Hey guys, I downloaded the torrent and there's CHECKSUM{,.sig} in it. Verifying with sha256sum is easy, e.g. sha256sum -c CHECKSUM --ignore-missing
So how about verifying the signature with gpg2? If I do gpg2 --verify CHECKSUM.sig CHECKSUM, I get "Can't check signature: No public key". Of course it hasn't been imported to my keyring yet, because I couldn't find it anywhere.
It's always a good idea to verify downloads, especially binaries. It's quite nice that the torrent includes the required data, thank you very much.
Rocky 8.5 is signed with 7051C470A929F454CEBE37B715AF5DAC6D745A60, from Release Engineering <infrastructure@rockylinux.org>.
# gpg2 --verify CHECKSUM.sig
gpg: assuming signed data in 'CHECKSUM'
gpg: Signature made 15.11.2021 (Mon) 8:07:09 EET
gpg: using RSA key 7051C470A929F454CEBE37B715AF5DAC6D745A60
gpg: Good signature from "Release Engineering <infrastructure@rockylinux.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7051 C470 A929 F454 CEBE 37B7 15AF 5DAC 6D74 5A60
# gpg2 --keyserver hkps://keys.openpgp.org --locate-keys 'infrastructure@rockylinux.org'
pub rsa4096 2021-02-14 [SCE]
7051C470A929F454CEBE37B715AF5DAC6D745A60
uid [ unknown] Release Engineering <infrastructure@rockylinux.org>
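The "This key is not certified with a trusted signature" / "[unknown]" warning in the output above is about the web of trust, not about the signature: gpg is saying that nothing in your keyring vouches for the key it just fetched. The check that actually matters is that the fingerprint on the signature matches one you obtained out of band, such as the one quoted in the reply above. The script below is an added example, not part of this thread or of Rocky Linux's own tooling: it runs gpg with --status-fd, refuses anything that is not a VALIDSIG from the pinned fingerprint, and only then runs the sha256sum pass. It assumes gpg (gpg2 on EL) and GNU coreutils sha256sum; the key name ROCKY_FPR and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread or Rocky Linux). "Good signature" alone
# only says that *some* key in the keyring signed the file; comparing the
# fingerprint to a value obtained out of band is what ties it to the release.

GPG=${GPG:-gpg}          # on EL, gpg and gpg2 are the same binary

# Fingerprint quoted in the thread for the Rocky Linux 8.5 release key.
ROCKY_FPR="7051C470A929F454CEBE37B715AF5DAC6D745A60"

# norm_fpr FPR: accept the value as gpg prints it (spaces, either case).
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# check_status EXPECTED_FPR STATUS_TEXT
# Decides on the machine-readable lines gpg writes to --status-fd. Succeeds
# only if a VALIDSIG line is present, no BADSIG/ERRSIG/NO_PUBKEY/EXPSIG/
# EXPKEYSIG/REVKEYSIG line is present, and the signing-key fingerprint
# (field 3) or the primary-key fingerprint (last field) equals EXPECTED_FPR.
check_status() {
    want=$(norm_fpr "$1")
    status=$2
    if printf '%s\n' "$status" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|NO_PUBKEY|EXPSIG|EXPKEYSIG|REVKEYSIG) '; then
        return 1
    fi
    printf '%s\n' "$status" | awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# verify_pinned EXPECTED_FPR SIGFILE DATAFILE
# Non-interactive gpg run: status lines go to stdout, the human-readable
# messages are discarded, and the decision is delegated to check_status.
verify_pinned() {
    status=$("$GPG" --batch --no-tty --status-fd 1 --verify "$2" "$3" 2>/dev/null) || :
    check_status "$1" "$status"
}

# import_pinned EXPECTED_FPR EMAIL
# Fetches the key the way the reply above does, then refuses to go on unless
# a key with exactly the pinned fingerprint is now in the keyring. Needs
# network access, so it is not exercised offline.
import_pinned() {
    want=$(norm_fpr "$1")
    "$GPG" --batch --keyserver hkps://keys.openpgp.org --locate-keys "$2" >/dev/null 2>&1 || :
    "$GPG" --batch --with-colons --list-keys "$want" 2>/dev/null |
        awk -F: -v want="$want" '$1 == "fpr" && $10 == want { found = 1 } END { exit (found ? 0 : 1) }'
}

# verify_release EXPECTED_FPR CHECKSUMFILE
# The procedure from the thread in the right order: signature over the
# checksum list first, then sha256sum over whatever ISOs are present.
verify_release() {
    verify_pinned "$1" "$2.sig" "$2" || { echo "signature check FAILED for $2" >&2; return 1; }
    sha256sum --ignore-missing -c "$2"
}

# Typical use, from the directory holding the torrent contents:
#   import_pinned "$ROCKY_FPR" infrastructure@rockylinux.org
#   verify_release "$ROCKY_FPR" CHECKSUM
```

Two caveats when using it: sha256sum --ignore-missing exits non-zero if none of the listed files is present, so a directory with only CHECKSUM in it fails rather than silently passing; and the fingerprint you pin must come from somewhere other than the keyserver you fetch from, otherwise the check only proves that the server gave you a self-consistent key.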