The basic idea for downloading a CentOS 7 installation image in a secure way is this:
- Download the CentOS public key from a public keyserver.
- Using that key, verify the signature on the checksum file of the CentOS ISO image.
- With the verified checksum file, check the downloaded ISO image to see whether it is the original file and has not been changed or tampered with.
Here are the steps to take:
0. Most important: Make sure to follow this procedure on a computer that is secure and that you fully trust. Otherwise all of the following steps are pretty much useless.
1. Download the CentOS 7 public key:
gpg --search-keys --keyserver-options http-proxy=http://proxy.local.example:8080 F4A80EB5
(or without using a proxy server: gpg --search-keys F4A80EB5)
Accept the key by typing "1". If no key was found, try a specific keyserver with the "--keyserver" option. By default gpg uses "keys.gnupg.net".
Make sure the key has really been imported into your public gpg keyring:
gpg --fingerprint -k
The "--fingerprint" option shows the fingerprint of the just imported key. Compare it with the fingerprint on the official CentOS website: https://www.centos.org/keys/
Make sure to double check the SSL certificate of that website in your browser.
2. Download the checksum file for the DVD image. It contains checksums for a large variety of CentOS ISO images:
Check the validity of the checksum file:
gpg --verify sha256sum.txt.asc
3. Check the validity of the downloaded ISO image file:
sha256sum -c sha256sum.txt.asc
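The steps above, put together as one script. This is an added example, not part of the original text or of CentOS's own tooling. It assumes gpg and coreutils sha256sum are installed, uses the non-interactive "--recv-keys" in place of "--search-keys", and leaves EXPECTED_FPR as a placeholder you fill in from https://www.centos.org/keys/. It checks only the line for the ISO you downloaded, so the other images listed in sha256sum.txt.asc are not reported as missing files.

```shell
#!/bin/sh
# Verify a CentOS 7 ISO: key fingerprint -> signed checksum list -> ISO hash.
set -eu

KEY_ID="F4A80EB5"
# Placeholder: copy the fingerprint from https://www.centos.org/keys/ (not from this script).
EXPECTED_FPR="${EXPECTED_FPR:-REPLACE_WITH_FINGERPRINT_FROM_CENTOS_KEYS_PAGE}"

# Normalise a fingerprint (drop spaces, upper-case) so copy/paste spacing does not matter.
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'; }

# Return 0 only if both fingerprints are identical after normalisation.
fingerprint_matches() { [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ]; }

# Print the primary-key fingerprint gpg holds for a key id (machine-readable "fpr" record).
key_fingerprint() {
  gpg --with-colons --fingerprint "$1" 2>/dev/null | awk -F: '$1=="fpr"{print $10; exit}'
}

# Check one ISO against a checksum list: only its own line is fed to sha256sum,
# so the many other ISOs in the list do not produce "No such file" failures.
# Run from the directory that contains the ISO. $1 = checksum file, $2 = ISO filename.
check_iso() {
  grep -E "[ *]$2\$" "$1" | sha256sum -c - >/dev/null 2>&1
}

# Full procedure. $1 = sha256sum.txt.asc, $2 = ISO filename.
verify_centos_iso() {
  gpg --recv-keys "$KEY_ID"                      # step 1: import the CentOS key
  actual=$(key_fingerprint "$KEY_ID")
  fingerprint_matches "$actual" "$EXPECTED_FPR" || {
    echo "fingerprint mismatch: got $actual" >&2; return 1; }
  gpg --verify "$1" || return 1                  # step 2: signature on the checksum list
  check_iso "$1" "$2"                            # step 3: hash of the ISO itself
}

if [ "$#" -eq 2 ]; then verify_centos_iso "$1" "$2"; fi
```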