我从 alt.fedoraproject.org 下载了一个 iso: https://download.fedoraproject.org/pub/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-netinst-x86_64-38-1.6.iso
然后是校验和和 gpg 信息(尝试将 gpg pub 密钥导入我的密钥环):
wget https://download.fedoraproject.org/pub/fedora/linux/releases/38/Everything/x86_64/iso/Fedora-Everything-38-1.6-x86_64-CHECKSUM | gpg2 --import
[...]
gpg: no valid OpenPGP data found.
gpg: Total number processed:
然后
#gpg2 --verify-files Fedora-Everything-38-1.6-x86_64-CHECKSUM
gpg: Signature made Friday 14 April 2023 07:55:46 AM +00
gpg: using RSA key 6A51BBABBA3D5467B6171221809A8D7CEB10B464
gpg: Can't check signature: No public key
该文件如下所示:
cat Fedora-Everything-38-1.6-x86_64-CHECKSUM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
# Fedora-Everything-netinst-x86_64-38-1.6.iso: 718284800 bytes
SHA256 (Fedora-Everything-netinst-x86_64-38-1.6.iso) = 4d042dedc8886856db10bc882074b84dcce52f829ea7b3f31d8031db8d84df20
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEalG7q7o9VGe2FxIhgJqNfOsQtGQFAmQ5BwIACgkQgJqNfOsQ
tGTtpA//cPYmUDm1wKUorqdheszMCC2vgPHb1Eldg+WS6Ltqk4c4w2PyIFI4SHZX
LEC9KDDeR3BKPFMxoH6I1+MZjvVNoIm02saVsQtwOohvO0fIifxPuO0R3qEJYmvq
DOHTUGjOXKoW8VYx5OHe/XMCHdxYwttOayr/Q08Pyxm4MF54KzcR+URxZ/qcmHZq
ypM/twbLQzRXTLc2us+OCtDMDaCYJTSyw+c2UNGJpvU2GbTUMWu+0NAVCp58Kxoi
Q90Gp9pmqTFVi1i5JtJVYhofpsBd5xIigGvetwnXcK5QOYm2MSQoi8lZTxvCOxIC
gviIEsG+G+G3gZmVmg1OGqpysd+9wF7TeB6v6fOBSPMk8lpYKVsMw2IdTmHUuJu5
iDGHV594JW1UaMoFhBt1BQHKAxtJ5UxYJXxy0bhjtsab3P2ralwfBaf55NcZX6kc
4UjRif952qvLj1xIBHY7BsKhzDX7ATvMwT8fa3v3K9Hzk0+cFqQepx5ijomU+M5P
RY9oY58Kk9AH98ePswKC5kgS8Fuwiq0aojRaDkotqyvS16TeUKKGARGQeFA8QGDo
alwkLE3QnDBbOSoid9xOktwUQA6C9nY5b3GJvqnTJfX1uHRgbkFqyy9kXUNq+ryM
no3WZeGWB4BPxpZuGx4zhpqOHfin++VIlojySEiOUwDuCgyP1Uw=
=H199
-----END PGP SIGNATURE-----
shasum 验证工作正常,因此完整性没问题,但我仍然需要验证 iso 文件。
所以我尝试:
$:gpg2 -v --recv-keys 6A51BBABBA3D5467B6171221809A8D7CEB10B464
gpg: no running Dirmngr - starting '/usr/bin/dirmngr'
gpg: waiting for the dirmngr to come up ... (5s)
gpg: connection to dirmngr established
gpg: data source: https://keys.openpgp.org:443
gpg: armor header: Comment: 6A51 BBAB BA3D 5467 B617 1221 809A 8D7C EB10 B464
gpg: pub rsa4096/809A8D7CEB10B464 2022-02-08
gpg: key 809A8D7CEB10B464: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg: w/o user IDs: 1
没有 UID 的钥匙有什么价值?
我该如何验证我下载的文件?
谢谢大家!