I have a requirement to verify the RPM GPG Key fingerprint, but cannot find it anywhere online. I just need something like RedHat provides here -> https://access.redhat.com/security/team/key
I am running the command below to obtain the fingerprint from the RPM GPG key. Where is the webpage or resource to verify that "Yes! This is the correct key"?
```
gpg -q --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2
pub 4096R/C87F5B1A 2017-06-07 Amazon Linux <amazon-linux@amazon.com>
Key fingerprint = 99E6 17FE 5DB5 27C0 D8BD 5F8E 11CF 1F95 C87F 5B1A
```
Can you provide an example of what RPM you are trying to verify?
@jhmartin1 I'm trying to verify the RPM GPG Key itself on Amazon Linux 2 located here -> /etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2
I was going to suggest using the web-of-trust starting from the AWS Security PGP key at https://aws.amazon.com/security/aws-pgp-public-key/ , but that key isn't the same aws-security pgp key that signed the RPM key https://pgpkeys.mit.edu/pks/lookup?op=vindex&search=0x11CF1F95C87F5B1A . Unfortunate.
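
The two checks discussed in this thread (comparing the fingerprint with a value obtained independently of the key file, and looking for a certification from a key you already trust) can be scripted over gpg's colon-delimited output. This is an added example, not code from any poster or from Amazon; the function names are hypothetical, and the sample records are constructed from the key ID and fingerprint quoted above plus made-up signer IDs.

```shell
#!/bin/sh
# Input on stdin: output of `gpg --with-colons --check-sigs <keyid>` for a key
# imported into a scratch keyring. --check-sigs marks a signature "!" only when
# the signer's public key is present and the signature verifies.

# Constructed sample. pub/fpr values are the ones quoted in the thread; the
# AAAA.../BBBB... signer IDs and all timestamps are made up for illustration.
SAMPLE_COLONS='pub:-:4096:1:11CF1F95C87F5B1A:1496793600:::-:::scSC:
fpr:::::::::99E617FE5DB527C0D8BD5F8E11CF1F95C87F5B1A:
uid:-::::1496793600::::Amazon Linux <amazon-linux@amazon.com>:
sig:!::1:11CF1F95C87F5B1A:1496793600::::Amazon Linux <amazon-linux@amazon.com>:13x:
sig:!::1:AAAAAAAAAAAAAAAA:1496793600::::Constructed Signer:10x:
sig:?::1:BBBBBBBBBBBBBBBB:1496793600::::[User ID not found]:10x:'

# Strip spaces/colons and uppercase, so "99E6 17FE ..." compares equal to gpg's form.
normalize_hex() {
  printf '%s' "$1" | tr -d ' :' | tr '[:lower:]' '[:upper:]'
}

# The first fpr record belongs to the primary key; field 10 holds the fingerprint.
primary_fpr() {
  awk -F: '!seen && $1 == "fpr" { print $10; seen = 1 }'
}

# Key IDs (field 5) of signatures that verified ("!" in field 2), minus self-signatures.
certifiers() {
  awk -F: '$1 == "pub" { self = $5 }
           $1 == "sig" && $5 != self && substr($2, 1, 1) == "!" { print $5 }' | sort -u
}

# usage: check_key <expected fingerprint> <trusted signer key ID> < colon-output
# returns 0 = match and certified, 1 = fingerprint mismatch, 2 = match but not certified
check_key() {
  ck_in=$(cat)
  ck_actual=$(printf '%s\n' "$ck_in" | primary_fpr)
  if [ -z "$ck_actual" ] || [ "$ck_actual" != "$(normalize_hex "$1")" ]; then
    echo "fingerprint mismatch"; return 1
  fi
  if printf '%s\n' "$ck_in" | certifiers | grep -qx "$(normalize_hex "$2")"; then
    echo "fingerprint ok, verified certification from trusted key"
  else
    echo "fingerprint ok, no verified certification from trusted key"; return 2
  fi
}

# Demo on the constructed sample (expected fingerprint typed with spaces, as gpg prints it).
printf '%s\n' "$SAMPLE_COLONS" |
  check_key "99E6 17FE 5DB5 27C0 D8BD 5F8E 11CF 1F95 C87F 5B1A" AAAAAAAAAAAAAAAA
```

The expected fingerprint only adds assurance if it reaches you through a channel that does not depend on the key file being checked.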