Bernhard Wiedemann changed bug 911497

What         Removed    Added
Status       NEW        RESOLVED
CC                      bwiedemann@suse.com, meissner@suse.com
Resolution   ---        INVALID

Comment # 2 on bug 911497 from
I agree that providing
http://download.opensuse.org/distribution/13.2/iso/openSUSE-13.2-DVD-x86_64.iso.asc
is the best thing we can do.
With that, downloaders can use gpg to check the integrity and authenticity of
the software independently of how and where they got it.
The same applies to repos for software-updates where the repo-metadata
containing hashes of rpms is pgp-signed (in addition to rpms being signed
individually).

HTTPS (via SSL/TLS) relies on CAs as trusted third parties which
a) has the weakest-link-problem that any of the 1000 trusted CAs can create
certificates for any website and
b) it turned out that even major CAs were compromised in the past and
c) it is impossible to provide a decentralized mirror-infrastructure like
openSUSE's with HTTPS (because we can not give everyone the key)


So the recommended method to check it, would be:
wget http://download.opensuse.org/distribution/13.2/iso/openSUSE-13.2-DVD-x86_64.iso{,.asc}
gpg --recv-key 22C07BA534178CD02EFE22AAB88B2FD43DBDC284
gpg -d openSUSE-13.2-DVD-x86_64.iso.asc

which should return something like
> gpg: Signature made Tue 04 Nov 2014 13:36:36 CET using RSA key ID 3DBDC284
> gpg: Good signature from "openSUSE Project Signing Key <opensuse@opensuse.org>"
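
The check described in the comment above, written out as an added example
(not part of the bug report and not openSUSE's own tooling). Two points a
practitioner wants beyond "Good signature": use "gpg --verify SIG DATA" so
the data file is named explicitly instead of guessed from the .asc name, and
compare the full 40-hex fingerprint from the machine-readable VALIDSIG status
line rather than the 8-hex key ID in the human-readable output, because short
key IDs are not unique. The script assumes GnuPG 2.x is installed as "gpg";
the throwaway keyring, demo key, fake "ISO" and tampered copy are constructed
for the demo, and the openSUSE fingerprint quoted in the comment is used only
as a deliberately wrong expected key.

```shell
#!/bin/sh
# Added example, not from the bug report or from openSUSE.
# Verifies a detached OpenPGP signature and pins the signer to a full
# fingerprint. Assumes GnuPG 2.x ("gpg"); everything else is constructed.

# verify_detached DATA SIG EXPECTED_FPR
# Returns 0 only if SIG is a valid signature over DATA and was made by
# EXPECTED_FPR (as the signing key or as its primary key); 1 otherwise.
verify_detached() {
    data=$1; sig=$2
    want=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    # --status-fd 1 prints machine-readable "[GNUPG:] ..." lines. The bare
    # exit code only says "some key signed this", not which one.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$data" 2>/dev/null) || return 1
    # [GNUPG:] VALIDSIG <signing-key-fpr> <date> ... <primary-key-fpr>
    printf '%s\n' "$status" | awk -v want="$want" '
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# demo_setup: constructed fixture. Builds a private keyring under a temp
# directory, a passphrase-less demo key, a fake ISO, its detached .asc
# signature and a tampered copy of the ISO. Sets DEMO_DIR and DEMO_FPR.
demo_setup() {
    DEMO_DIR=$(mktemp -d) || return 1
    GNUPGHOME="$DEMO_DIR/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME" || return 1
    gpg --batch --passphrase '' --pinentry-mode loopback \
        --quick-generate-key 'Demo Signing Key <demo@example.invalid>' \
        default default never 2>/dev/null || return 1
    # Primary-key fingerprint of the demo key, from colon-separated output.
    DEMO_FPR=$(gpg --batch --with-colons --list-keys demo@example.invalid \
               | awk -F: '$1 == "fpr" { print $10; exit }')
    [ -n "$DEMO_FPR" ] || return 1
    printf 'constructed stand-in for openSUSE-13.2-DVD-x86_64.iso\n' \
        > "$DEMO_DIR/demo.iso"
    gpg --batch --yes --armor --detach-sign \
        --output "$DEMO_DIR/demo.iso.asc" "$DEMO_DIR/demo.iso" 2>/dev/null || return 1
    # A mirror (or a man-in-the-middle on plain HTTP) altered the download
    # but served the original signature unchanged.
    cp "$DEMO_DIR/demo.iso" "$DEMO_DIR/tampered.iso"
    printf 'X' >> "$DEMO_DIR/tampered.iso"
}

# Stand-alone run: show the three outcomes that matter.
if command -v gpg >/dev/null 2>&1 && demo_setup; then
    verify_detached "$DEMO_DIR/demo.iso" "$DEMO_DIR/demo.iso.asc" "$DEMO_FPR" \
        && echo "OK: untouched file, expected key"
    verify_detached "$DEMO_DIR/tampered.iso" "$DEMO_DIR/demo.iso.asc" "$DEMO_FPR" \
        || echo "REJECT: tampered file"
    verify_detached "$DEMO_DIR/demo.iso" "$DEMO_DIR/demo.iso.asc" \
        22C07BA534178CD02EFE22AAB88B2FD43DBDC284 \
        || echo "REJECT: valid signature, but not from the pinned key"
else
    echo "gpg not available; demo skipped" >&2
fi
```

The pinned fingerprint is the actual trust anchor here: "gpg --recv-key"
pulls whatever a keyserver returns for that ID, so the value you compare
against must come from a source you already trust (printed media, an
existing keyring, a colleague), not from the same download path as the ISO.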

