Unable to verify signature on Almalinux 9

I’m getting a “Bad signature” when trying to verify alma9 checksums.
Is there any problem with the checksum files?

Followed instructions here: Generic Cloud (cloud-init) | AlmaLinux Wiki

$ gpg --verify CHECKSUM.asc CHECKSUM
gpg: Signature made mié 02 nov 2022 18:08:28 CET
gpg: using RSA key BF18AC2876178908D6E71267D36CB86CB86B3716
gpg: BAD signature from “AlmaLinux OS 9 packager@almalinux.org” [unknown]

are you trying to verify the cloud image or the live or iso image?

Trying the cloud image

this now works - CHECKSUM sync issue or something:

curl -s https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-9 -O

gpg --with-subkey-fingerprints RPM-GPG-KEY-AlmaLinux-9

gpg --import RPM-GPG-KEY-AlmaLinux-9

curl -s https://repo.almalinux.org/almalinux/9/cloud/x86_64/images/CHECKSUM -O

curl -s https://repo.almalinux.org/almalinux/9/cloud/x86_64/images/CHECKSUM.asc -O

gpg --verify CHECKSUM.asc CHECKSUM

curl -s https://repo.almalinux.org/almalinux/9/cloud/x86_64/images/AlmaLinux-9-GenericCloud-latest.x86_64.qcow2 -O

sha256sum -c CHECKSUM 2>&1 | grep OK

Thanks! Issue resolved. The new signature works as expected

1 Like