Appendix: Validating ClusterWare ISOs

To validate a downloaded Scyld ClusterWare ISO file, first import the GPG key that was used to sign the RPMs and ISOs:

curl -sSL https://updates.penguincomputing.com/RPM-GPG-KEY-PenguinComputing | gpg --import -

Then download the CHECKSUM.asc file from the repo, e.g.:

wget https://<AUTHENTICATION_TOKEN>@updates.penguincomputing.com/clusterware/11/el7/iso/CHECKSUM.asc

and verify the CHECKSUM.asc file:

[admin@head]$ gpg --verify CHECKSUM.asc
gpg: Signature made Mon 07 Feb 2022 07:16:15 PM UTC using DSA key ID 0A1E1108
gpg: Good signature from "Penguin Computing <support@penguincomputing.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: AEFA 2C55 EB4A 88EF BE71  022B 0722 4B0A 0A1E 1108

Confirm that the downloaded ISO is named in CHECKSUM.asc. For example, for clusterware-11.6.0-g0000.el7.x86_64.iso:

grep clusterware-11.6.0-g0000.el7.x86_64.iso CHECKSUM.asc

should find the ISO. Now compare the checksum of the downloaded ISO with the checksum listed for that ISO in CHECKSUM.asc:

diff <(sha256sum clusterware-11.6.0-g0000.el7.x86_64.iso) \
     <(grep      clusterware-11.6.0-g0000.el7.x86_64.iso CHECKSUM.asc)

and expect to see no differences.
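
The steps above as one script, with two extra checks; this is an added example, not Penguin Computing's own tooling. It assumes CHECKSUM.asc is a clearsigned list of sha256sum-format lines, pins the signer to the fingerprint shown in the gpg output above (the WARNING there means gpg itself has no trust path to the key), and reads checksums only from the signed payload, matching the ISO file name exactly rather than by grep pattern. The function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: CHECKSUM.asc is clearsigned, sha256sum-format lines.

# Primary key fingerprint printed by `gpg --verify` on this page, spaces removed.
EXPECTED_FPR="AEFA2C55EB4A88EFBE71022B07224B0A0A1E1108"

# Read `gpg --status-fd` output on stdin and print the primary-key fingerprint
# (last field of the VALIDSIG line). Fails unless exactly one VALIDSIG is seen.
validsig_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; n++ }
         END { exit (n == 1) ? 0 : 1 }'
}

# Write only the signed payload of $1 to $2, and keep it only if the signer is
# EXPECTED_FPR. Text outside the signed region of the .asc never reaches $2.
extract_signed_checksums() (
    status=$(gpg --batch --yes --status-fd 1 --output "$2" --decrypt "$1" 2>/dev/null) &&
    fpr=$(printf '%s\n' "$status" | validsig_fpr) &&
    [ "$fpr" = "$EXPECTED_FPR" ] && exit 0
    rm -f "$2"
    exit 1
)

# Succeed only if checksum list $1 has exactly one entry whose file name equals
# the name of ISO $2 (string equality, not a regex or substring match) and that
# entry's hash equals the ISO's SHA-256.
check_iso() (
    name=$(basename "$2")
    want=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) }
                             f == n { print $1; c++ }
                             END { exit (c == 1) ? 0 : 1 }' "$1") || exit 1
    have=$(sha256sum "$2" | awk '{ print $1 }')
    [ -n "$have" ] && [ "$want" = "$have" ]
)

# Full check: signature and signer first, then the ISO hash.
validate_iso() (
    sums=$(mktemp) || exit 1
    trap 'rm -f "$sums"' EXIT
    extract_signed_checksums "$1" "$sums" && check_iso "$sums" "$2"
)

# Usage: sh validate_iso.sh CHECKSUM.asc clusterware-11.6.0-g0000.el7.x86_64.iso
if [ "$#" -eq 2 ]; then
    if validate_iso "$1" "$2"; then echo "OK: $2"; else echo "FAILED: $2" >&2; exit 1; fi
fi
```

The key must already be imported as in the first step; a missing key, a bad signature, or a different signer all make the script fail before any checksum is compared.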