Validation of the package
When we install the rpm package, we need to check whether it has been altered by serialization, etc. Whether there is a signature -
K
package source validity verification and integrity verification
Integrity verification: SHA256
source legality verification: RSA
public key encryption
Symmetric encryption: use the same key for encryption and
decryption Asymmetric encryption: the key is a pair of
public key: public key, public to everyone
secret key: private key, the public key
required for import cannot be publicly imported
rpm -K|checksig rpmfile check Package integrity and signature
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
CentOS 7 distribution CD provided: RPM-GPG-KEY-CentOS-7
rpm -qa "gpg- pubkey*"
If you don't want to verify the package when you install the package,
we can import the public key 
because there are two places. The public key is different in time and permissions, but the content is the same, but the content
under /etc/ is not read-only. It may not be safe to change all use the CD and
then we are checking the legitimacy of the tree file
As long as the file is not damaged, it is OK to put the file there and check it with -K.
Before -K, you must put the public key in the CD.
This is the step
rpm --import /run/media/root/CentOS\ 7 \ x86_64/RPM-GPG-KEY-CentOS-7
actually generates the gpg-pubkey-f4a80eb5-53a7ff4b package called "gpg-pubkey*". 
Let's compare it. 
If we don't want the public key, we can uninstall it. Then it shows NOT OK