I followed the instructions here: http://fedoraproject.org/en/keys
as best I can -- and I wouldn't bother with it but I may want to do this again; so I'd like to figure it out.

I'm on CentOS 5.4, I imported the keys ok and when I do the rpm command this is what happens:
rpm {-K|--checksig} F12-Beta-x86_64-Live.iso
bash: --checksig}: command not found
RPM version 4.4.2.3

I did manage to get a sha256 sum of the iso, thusly:
sha256sum F12-Beta-x86_64-Live.iso
a03cde18f52d767b7542274294556da1d9a70c1e702a6664da 78fe805ea865fa F12-Beta-x86_64-Live.iso
but I have no place to confirm if it's valid ??:

When I did the gpg verify, this is what I get:
gpg --verify *-CHECKSUM
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: can't open `*-CHECKSUM'
gpg: verify signatures failed: file open error
I tried this the first time as my non-root user, and got the file open error so I su'd into root and it appeared to get farther, but still got an error.

When it originally imported the keys, the value matched for F12 (namely:
gpg: key 57BBCCBA: public key "Fedora (12) <fedora@fedoraproject.org>" imported)

I'm feeling pretty clueless, I'm just going to burn the CD but I'd like to know what I'm missing here? Mostly for future reference (and others who may have similar issues...) :confused:

If all you need to do is verify an image then please see section 3 --> http://www.centos.org/docs/5/html/CD_burning_howto.html

That doc is much cleaner.



BTW, usually when you see something like
rpm {-K|--checksig} PACKAGE_FILE ...
it means that -K and --checksig are the same thing one is just shorter than the other.
rpm -K PACKAGE_FILE ...

thanks Dies,

The CentOS instructions talk about an MD5 sum, which is fine, but I don't have an md5 sum of the original file to compare the results.

At any rate, the CD booted and now I'm off to post another message about the results (i.e. Anaconda crashed).

thanks Dies,

The CentOS instructions talk about an MD5 sum, which is fine, but I don't have an md5 sum of the original file to compare the results.


Your welcome. You can usually find those on the same server where you downloaded the iso, if you're paranoid grab the iso from one server and the hash from another.

For example, for Fedora 11:

http://fedora.secsup.org/linux/releases/11/Fedora/i386/iso/Fedora-11-i386-CHECKSUM
sha256sum /<path to Fedora 11 iso>

If you used bittorrent then not only will the CHECKSUM file be in the same folder, but the file would have been checked as it was downloaded by the client anyways.

Once you have the above-mentioned *-CHECKSUM file, you can simply type

sha256sum -c F12-Beta-x86_64-Live-CHECKSUM

and it will compare automatically against the sum listed in the file. Just make sure that the .iso and the -CHECKSUM file are in the same directory. I find this easier than looking at those long SHA256 strings.