Oracle Linux Products Authenticity Verification

About Verifying Oracle Linux ISO Downloads

You can verify Oracle Linux ISO files to establish their integrity and ensure that they were downloaded without any corruption or external interference.
This page describes the steps to verify both of these things regardless of the original download source.

Steps to Verify Oracle Linux Downloads

To verify a downloaded Oracle Linux ISO, you need:

A checksum file corresponding to the ISO file you downloaded
The public GPG key to verify the checksum file signature

The checksum file contains a list of files that are part of a download package with the corresponding checksums as well as a GPG signature. The GPG signature enables anyone to verify that checksum file was published by Oracle. The steps below describe how to verify the checksum file itself and then verify the contents of the Oracle Linux ISO you downloaded by checking it against the checksum file.

Import an Oracle Linux GPG key

You can download and import an Oracle Linux GPG key in a single step. For example, to download and import the Oracle Linux 9 GPG key, run the following command:

# curl https://yum.oracle.com/RPM-GPG-KEY-oracle-ol9 | gpg --import

For more information, and download links for other Oracle Linux release keys, see the "Oracle Linux GPG Keys" section below.

Download and Verify a Checksum File

Download the appropriate checksum file and place it in the same directory as the Oracle Linux download.
Use the "gpg --verify" command to establish the integrity of the checksum file. For example, to verify the checksum file for Oracle Linux 8, use the following command:

# gpg --verify OracleLinux-R8-U1-Server-x86_64.checksum

Verify the Downloaded ISO file

Use the "sha256sum -c" command to verify the ISO checksum for the corresponding entry in the release checksum file.
For example, to verify Oracle Linux 8 ISO file integrity, use the following command:

# grep OracleLinux-R8-U1-Server-x86_64.iso OracleLinux-R8-U1-Server-x86_64.checksum | sha256sum -c

Oracle Linux Releases and Checksum Files

The following list provides links to checksum files based on Oracle Linux Release and available architecture.

Oracle Linux 10

Oracle Linux 9

Oracle Linux 8

Oracle Linux 7

Oracle Linux 6

You can also verify ISO images and RPM packages for older Oracle Linux releases. For more information, see the checksum archive list page.

Verifying RPM Packages

YUM and DNF package management systems uses the "gpgcheck=1" configuration option to perform package signature verification when installing a package.
Oracle Linux repository configuration files from /etc/yum.repos.d folder and the main /etc/yum.conf or /etc/dnf.conf file have this option enabled by default.
Note: The command line option "--nogpgcheck" allows you to disable signature verification if it is not needed.

If RPM GPG key is not yet available in the rpm keys database, "yum" or "dnf" utilities, when installing a package, will propose to import a key by defining the "gpgkey=URI" parameter in the repository configuration.
Official Oracle Linux release repositories reference to the local RPM GPG key file available with the distribution and stored in /etc/pki/rpm-gpg folder (for example, /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle),
but in some cases, the repository "gpgkey" parameter may also point to a remote web link.

Packages from "Developer" or "Technology Preview" repository channels are signed with Oracle Linux Development Keys.
To install packages from those channels, when package verification is enabled on the system, the system administrator must download and import the corresponding Development GPG key by using the "rpm --import " command.

You can verify the oracle Linux RPM package signature using the "rpm" command line tool.
For example, to verify the package file signature against the imported GPG key, use command:

# rpm -K oraclelinux-release-8.9-1.0.8.el8.x86_64.rpm
oraclelinux-release-8.9-1.0.8.el8.x86_64.rpm: digests signatures OK

Output "SIGNATURES NOT OK" means gpg key is not available for the system and need to be imported first.
The command to import new key to the rpm keys database is, for example:

# sudo rpm --import RPM-GPG-KEY-oracle-ol9

The command to return list of imported keys to the rpm keys database is:

# rpm -qa | grep gpg-pubkey*

In order to review imported key information use command below, for example:

# rpm -qi gpg-pubkey-8d8b756f-629e59ec

To remove a specific imported key from the rpm database run the following command, for example:

# sudo rpm -e gpg-pubkey-8d8b756f-629e59ec

Oracle Linux GPG keys

The following keys are currently in use by the Oracle Linux project.
To verify the GPG key fingerprint matches the Oracle Linux key, use the "gpg" command.
For example, to review the downloaded GPG key fingerprint, use the following commands:

Download the GPG key file:

# curl  https://yum.oracle.com/RPM-GPG-KEY-oracle-ol6 -o RPM-GPG-KEY-oracle

Review the downloaded GPG key fingerprint:

Oracle Linux 6/7:

# gpg --quiet --with-fingerprint RPM-GPG-KEY-oracle

Oracle Linux 8/9:

# gpg --show-keys --with-fingerprint RPM-GPG-KEY-oracle

Release GPG Signing Keys

This release GPG key is used for signing Oracle Linux products.
The default location for Oracle Linux GPG key is /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle.

Each Oracle Linux release has its own GPG key, public available at the following links:

Oracle Linux 6 and Oracle Linux 7

pub   rsa2048/0x72F97B74EC551F03 2010-07-01 [SC] [expires: 2030-12-31]
      Key fingerprint = 4214 4123 FECF C55B 9086  313D 72F9 7B74 EC55 1F03
uid                             Oracle OSS group (Open Source Software group) <build@oss.oracle.com>

Oracle Linux 8

pub   rsa4096/0x82562EA9AD986DA3 2019-04-09 [SC] [expires: 2039-04-04]
      Key fingerprint = 76FD 3DB1 3AB6 7410 B89D  B10E 8256 2EA9 AD98 6DA3
uid                             Oracle OSS group (Open Source Software group) <build@oss.oracle.com>
sub   rsa4096/0x222F15DFD95DC12B 2019-04-09 [E] [expires: 2039-04-04]

Oracle Linux 9 and Oracle Linux 10

pub   rsa4096/0xBC4D06A08D8B756F 2022-01-19 [SC] [expires: 2042-01-14]
      Key fingerprint = 3E6D 826D 3FBA B389 C2F3  8E34 BC4D 06A0 8D8B 756F
uid                             Oracle Linux (release key 1) <secalert_us@oracle.com>
sub   rsa4096/0xCEA2C8752E708C25 2022-01-19 [E] [expires: 2041-06-01]
pub   rsa4096/0xA7DD07088B4EFBE6 2022-01-19 [SC] [expires: 2042-01-14]
      Key fingerprint = 9822 3175 9C74 6706 5D0C  E9B2 A7DD 0708 8B4E FBE6
uid                             Oracle Linux (backup key 1) <secalert_us@oracle.com>
sub   rsa4096/0x16E38751DA900791 2022-01-19 [E] [expires: 2041-06-02]

Development GPG Signing Keys

Oracle Development GPG signing keys are not locally available on the installed Oracle Linux systems.
In order to validate package signatures generated with development keys, the system administrator must download and import the development keys manually by using the command:

# sudo rpm --import https://yum.oracle.com/RPM-GPG-KEY-oracle-development

Package management dnf or yum systems may also use *.repo configuration file for importing GPG key from URL.
A custom configuration file can be created for the development repository with "gpgkey=URI" parameter where URI references to the downloaded local public key file or to the remote GPG key file web link, for example:

[ol_developer_repository]
name=Oracle Linux Developer Repository
baseurl=
gpgkey=https://yum.oracle.com/RPM-GPG-KEY-oracle-development
...

When installing a package from this repository, GPG key from gpgkey URI will be proposed for importing in the system rpm keys database.

This key used for signing Oracle Linux Technology Preview products is public available at the following link:

Oracle Linux Development

pub   rsa4096/0xE4A8134ED3780CDA 2022-01-19 [SC] [expires: 2042-01-14]
      Key fingerprint = 4901 48F5 9775 0B1C BAD7  2DE9 E4A8 134E D378 0CDA
uid                             Oracle Linux (development key 1) <secalert_us@oracle.com>
sub   rsa4096/0xF9E8B0096FF0485C 2022-01-19 [E] [expires: 2041-06-02]