Verify checksum signature

Hey guise, I downloaded the torrent and there’s CHECKSUM{,.sig} in it. Verifying with sha256sum is easy, e.g. sha256sum -c CHECKSUM --ignore-missing :grinning_face_with_smiling_eyes:

So how about verifying the signature with gpg2? If I do gpg2 --verify CHECKSUM.sig CHECKSUM, I get Can't check signature: No public key. Of course it hasn’t been imported to my keyring yet, cus I couldn’t find it anywhere :face_with_raised_eyebrow:

It’s always a good idea to verify downloads, especially binaries. It’s quite nice that the torrent includes the required data, tyvm

You can download the Rocky Infrastructure key, which is used to sign the ISOs, from the mirrors.

I believe it is the one named RPM-GPG-KEY-rockyinfra.

Alternately, you can get the key from the openpgp keyserver.

Thank you. This worked: gpg2 --keyserver hkps://keys.openpgp.org --locate-keys 'infrastructure@rockylinux.org'

Rocky 8.5 is signed with 7051C470A929F454CEBE37B715AF5DAC6D745A60 from Release Engineering (infrastructure@rockylinux.org).

# gpg2 --verify CHECKSUM.sig 
gpg: assuming signed data in 'CHECKSUM'
gpg: Signature made 15.11.2021 (пн)  8:07:09 EET
gpg:                using RSA key 7051C470A929F454CEBE37B715AF5DAC6D745A60
gpg: Good signature from "Release Engineering <infrastructure@rockylinux.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7051 C470 A929 F454 CEBE  37B7 15AF 5DAC 6D74 5A60

# gpg2 --keyserver hkps://keys.openpgp.org --locate-keys 'infrastructure@rockylinux.org'
pub   rsa4096 2021-02-14 [SCE]
      7051C470A929F454CEBE37B715AF5DAC6D745A60
uid           [ unknown] Release Engineering <infrastructure@rockylinux.org>
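The "[unknown]" trust level and the "not certified" WARNING in the output above are acceptable precisely because the fingerprint is pinned: what matters is that the signature was made by the key with that exact fingerprint, not whether the key carries a trust signature in the local web of trust. The script below is an added example, not code from the thread or from the Rocky project. It fetches the key by its full fingerprint instead of by e-mail address, parses gpg's machine-readable --status-fd output for the VALIDSIG line instead of grepping "Good signature", and only then runs sha256sum over CHECKSUM. It assumes gpg2 and sha256sum are installed and that CHECKSUM and CHECKSUM.sig from the torrent sit in the current directory; the function names and the --run flag are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Rocky project.
# Assumes gpg2 and sha256sum are on PATH and that CHECKSUM and CHECKSUM.sig
# (from the torrent) are in the current directory.
set -eu

# Fingerprint of the Rocky 8.5 release signing key, as quoted in the thread.
EXPECTED_FPR="7051C470A929F454CEBE37B715AF5DAC6D745A60"

# Read "gpg --status-fd" lines on stdin and succeed only if some VALIDSIG
# line names the expected key. VALIDSIG is the machine-readable counterpart
# of "Good signature" and is emitted only for signatures that verified.
# Field layout after the "[GNUPG:] VALIDSIG" prefix: signing-key fpr, date,
# timestamp, expiry, version, reserved, pubkey algo, hash algo, sig class,
# then (GnuPG 2.x) the primary-key fingerprint.
validsig_matches() {
    expected="$1"
    matched=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                # Word-splitting the status line into positional fields is intended.
                set -- $line
                # Prefer the primary-key fingerprint (field 12); fall back to
                # the signing-key fingerprint (field 3) if gpg did not append one.
                if [ "${12:-$3}" = "$expected" ]; then
                    matched=0
                fi
                ;;
        esac
    done
    return $matched
}

verify_download() {
    # 1. Fetch by full fingerprint, not by e-mail address: a keyserver may
    #    return any key that claims the uid, but only one key has this fpr.
    gpg2 --keyserver hkps://keys.openpgp.org --recv-keys "$EXPECTED_FPR"

    # 2. Verify the detached signature. --status-fd 1 sends the
    #    machine-readable lines to stdout; the human-readable report
    #    (including the "not certified" WARNING) still goes to stderr.
    if ! gpg2 --status-fd 1 --verify CHECKSUM.sig CHECKSUM \
            | validsig_matches "$EXPECTED_FPR"; then
        echo "CHECKSUM is not signed by $EXPECTED_FPR; refusing to use it" >&2
        return 1
    fi

    # 3. Only now are the hashes listed in CHECKSUM worth trusting.
    sha256sum -c CHECKSUM --ignore-missing
}

# Run the full check only when invoked as: sh verify.sh --run
if [ "${1:-}" = "--run" ]; then
    verify_download
fi
```

Run it as `sh verify.sh --run` from the directory holding the torrent contents. Parsing VALIDSIG rather than the human-readable "Good signature" line matters because the latter is localised and does not carry the full fingerprint, whereas VALIDSIG is stable across locales and gpg versions and identifies the key unambiguously.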