The basic idea for downloading a CentOS 7 installation image in a secure way is this:
- Download the CentOS public key from a public keyserver.
- By using that key you can verify the signature of the checksum file of the CentOS ISO image.
- With the checksum file you check the downloaded ISO image to see if it is the original file and has not been changed or tampered with.
[CentOS Public Key] -> [Signature of checksum file] -> [ISO image]
Here are the steps to take:
0. Most important: Make sure to follow this procedure on a computer that is secure and that you fully trust. Otherwise all of the following steps are pretty much useless.
1. Download the CentOS 7 public key:
gpg --search-keys --keyserver-options proxy-server=http://proxy.local.example:8080 F4A80EB5
(or without using a proxy server: gpg --search-keys F4A80EB5)
Accept the key by typing "1". If no key was found, try a specific keyserver with the "--keyserver" option. By default gpg uses "keys.gnupg.net".
Make sure the key has really been imported into your public gpg keyring:
gpg --fingerprint -k
The "--fingerprint" option shows the fingerprint of the key you just imported. Compare it with the fingerprint on the official CentOS website: https://www.centos.org/keys/
Make sure to double-check the SSL certificate of that website in your browser.
2. Download the checksum file for the DVD image. It contains checksums for a large variety of CentOS ISO images:
Check the signature on the checksum file (a good signature from the key imported in step 1 means the checksums are the ones CentOS published):
gpg --verify sha256sum.txt.asc
3. Check the downloaded ISO image file against the signed checksum file (same file name as in step 2):
sha256sum -c sha256sum.txt.asc
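The three checks above, as an added example in the form of a small POSIX shell script (not the page's own commands). It assumes gpg and GNU coreutils (sha256sum, awk, basename, mktemp) are on PATH and that the CentOS key was imported and its fingerprint compared as in step 1; the function names are this example's own. The checksum step looks up only the one ISO you downloaded instead of feeding the whole file to "sha256sum -c", which otherwise reports every other image listed in the file as missing and complains about the PGP armor lines. Without arguments the script runs an offline demonstration on a constructed checksum file and a constructed stand-in for the ISO, including a tampered copy.

```shell
#!/bin/sh
# Added example, not the page's own commands: the checks from steps 2 and 3
# as shell functions. Assumes gpg and GNU coreutils are on PATH and that the
# CentOS key was imported and its fingerprint verified as in step 1.
# Function names are this example's own.

# Step 2: the signature on the checksum file. gpg exits non-zero when the
# signature is bad or when the signing key is not in the local keyring, so
# a zero exit means "signed by a key you already imported and verified".
verify_checksum_signature() {
    gpg --verify "$1"
}

# Look up the expected digest for one ISO name in the clearsigned file.
# Only lines shaped like "<64 hex chars>  <file name>" are considered, so the
# PGP armor and "Hash:" header lines are skipped without editing the signed file.
expected_sha256() {
    checksum_file=$1
    iso_name=$2
    awk -v name="$iso_name" \
        'length($1) == 64 && $1 ~ /^[0-9a-f]+$/ && $2 == name { print $1; exit }' \
        "$checksum_file"
}

# Step 3: compare the expected digest with the digest of the local file.
# Returns 0 on match, 1 on mismatch, 2 when the file is not listed at all
# (a renamed or unexpected image must not pass silently).
verify_iso_checksum() {
    checksum_file=$1
    iso_file=$2
    expected=$(expected_sha256 "$checksum_file" "$(basename "$iso_file")")
    if [ -z "$expected" ]; then
        echo "$iso_file: no entry in $checksum_file" >&2
        return 2
    fi
    actual=$(sha256sum "$iso_file" | awk '{ print $1 }')
    if [ "$expected" = "$actual" ]; then
        echo "$iso_file: OK"
        return 0
    fi
    echo "$iso_file: FAILED (expected $expected, got $actual)" >&2
    return 1
}

# Offline demonstration with a constructed checksum file and a constructed
# "ISO" (no real image, no network, no gpg): the untouched file passes, the
# copy with one byte appended fails.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed payload standing in for an ISO\n' > "$tmp/example.iso"
    digest=$(sha256sum "$tmp/example.iso" | awk '{ print $1 }')
    {
        printf '%s\n' '-----BEGIN PGP SIGNED MESSAGE-----' 'Hash: SHA256' ''
        printf '%s  example.iso\n' "$digest"
        printf '%s\n' '-----BEGIN PGP SIGNATURE-----' '(constructed, not a real signature)' '-----END PGP SIGNATURE-----'
    } > "$tmp/sha256sum.txt.asc"
    verify_iso_checksum "$tmp/sha256sum.txt.asc" "$tmp/example.iso"
    printf 'x' >> "$tmp/example.iso"   # one appended byte = tampered image
    verify_iso_checksum "$tmp/sha256sum.txt.asc" "$tmp/example.iso" || echo "tampering detected as expected"
    rm -rf "$tmp"
}

# Real use: ./verify-centos.sh sha256sum.txt.asc <downloaded image>.iso
# Without arguments the offline demonstration runs instead.
if [ $# -eq 2 ]; then
    verify_checksum_signature "$1" && verify_iso_checksum "$1" "$2"
else
    demo
fi
```

Note that a zero exit from "gpg --verify" only proves the file was signed by some key in your keyring; the check only means anything because step 1 compared that key's fingerprint against the CentOS website before it was trusted for this purpose.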