You are correct that AWS doesn't provide a dedicated security key page identical to RedHat's. However, the official fingerprint for the Amazon Linux 2 key is documented in the Amazon Linux 2 FAQs.
Under the "Package Security" section:
- Key ID: C87F5B1A
- Fingerprint: 99E6 17FE 5DB5 27C0 D8BD 5F8E 11CF 1F95 C87F 5B1A
If you want to verify the key's integrity against the source during an automated build or audit, you can use this one-liner to fetch and check the fingerprint directly from the Amazon repo:
curl -s https://amazonlinux-2-repos-us-east-1.s3.dualstack.us-east-1.amazonaws.com/RPM-GPG-KEY-amazon-linux-2 | gpg --import --import-options show-only --with-fingerprint
This confirms the key you have in /etc/pki/rpm-gpg/ is legitimate.
This matches the output of your gpg command exactly. For additional peace of mind, you can also pull the key directly from the official AWS S3 repository via HTTPS to verify it hasn't been tampered with locally. However, the official fingerprint for the Amazon Linux 2 key is documented in the Amazon Linux 2 FAQs under the 'Package Security' section -> https://aws.amazon.com/amazon-linux-2/faqs/ .
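For an automated build or audit, the comparison can be scripted instead of read by eye. The following is an added example, not part of the original answers: it pins the fingerprint quoted above and checks a key file against it. The function names are hypothetical, and it assumes a GnuPG version that supports the same `--import-options show-only` option used in the one-liner above.

```shell
#!/bin/sh
# Added example, not from the original answer. Function names are hypothetical.
# Fingerprint as quoted above from the Amazon Linux 2 FAQs.
EXPECTED_FPR='99E6 17FE 5DB5 27C0 D8BD 5F8E 11CF 1F95 C87F 5B1A'

# Constructed sample of `gpg --with-colons` output (fields other than the
# key ID and fingerprint are placeholders), used for offline checks.
SAMPLE_COLONS='pub:-:0:1:11CF1F95C87F5B1A:0:::-:
fpr:::::::::99E617FE5DB527C0D8BD5F8E11CF1F95C87F5B1A:'

# Strip whitespace and uppercase so "99E6 17FE ..." compares equal to gpg's form.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Read a colon-format key listing on stdin.
# Exit 0: exactly one primary key and its fingerprint matches.
# Exit 1: fingerprint mismatch. Exit 2: zero or several primary keys.
check_colons() {
    awk -F: -v want="$(normalize_fpr "$EXPECTED_FPR")" '
        $1 == "pub" { pubs++ }
        $1 == "fpr" && !got { got = toupper($10) }
        END {
            if (pubs != 1) { print "expected 1 primary key, found " (pubs + 0); exit 2 }
            if (got != want) { print "MISMATCH: " got; exit 1 }
            print "OK: " got
        }'
}

# Inspect a key file without importing it, then compare its fingerprint.
verify_key_file() {
    [ -r "$1" ] || { echo "cannot read $1"; return 2; }
    gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null | check_colons
}

# Usage: sh verify-key.sh /etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2
if [ "$#" -gt 0 ]; then verify_key_file "$1"; fi
```

A non-zero exit status can fail the build step; status 2 also covers a key file that bundles more than one primary key, which a visual check of the first fingerprint would miss.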

Can you provide an example of what RPM you are trying to verify?
@jhmartin1 I'm trying to verify the RPM GPG Key itself on Amazon Linux 2 located here -> /etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2
I was going to suggest using the web-of-trust starting from the AWS Security PGP key at https://aws.amazon.com/security/aws-pgp-public-key/ , but that key isn't the same aws-security pgp key that signed the RPM key https://pgpkeys.mit.edu/pks/lookup?op=vindex&search=0x11CF1F95C87F5B1A . Unfortunate.