious/explorers into the repository structure of Rocky Linux, we explain it a bit in our metadata README since we knew these questions would arise.
When we get 8 into the mix of the new build system, the same thing will likely occur where there is no longer CHECKSUM.sig files, but that is down the road.
You don’t have to ignore the checksum file in the links actually. The checksum files are there for the users to validate what they’ve downloaded is correct, which is why we provide the links on the download page.
Where the repository comes in is for us to have a secondary spot where these checksums exist, so if a user is concerned or paranoid, they can check this repository, verify the signed commits and the checksums provided. For most users this won’t be necessary, but there are some folks who want to really double check what they’ve downloaded from us or a mirror to ensure image integrity.
Hi, for the past month or so I have been trying to figure out how to verify the signed commits and the checksums provided. TBH as a home user of Rocky, this is WAY above my pay grade, experience and technical know-how of how to do this.
I am not making progress understanding things.
Any help with the following is much appreciated:
If it is recommended with Rocky 9 to just download the checksum file from the download link and compare it against the checksum of the ISO, then why would there be a 2nd set of checksum files that are signed on github?
Is it the position then of Rocky Linux that it is secure to just download the ISO and check its checksum against the checksum file, and there is no need to verify the checksum file?
Since it seems most distros do recommend verifying signed commits, and e.g. Alma Linux still recommends verifying release 9.0, what are the steps I would need to take to verify the signed commits?
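As an added example (not code from the Rocky Linux project or from any poster in this thread), here is a POSIX shell script for the two checks asked about above: that the checksum repository's latest commit carries a valid signature from a key whose fingerprint you have pinned, and that the ISO's SHA-256 matches its entry in the CHECKSUM file. The repository URL, maintainer key fingerprint and file paths are placeholders, and handling both the BSD-style `SHA256 (name) = hex` line and the coreutils-style `hex  name` line is an assumption that goes slightly beyond what the thread describes.

```shell
#!/bin/sh
# Added example. Placeholders: <CHECKSUM_REPO>, <MAINTAINER_FINGERPRINT>,
# <path-to-CHECKSUM>. Assumed checksum line formats (either is accepted):
#   "SHA256 (Rocky-9.0-x86_64-dvd.iso) = <hex>"   BSD style
#   "<hex>  Rocky-9.0-x86_64-dvd.iso"             coreutils style

# Step 1: the latest commit of the cloned checksum repository must be validly
# signed by the pinned key. Import the maintainer key out of band beforehand;
# pinning the fingerprint stops "some key signed it" from being treated as "OK".
verify_checksum_commit() {
    repo_dir="$1"; fingerprint="$2"
    # --raw prints gpg status lines (to stderr); VALIDSIG lists the fingerprint
    # of the signing key and, when a subkey signed, the primary key as well.
    git -C "$repo_dir" verify-commit --raw HEAD 2>&1 |
        grep 'VALIDSIG' | grep -q "$fingerprint" || {
        echo "HEAD is not validly signed by $fingerprint" >&2; return 1; }
    echo "commit signature OK"
}

# Step 2: the ISO's SHA-256 must equal the entry for it in the checksum file.
verify_iso_checksum() {
    iso="$1"; checksum_file="$2"
    name=$(basename "$iso")
    # Pull the expected digest for this exact file name from either line format.
    expected=$(awk -v f="$name" '
        $1 == "SHA256" && $2 == "(" f ")" { print $4 }
        $2 == f && length($1) == 64       { print $1 }' "$checksum_file")
    [ -n "$expected" ] || {
        echo "no SHA256 entry for $name in $checksum_file" >&2; return 1; }
    actual=$(sha256sum "$iso" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] || {
        echo "checksum mismatch for $name" >&2; return 1; }
    echo "$name: OK"
}

# Usage (after: git clone <CHECKSUM_REPO> rocky-checksums; gpg --import <key>):
#   verify_checksum_commit rocky-checksums "<MAINTAINER_FINGERPRINT>" &&
#   verify_iso_checksum Rocky-9.0-x86_64-dvd.iso rocky-checksums/<path-to-CHECKSUM>
```

The signed commit only tells you the checksum file is the one the maintainers published; the second step is what ties that file to the ISO actually sitting on your disk.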