openSUSE / get-o-o

Website that provides detailed information about openSUSE distributions
https://get.opensuse.org
Creative Commons Attribution Share Alike 4.0 International

Checksums are not GPG signed. Instructions show how to GPG verify. #183

Open xgpt opened 8 months ago

xgpt commented 8 months ago

https://get.opensuse.org/tumbleweed/ says:

Verify Your Download Before Use

Many applications can verify the checksum of a download. To verify your download can be important as it verifies you really have got the ISO file you wanted to download and not some broken version.

For each ISO, we offer a checksum file with the corresponding SHA256 sum.

For extra security, you can use sha256sum to verify who signed those .sha256 files.

It should be [AD48 5664 E901 B867 051A B15F 35A2 F86E 29B7 00A4](https://download.opensuse.org/tumbleweed/repo/oss/gpg-pubkey-29b700a4-62b07e22.asc)

For more help verifying your download please read [Checksums Help](https://en.opensuse.org/SDB:Download_help#Checksums)

Please consider removing the GPG verification instructions, or modifying the checksums available for download to indeed be GPG signed.

tacerus commented 2 months ago

The checksum files are signed using a detached signature, can you elaborate what issue you are facing?

$ curl -sL https://download.opensuse.org/tumbleweed/iso/openSUSE-Tumbleweed-DVD-x86_64-Current.iso.sha256.asc|head -n2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
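
The verification chain discussed in this thread, as an added example that is not part of the original comments or the openSUSE site: check the detached signature on the `.sha256` file against the fingerprint quoted above, then check the ISO against the signed checksum. The function names are hypothetical, the signing key is assumed to be already imported into the local keyring, and `sha256sum` and `awk` are assumed to be available.

```shell
#!/bin/sh
# Added example: verify the signature on the checksum file first, then the ISO hash.
# Fingerprint as quoted from get.opensuse.org in this issue, spaces removed.
PINNED_FPR="AD485664E901B867051AB15F35A2F86E29B700A4"

# Read `gpg --status-fd` lines on stdin and print the primary-key fingerprint of
# a valid signature (last field of the VALIDSIG line in GnuPG 2.x), or nothing.
valid_signer() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# Succeed only if the status lines on stdin show a valid signature made by key $1.
# No VALIDSIG line (bad, missing or unknown-key signature) fails closed.
signed_by() {
    signer=$(valid_signer)
    [ -n "$signer" ] && [ "$signer" = "$1" ]
}

# Compare the file's SHA256 with the first field of the checksum file. The hash
# is compared directly, so the file name recorded in the .sha256 does not matter.
sum_matches() {  # usage: sum_matches FILE FILE.sha256
    expected=$(awk 'NF { print tolower($1); exit }' "$2")
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Full chain: signature on the checksum file, then checksum of the ISO.
verify_iso() {  # usage: verify_iso ISO ISO.sha256 ISO.sha256.asc
    gpg --status-fd 1 --verify "$3" "$2" 2>/dev/null | signed_by "$PINNED_FPR" \
        || { echo "checksum file: no valid signature from pinned key" >&2; return 1; }
    sum_matches "$1" "$2" \
        || { echo "ISO does not match the signed checksum" >&2; return 1; }
    echo "OK: $1"
}

# Run only when called with three arguments, so the file can also be sourced.
if [ "$#" -eq 3 ]; then verify_iso "$@"; fi
```

Matching on the `VALIDSIG` status line rather than on gpg's exit code ties the result to the pinned fingerprint, so a good signature from any other key in the keyring is rejected.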

mdogg-11 commented 2 months ago

I'm not having an issue with anything related to openSUSE on GitHub.
Someone suggested I take a look at https://git-scm.com/book/en/v2 to help me learn what it is I should be doing. Sorry for the confusion.


Matt

On 2024-07-17 5:11 am, Georg wrote:

The checksum files are signed using a detached signature, can you elaborate what issue you are facing?

$ curl -sL https://download.opensuse.org/tumbleweed/iso/openSUSE-Tumbleweed-DVD-x86_64-Current.iso.sha256.asc|head -n2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
